From owner-freebsd-hackers Thu Apr 1 18:18: 9 1999
Delivered-To: freebsd-hackers@freebsd.org
Received: from apollo.backplane.com (apollo.backplane.com [209.157.86.2])
	by hub.freebsd.org (Postfix) with ESMTP id A68BA1517F
	for ; Thu, 1 Apr 1999 18:18:08 -0800 (PST)
	(envelope-from dillon@apollo.backplane.com)
Received: (from dillon@localhost)
	by apollo.backplane.com (8.9.3/8.9.1) id SAA63090;
	Thu, 1 Apr 1999 18:17:48 -0800 (PST)
	(envelope-from dillon)
Date: Thu, 1 Apr 1999 18:17:48 -0800 (PST)
From: Matthew Dillon
Message-Id: <199904020217.SAA63090@apollo.backplane.com>
To: Sean Eric Fagan
Cc: hackers@FreeBSD.ORG
Subject: Re: Suggestion: loosen slightly securelevel>1 time change restriction
References: <199904020033.QAA09981@medusa.kfu.com> <199904020137.RAA18306@kithrup.com>
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

:In article <199904020130.RAA61810.kithrup.freebsd.hackers@apollo.backplane.com> you write:
:> the fact that Kerberos will fail if the time isn't synchronized between
:> machines and that NFS and many other subsystems will do weird things
:> when the time is out of sync between machines. The 'protection'
:> that securelevel is giving us, in regards to the time, is zip.
:
:I can't tell if this is an april fool's joke as well.
:
:The purpose of prohibiting setting the time backwards is to prevent a cracker
:from changing the ctime of a file to before he actually changed it. This
:change means you can do security audits more easily.

    The current securelevel solution is a half-assed solution, IMHO. It
    creates more problems than it solves.

    -Matt
    Matthew Dillon