Re: securelevels
Odhiambo Washington wrote:
> Hi Brent,

Hey Odhiambo

> Long time no hear! Hope you are good.

All good.

> Why are you asking about this when it is so clearly documented?

I know it's documented. Having used Debian for x amount of years, think it's time to add *BSD to my repertoire and to see what's used in the real world / practice.

Thanks for your reply.

Kind Regards
Brent Clark

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
Re: securelevels
On Sun, Aug 17, 2008 at 7:03 PM, Brent Clark <[EMAIL PROTECTED]> wrote:
> Hi
>
> I would like to know, in production envs, or anything for that matter, may I
> ask how many of you raise the securelevel.
>
> If so, to what do you raise it to.

Hi Brent,

Long time no hear! Hope you are good.

Why are you asking about this when it is so clearly documented?

Anyway, I have never raised securelevel in any of my production boxen since I've never had reasons to. There must be reasons for it and I believe that is what you need to find out, and also find out if your situation warrants such actions.

In most cases, I always thought securelevel was for the paranoid only, or to create a flame war - the folks anal about security.

Maybe securelevel should be ported to Windows? :-)

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223

"Oh My God! They killed init! You Bastards!" --from a /. post
securelevels
Hi

I would like to know, in production envs, or anything for that matter, may I ask how many of you raise the securelevel.

If so, to what do you raise it to.

Kind Regards
Brent Clark
Re: A quick question about X11 and securelevels
On Sun, Aug 28, 2005 at 12:59:36PM +0400, Dmitry Mityugov wrote:
> On 8/28/05, Tom Norris <[EMAIL PROTECTED]> wrote:
> > I understand the things like not allowing the system clock to change and
> > not allowing formatting of filesystems, but I want to know why you can't
> > run x11 when you have a securelevel greater than or equal to one. there
> > is no _serious_ reason I wish to know, I'm just curious and google keeps
> > feeding me tutorials on making my FreeBSD machine furiously hard to
> > crack. :)

A securelevel >0 prevents /dev/mem and /dev/io from being opened for writing. X needs to write to these devices.

> Not an exact answer to your question, but securelevel does not
> prohibit you from running X if it is set after X started (from one of
> .x... files in your home directory instead of rc.conf perhaps?)

The security level is set with sysctl (kern.securelevel). You must be root to set it.

Roland

--
R.F.Smith (http://www.xs4all.nl/~rsmith/)
Please send e-mail as plain text.
public key: http://www.xs4all.nl/~rsmith/pubkey.txt
Re: A quick question about X11 and securelevels
On 8/28/05, Tom Norris <[EMAIL PROTECTED]> wrote:
> I understand the things like not allowing the system clock to change and
> not allowing formatting of filesystems, but I want to know why you can't
> run x11 when you have a securelevel greater than or equal to one. there
> is no _serious_ reason I wish to know, I'm just curious and google keeps
> feeding me tutorials on making my FreeBSD machine furiously hard to
> crack. :)

Not an exact answer to your question, but securelevel does not prohibit you from running X if it is set after X started (from one of .x... files in your home directory instead of rc.conf perhaps?)

--
Dmitry Mityugov, St. Petersburg, Russia
I ignore all messages with confidentiality statements
"We live less by imagination than despite it" - Rockwell Kent, "N by E"
A quick question about X11 and securelevels
I understand the things like not allowing the system clock to change and not allowing formatting of filesystems, but I want to know why you can't run x11 when you have a securelevel greater than or equal to one. there is no _serious_ reason I wish to know, I'm just curious and google keeps feeding me tutorials on making my FreeBSD machine furiously hard to crack. :)

Thanks,
Tom
Re: Xdm & Securelevels revisited
> > securelevel is raised before xdm can start which causes fireworks.
> just a thought: if you raise the securelevel after xdm has started and it
> dies, would you get fireworks again?
>

I'm leaving the text consoles open for that very reason. If xdm dies, tries to restart (it will try every 30 seconds as init will sleep) I can drop to single user and disable xdm. The only problem with this is that I won't then be able to get X back without rebooting to securelevel -1. Correct me if I am wrong but all the documentation seems to suggest that the securelevel cannot be lowered even in single user mode?

I am relying on xdm to be stable, which it does seem to be (I have used it at the default securelevel on other machines).

--
PGP: http://www.darklogik.org/pub/pgp/pgp.txt
B776 43DC 8A5D EAF9 2126 9A67 A7DA 390F DEFF 9DD1
Re: Xdm & Securelevels revisited
On Friday 28 January 2005 01:13, markzero wrote:
> securelevel is raised before xdm can start which causes fireworks.

just a thought: if you raise the securelevel after xdm has started and it dies, would you get fireworks again?

--
/Xian
"Common sense is the collection of prejudices acquired by age eighteen." Albert Einstein
Xdm & Securelevels revisited
Some time ago, I mused upon the possibility of running Xorg in a securelevel > 0 environment (and I forgot to thank Lowell Gilbert for his advice, sorry!).

http://lists.freebsd.org/pipermail/freebsd-questions/2004-December/069141.html

I actually tried it on a test machine about five minutes ago and hit a problem. If I specify securelevel 0 (raised to 1 automatically) in /etc/rc.conf, the securelevel is raised before xdm can start which causes fireworks.

(getty repeating too quickly on port %s, sleeping)

Where would be the best place to raise the securelevel after xdm has started?

Thanks,
Mark

--
PGP: http://www.darklogik.org/pub/pgp/pgp.txt
B776 43DC 8A5D EAF9 2126 9A67 A7DA 390F DEFF 9DD1
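The boot-order problem reported in the message above (securelevel set from rc.conf, xdm started from ttys), as an added example that is not part of the original posts: a shell audit over rc.conf and ttys text. `kern_securelevel_enable` and `kern_securelevel` are FreeBSD's rc.conf knobs; the function names, the sample file contents and the fallback of -1 when no level is given are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit rc.conf and ttys text for the securelevel/xdm
# boot-order conflict reported in this thread.

# Last value assigned to an rc.conf variable ($1 = name, $2 = rc.conf text).
rc_get() {
    printf '%s\n' "$2" |
        sed -n "s/^$1=\"\{0,1\}\([^\"#[:space:]]*\).*/\1/p" | tail -n 1
}

# Securelevel requested in rc.conf, or "unset" when the knob is not enabled.
rc_securelevel() {
    case "$(rc_get kern_securelevel_enable "$1")" in
        [Yy][Ee][Ss]) ;;
        *) echo unset; return 0 ;;
    esac
    level=$(rc_get kern_securelevel "$1")
    echo "${level:--1}"   # assumption: -1 when kern_securelevel is not given
}

# Succeeds when an uncommented ttys entry runs xdm with status "on".
xdm_on_in_ttys() {
    printf '%s\n' "$1" | awk '
        $1 !~ /^#/ && /xdm/ { for (i = 2; i <= NF; i++) if ($i == "on") found = 1 }
        END { exit !found }'
}

# $1 = rc.conf text, $2 = ttys text; prints a one-line verdict.
audit_boot_order() {
    level=$(rc_securelevel "$1")
    if [ "$level" = unset ] || [ "$level" -lt 0 ]; then
        echo "ok: rc.conf does not raise the securelevel"
        return 0
    fi
    # Per the thread, a configured 0 is raised to 1 automatically.
    if [ "$level" -eq 0 ]; then level=1; fi
    if xdm_on_in_ttys "$2"; then
        echo "conflict: securelevel $level is raised before xdm starts from ttys"
    else
        echo "ok: securelevel $level and no xdm entry enabled in ttys"
    fi
}

# Constructed sample inputs (not taken from any real host).
SAMPLE_RC='kern_securelevel_enable="YES"
kern_securelevel="0"'
SAMPLE_TTYS='ttyv7 "/usr/libexec/getty Pc" cons25 on secure
ttyv8 "/usr/X11R6/bin/xdm -nodaemon" xterm on secure'
audit_boot_order "$SAMPLE_RC" "$SAMPLE_TTYS"
```

On a live host, pass `"$(cat /etc/rc.conf)"` and `"$(cat /etc/ttys)"` as the two arguments.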
Re: Xorg & xdm & securelevels
Mark <[EMAIL PROTECTED]> writes:
> I would like to push my securelevel up to 1 in order to better enforce
> my security policy (protecting chflags, kernel modules etc) but this
> of course would break Xorg as it requires access to /dev/io. I've
> heard that it's possible to run Xorg via xdm whilst the system is
> booting at securelevel 0 and have the securelevel raised afterwards,
> effectively allowing X to live in a securelevel > 0 environment.

Sure. I don't bother for my own machines, because I'm very careful about authentication methods, but it's certainly

> How painful is this to implement? Am I likely to run into any
> major problems?

It's trivial to implement, and will work fine. If I remember correctly, setting the securelevel by the normal rc.conf method and enabling xdm from ttys(5) should do it.

> I've also heard that it's possible to remove the SUID bit from X
> by using xdm, but that's probably for another thread...

Yep, completely different topic. It's true that it's possible, but if you're in a raised securelevel, it's also not going to gain you much.
Xorg & xdm & securelevels
Hello.

I realise this may have been covered before and that this may not be the correct list (freebsd-x11 seemed to be more about development rather than configuration) but anyway:

I would like to push my securelevel up to 1 in order to better enforce my security policy (protecting chflags, kernel modules etc) but this of course would break Xorg as it requires access to /dev/io. I've heard that it's possible to run Xorg via xdm whilst the system is booting at securelevel 0 and have the securelevel raised afterwards, effectively allowing X to live in a securelevel > 0 environment.

How painful is this to implement? Am I likely to run into any major problems?

I've also heard that it's possible to remove the SUID bit from X by using xdm, but that's probably for another thread...

Any comments, advice, pointers to articles or screams of distaste are welcomed.

Mark