Subject: Re: The reason for securelevel
To: <>
From: Chapman Flack <nblists@anastigmatix.net>
List: tech-kern
Date: 01/26/2006 14:44:29
[snip]
> what the hell are you talking about? again, the base for your
> assumptions is *wrong*.
[snippity]
> no, it is not; you are just seeing things very very very wrong
> and assuming things. please take this FUD elsewhere.
[snip]
> kern.securelevel sucks. the security in 4.4bsd sucks. kvm(3) sucks.
> *YOU* stick to them.

For a while, this looked like a sober thread where people of
different viewpoints were seriously and respectfully discussing
serious security-related kernel changes. Then this, which does
not increase my confidence in any revision being proposed.

Please. The stakes are high enough, and the issues thorny enough,
that even viewpoints other than your own may be valuable in whole
or in part. What makes this stuff challenging (whether as separate
knobs or just as a matter of pinning down the proper set of
operations needing to be conditioned on the single securelevel knob)
is that they are far from orthogonal in practice. VMS had, IIRC,
32 privileges or so, and you could group several of them into a set
you might as well call "root-complete" because if you had any one
in the set you could as a SMoP accomplish whatever any of the
others purportedly controlled. Sometimes you had to look at the
problem slantwise to see how, but that's the way people writing
exploits do look. If you're talking security with somebody who
seems to be looking slantwise from your point of view ... thank them.

-Chap