Date: Fri, 18 Jun 1999 23:35:52 -0700 (PDT) From: "Brian W. Buchanan" <brian@CSUA.Berkeley.EDU> To: Darren Reed <avalon@coombs.anu.edu.au> Cc: freebsd-security@FreeBSD.ORG Subject: Re: proposed secure-level 4 patch Message-ID: <Pine.BSF.4.05.9906182330210.70357-100000@smarter.than.nu> In-Reply-To: <199906190619.QAA28681@cheops.anu.edu.au>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sat, 19 Jun 1999, Darren Reed wrote: > In some mail from Brian W. Buchanan, sie said: > > > > On Sat, 19 Jun 1999, Frank Tobin wrote: > > > > > Okay, a good friend of mine Kris Wehner has written a patch to implement > > > the proposed securelevel of 4, which would disallow the opening of > > > secure ports (<1024) while in the securelevel of 4. The patch is against > > > 3.2-STABLE kernel, as of within 12 hours. I'd like to hear more comments > > > before I send it as a send-pr. The patch is attached. > > > > Kris's patch blocks binding ports <= 1024, but 1024 is not a secure port. > > The last one is 1023. > > Sigh, this appears to be a mis-use of "securelevel". As securelevel > increases, the system is supposed to be more secure - i.e. more functions > are unavailable, even to root. > > Using a securelevel of -2 for this is `better', but it means your kernel > must boot up with a securelevel of -1 (or less), init scripts change it > to be >= 0 so that init raises it to (at least) 1 once they're all finished. Huh? I think you've responded to the wrong post. The silly suggestion about using securelevel -2 to let anyone bind ports was a few messages back. What the original poster was suggesting was to prevent even root from binding privileged ports once securelevel 4 was set. I'd totally agree with you on the -2 issue, but adding securelevel 4 which the system can be raised to after root-owned processes have bound all the privileged ports they need could be a useful thing to have. -- Brian Buchanan brian@CSUA.Berkeley.EDU -------------------------------------------------------------------------- FreeBSD - The Power to Serve! http://www.freebsd.org daemon(n): 1. an attendant power or spirit : GENIUS 2. the cute little mascot of the FreeBSD operating system To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.05.9906182330210.70357-100000>