Subject: Re: kauth, securelevel, and "run levels"
To: Steven M. Bellovin <email@example.com>
From: Thor Lancelot Simon <firstname.lastname@example.org>
Date: 03/25/2006 17:22:30
On Sat, Mar 25, 2006 at 05:17:08PM -0500, Steven M. Bellovin wrote:
> That's where we disagree. I'm concerned not just with assurance for
> the programmer, but for the administrator of such a system. With the
> new scheme, when you set certain flags, do you have a clear
> understanding what is and isn't possible for an attacker? Securelevel
> can be described in a few paragraphs; you know what you're getting
> (modulo code bugs, but that's not what I'm talking about here).
My suggestion is that we ship knob-settings that give you _exactly_
what we used to (claim to ("modulo bugs") ;-)) give you with securelevel 1.
If you decide to go under the hood and change those sets of knob-settings,
then, yes, you're on your own to get it right. But what _we_ ship should
do just what the old code did, from the administrator's point of view.
Thor Lancelot Simon email@example.com
"We cannot usually in social life pursue a single value or a single moral
aim, untroubled by the need to compromise with others." - H.L.A. Hart