From owner-freebsd-doc@FreeBSD.ORG Sun Nov 12 13:40:43 2006 Return-Path: X-Original-To: freebsd-doc@hub.freebsd.org Delivered-To: freebsd-doc@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 900D616A5A6 for ; Sun, 12 Nov 2006 13:40:43 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id A3AB043D53 for ; Sun, 12 Nov 2006 13:40:37 +0000 (GMT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.13.4/8.13.4) with ESMTP id kACDebQr063933 for ; Sun, 12 Nov 2006 13:40:37 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.13.4/8.13.4/Submit) id kACDebxu063932; Sun, 12 Nov 2006 13:40:37 GMT (envelope-from gnats) Date: Sun, 12 Nov 2006 13:40:37 GMT Message-Id: <200611121340.kACDebxu063932@freefall.freebsd.org> To: freebsd-doc@FreeBSD.org From: Giorgos Keramidas Cc: Subject: Re: docs/104403: man security should mention that the usage of the X Window Systen is only possible with kern.securitylevel=-1 X-BeenThere: freebsd-doc@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Giorgos Keramidas List-Id: Documentation project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sun, 12 Nov 2006 13:40:43 -0000 The following reply was made to PR docs/104403; it has been noted by GNATS. From: Giorgos Keramidas To: Niclas Zeising Cc: bug-followup@freebsd.org Subject: Re: docs/104403: man security should mention that the usage of the X Window Systen is only possible with kern.securitylevel=-1 Date: Sun, 12 Nov 2006 14:37:44 +0100 On 2006-11-12 10:52, Niclas Zeising wrote: >Giorgos Keramidas wrote: >>> With kern.securitylevel=0 or higher it is not possible to start X. >> >> You can still use `xdm' or a similar way of starting X11, because >> it will be started by init(8) before the securelevel is raised by >> the `/etc/rc.d/securelevel' script. >> >> I don't think this is worth mentioning in security(7), because >> we can't possibly document *ALL* the possible things that can >> fail with a bumped securelevel. > > It it probably worth mentioning somewhere, as it will avoid some foot > shooting from unaware users. One can discuss though that if the extra > security provided by the security level is needed, maybe the system > shouldn't run X in the first place. I'm not sure. Should we also mention that you can't "installworld" with an elevated securelevel, because chflags may fail to work and cause problems? Should we also mention that not being able to change the firewall rules can be tricky, if you are testing your new firewall ruleset, and get locked out? There are *MANY* ways in which an elevated securelevel can turn around and bite you in the ass, but do we _really_ have to enumerate them all in mind-boggingly detail? ... in a single manpage? I really don't know.