Date: Thu, 28 Feb 2002 06:32:09 +0000
From: Rasputin <rasputin@submonkey.net>
To: Randy Kunkee <randy@randallkunkee.com>
Cc: stable@freebsd.org
Subject: Re: running securelevel 2 and X
Message-ID: <20020228063209.B45581@shikima.mine.nu>
In-Reply-To: <3C7DE275.B8DE1205@randallkunkee.com>; from randy@randallkunkee.com on Thu, Feb 28, 2002 at 01:55:33AM -0600
References: <3C7DE275.B8DE1205@randallkunkee.com>

* Randy Kunkee <randy@randallkunkee.com> [020228 01:17]:
> I just upgraded to 4.5-stable and it reset my securelevel to 2 and
> enabled. Of course, X would not come up, x86OpenConsole failed with
> this KDENABIO error. The documentation I found on this suggests two
> solutions, both of which advise using XDM. First, running XDM from
> /etc/ttys, did not work, producing the same error. The second one,
> running as a full daemon from /usr/local/etc/rc.d does work, as long as
> I add a short sleep to give XDM time to start before securelevel is
> changed by init after finishing the startup scripts. The downside of
> this is that if I ever abort XDM for some reason, I won't be able to
> restart it, nor will I be able to start X directly (and playing with
> XDM is enough fun in itself anyway).

No, the idea behind running XDM is that if that opens /dev/io
before the securelevel is raised, it will be allowed to keep it open.
Since xdm only starts once, you don't have trouble getting into an
X session once you log out like you would using startx.

> Perhaps I have a conflict of interest. I want to run X and be secure.
> Is running X such a big gaping security hole that I'm left with my
> current solution (to restart X, I must reboot!)?

In a word, yes. X needed direct access to /dev/io last time I looked.

> Is there no reasonable change that could be made to the OS to grant access
> to let the X server do its thing (ie. allow running startx) without
> disarming the securelevel feature completely?

There was a patch out about a year ago to use the 'aperture driver',
which basically opens a hole for X to squirt through.
Search the lists, not sure if it would apply to STABLE cleanly.

-- 
Be braver -- you can't cross a chasm in two small jumps.
Rasputin :: Jack of All Trades - Master of Nuns ::

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20020228063209.B45581>