On Sat, 25 Mar 2006 17:22:30 -0500, Thor Lancelot Simon
<tls@rek.tjls.com> wrote:

> On Sat, Mar 25, 2006 at 05:17:08PM -0500, Steven M. Bellovin wrote:
> >
> > That's where we disagree.  I'm concerned not just with assurance for
> > the programmer, but for the administrator of such a system.  With the
> > new scheme, when you set certain flags, do you have a clear
> > understanding what is and isn't possible for an attacker?  Securelevel
> > can be described in a few paragraphs; you know what you're getting
> > (modulo code bugs, but that's not what I'm talking about here).
> 
> My suggestion is that we ship knob-settings that give you _exactly_
> what we used to (claim to ("modulo bugs") ;-)) give you with securelevel 1.
> 
> If you decide to go under the hood and change those sets of knob-settings,
> then, yes, you're on your own to get it right.  But what _we_ ship should
> do just what the old code did, from the administrator's point of view.

That's certainly a good starting point, but of course if that's all
people can do there was no point to the change.  My concern is about
the comprehensibility of other combinations of settings.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb