From: Guy Helmer <ghelmer@palisadesys.com>
To: Kevin Lyons
Cc: freebsd-chat@freebsd.org
Date: Tue, 29 Jun 2004 13:23:49 -0500
Subject: Re: "TrustedBSD" addons
Message-ID: <40E1B3B5.1020906@palisadesys.com>
In-Reply-To: <40E1A6C0.2040406@ofdengineering.com>
List-Id: Non technical items related to the community

Kevin Lyons wrote:
> I was reading with some surprise that some of the MAC and other
> "addons" from trusted bsd are to be incorporated.

Old news.

> I can already see the security advisories for these things like we've
> had for tcpwrapper, kerberos, heimdal, jail, openssl, etcetera ad
> infinitum.

How many of these were developed as part of BSD? One: jail.

> Is this the right way to go? We're adding more bloat while openbsd is
> cleaning itself and reworking kernel memory allocation to make
> exploits near impossible.

That's great work. Now, let's build on that so that the entire system is
properly compartmentalized (i.e., MAC).

> I dloaded 5.2 but haven't installed yet. I hope there is a way to
> disable the MAC and other of these "trustedbsd features" that seem to
> keep DARPA funded userland people busy.

Is it so much harder to look a little more deeply at the system than to
write a troll/rant?

Yes, MAC is a group of kernel compile options, and they are not shipped
as part of the GENERIC kernel. From /sys/conf/NOTES:

# Support for Mandatory Access Control (MAC):
options 	MAC
options 	MAC_BIBA
options 	MAC_BSDEXTENDED
options 	MAC_DEBUG
options 	MAC_IFOFF
options 	MAC_LOMAC
options 	MAC_MLS
options 	MAC_NONE
options 	MAC_PARTITION
options 	MAC_PORTACL
options 	MAC_SEEOTHERUIDS
options 	MAC_STUB
options 	MAC_TEST

Please take a look at the TrustedBSD implementation before ranting about
"DARPA funded userland people". There are good reasons why these people
were funded.

Guy