From: Jacques Vidrine
To: des@flood.ping.uio.no
Cc: freebsd-arch@freebsd.org
Subject: Re: kern.securelevel and X
Date: Tue, 19 Oct 1999 12:35:53 -0500

On 18 Oct 1999 18:30:20 +0200, Dag-Erling Smorgrav wrote:
> Why are you so obsessed with jail(2)? There is no reason for this to
> be jail(2)-specific. As I told you on IRC:
>
> 03:21 #bsdcode Nectar> DES: securelevel == systemwide, jail == process based
> 03:22 #bsdcode ---------> nectar: no, you're not ambitious enough 8)

I suppose that is fair: you misunderstood my remark, and I didn't get yours (I thought you were being sarcastic).

What I was trying to indicate is that one facet of jail is analogous to securelevel (both limit the operations available to even the superuser). Both securelevel and that particular facet of jail should, IMHO, share a common implementation.

Just so you don't accuse me of obsessing again :-) let me explain further. The jail system call as it exists in -CURRENT actually does three different things: it calls chroot, it restricts TCP/IP IPC, and it restricts certain operations. These three things don't necessarily belong together. It is the last aspect that I am comparing to securelevel, and that I've been talking about. Excuse me for using an existing system call as a reference point :-P

I pretty much agree with the rest of your message.

Off to see Markm talk about FreeBSD security. :-)

Later,
Jacques Vidrine / n@nectar.com / nectar@FreeBSD.org