Subject: Re: Escaping a chroot jail
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 07/14/2005 08:49:17
On Thu, Jul 14, 2005 at 08:42:04AM -0400, Steven M. Bellovin wrote:
> 
> As for the default security level of 1 -- for anyone who wants to run 
> X, that's simply not possible.  I understand why, of course, but it 
> doesn't help with everything else. 

That's not actually true.  It's perfectly possible to run X at security
level 1.  It's not possible to use the drivers for some newer chipsets
that basically don't work if you don't let the X server program their
DMA engines or access other resources outside the standard VGA space.

Besides, it's possible -- even easy -- to construct a chroot jail in
which none of these "make a device node and wreak havoc" tricks work,
even at security level 0.  Just follow the simple rule that if a
filesystem is writable, it's mounted nodev -- with null mounts, you
can have as many such filesystems as you like.

What you really want is for all filesystems with executables or device
nodes on them to be mounted r/o, and all other filesystems to be
mounted nodev, noexec.  If you use null mounts to do it, it is easy
to maintain these filesystems from the outside while the system is
running.

-- 
 Thor Lancelot Simon	                                      tls@rek.tjls.com

"The inconsistency is startling, though admittedly, if consistency is to be
 abandoned or transcended, there is no problem."		- Noam Chomsky
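The mount rule in the reply above (writable means nodev, and preferably noexec; anything holding executables or device nodes is read-only) is easy to audit mechanically. The script below is an added example, not from the mail or from NetBSD itself: it checks hand-constructed NetBSD-style `mount` output against that rule for every filesystem under a jail root; the `/jail` path and device names are assumptions.

```shell
#!/bin/sh
# Added example: audit `mount` output for the chroot-jail mount rule.
# Every writable filesystem under the jail must be nodev (violation if
# not) and should also be noexec (warning if not); read-only filesystems
# satisfy both. Paths below are assumptions, not from the original post.
JAIL=/jail

# Sample `mount` output, constructed by hand for this example.
SAMPLE_MOUNTS='/dev/wd0a on / type ffs (local)
/dev/wd0e on /jail type ffs (read-only, local)
/usr on /jail/usr type null (read-only, local)
/var/jail-data on /jail/var type null (nodev, noexec, local)
/tmp on /jail/tmp type null (local)
/home/jail on /jail/home type null (noexec, local)'

# has_opt LINE OPT: true if OPT appears in the parenthesised option list.
has_opt() {
    case "$1" in
        *\(*"$2"*\)*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_mounts JAILROOT: read mount lines on stdin, print one line per
# finding for mount points at or below JAILROOT.
audit_mounts() {
    jail=$1
    while IFS= read -r line; do
        mp=${line#* on }        # drop "<device> on "
        mp=${mp%% type *}       # drop " type <fstype> (<opts>)"
        case "$mp" in
            "$jail"|"$jail"/*) ;;
            *) continue ;;      # outside the jail, out of scope here
        esac
        if has_opt "$line" read-only; then
            continue            # read-only: neither rule applies
        fi
        if ! has_opt "$line" nodev; then
            echo "VIOLATION $mp: writable but not mounted nodev"
        fi
        if ! has_opt "$line" noexec; then
            echo "WARNING $mp: writable but not mounted noexec"
        fi
    done
}

printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts "$JAIL"
```

On a live system replace the constructed sample with `mount | audit_mounts /jail`; a clean run prints nothing.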