Subject: Re: CVS commit: src/etc
To: Peter Postma <>
From: Steven M. Bellovin <>
List: tech-userlevel
Date: 04/06/2005 13:22:02
In message <>, Peter Postma writes:

>You might not think this improves security, but I think it does.

I agree, though /etc/security should be fixed so that it doesn't 
complain about the "_" character.

>And why should we do this differently than OpenBSD? Their pflogd(8) has
>been developed in a way to reduce potential security issues, why
>should we ignore that?

There are often lots of reasons to disagree with them; this isn't one
of them.  We really want to limit the damages that can be done by any 
single malfunctioning program.

A more interesting question is whether or not there's a better way, 
since lots of special-purpose logins create their own manageability 
headaches.  Perhaps something with systrace?

		--Prof. Steven M. Bellovin,