Subject: Re: kauth, securelevel, and "run levels"
To: None <email@example.com>
From: Steven M. Bellovin <firstname.lastname@example.org>
Date: 03/25/2006 17:28:17

On Sat, 25 Mar 2006 17:22:30 -0500, Thor Lancelot Simon
> On Sat, Mar 25, 2006 at 05:17:08PM -0500, Steven M. Bellovin wrote:
> > That's where we disagree. I'm concerned not just with assurance for
> > the programmer, but for the administrator of such a system. With the
> > new scheme, when you set certain flags, do you have a clear
> > understanding what is and isn't possible for an attacker? Securelevel
> > can be described in a few paragraphs; you know what you're getting
> > (modulo code bugs, but that's not what I'm talking about here).
>
> My suggestion is that we ship knob-settings that give you _exactly_
> what we used to (claim to ("modulo bugs") ;-)) give you with securelevel 1.
> If you decide to go under the hood and change those sets of knob-settings,
> then, yes, you're on your own to get it right. But what _we_ ship should
> do just what the old code did, from the administrator's point of view.

That's certainly a good starting point, but of course if that's all
people can do there was no point to the change. My concern is about
the comprehensibility of other combinations of settings.

--Steven M. Bellovin, http://www.cs.columbia.edu/~smb