On Sat, Jan 21, 2023 at 10:43:08AM +, Stuart Henderson wrote:
> Test machines are less of a problem, because they're test machines.
Sure, we're talking about two different scenarios.
> Machines where things have been enabled to debug a problem and then
> forgotten are a bigger issue.
> I'm
On 2023/01/20 18:14, Crystal Kolipe wrote:
> On Fri, Jan 20, 2023 at 01:15:29PM -0700, Theo de Raadt wrote:
> > Todd C. Miller wrote:
> > > I wonder if it makes sense to have a version of sysctl.conf that
> > > only gets used for the next reboot and then is removed, kind of
> > > like /etc/rc.firs
On Fri, Jan 20, 2023 at 01:15:29PM -0700, Theo de Raadt wrote:
> Todd C. Miller wrote:
> > I wonder if it makes sense to have a version of sysctl.conf that
> > only gets used for the next reboot and then is removed, kind of
> > like /etc/rc.firsttime. Maybe call it /etc/sysctl.once.
>
> Well you
Todd C. Miller wrote:
> On Fri, 20 Jan 2023 11:29:15 -0700, "Theo de Raadt" wrote:
>
> > During this mimmmutable and xonly work, I keep finding test machines where
> > I enabled kern.allowkmem, and have to disable it. Sometimes weeks later.
> > Both kern.allowkmem and securelevel disabling are
On Fri, 20 Jan 2023 11:29:15 -0700, "Theo de Raadt" wrote:
> During this mimmmutable and xonly work, I keep finding test machines where
> I enabled kern.allowkmem, and have to disable it. Sometimes weeks later.
> Both kern.allowkmem and securelevel disabling are dangerous, especially in
> our wor
I don't argue for it to be undefined behaviour.
It just is a bad idea to put ideas into people's minds. In this case
the idea vaguely is 'oh i should disable securelevel, i can do more with
my machine'.
During this mimmmutable and xonly work, I keep finding test machines where
I enabled kern.all
Hi Stuart,
Stuart Henderson wrote on Fri, Jan 20, 2023 at 08:50:48AM +:
> On 2023/01/18 12:46, Theo de Raadt wrote:
>> But you should not start a sentence with also.
>> Also you should not start a sentence with but.
>>
>> Not the best english. jmc can weight in perhaps.
>> Jan Klemkow wro
On 2023/01/18 12:46, Theo de Raadt wrote:
> But you should not start a sentence with also.
> Also you should not start a sentence with but.
>
> Not the best english. jmc can weight in perhaps.
>
> Jan Klemkow wrote:
> > .Pp
> > Even with sufficient file system permissions,
> > these devices
But you should not start a sentence with also.
Also you should not start a sentence with but.
Not the best english. jmc can weight in perhaps.
Jan Klemkow wrote:
> On Tue, Jan 17, 2023 at 11:02:07PM +0100, Theo Buehler wrote:
> > > at least this tool works for me:
> >
> > Surely you have kern
On Tue, Jan 17, 2023 at 11:02:07PM +0100, Theo Buehler wrote:
> > at least this tool works for me:
>
> Surely you have kern.allowkmem=1 set.
This diff should phrase it correctly.
ok?
Thanks,
Jan
Index: man4.alpha/mem.4
===
RCS fil
On Tue, Jan 17, 2023 at 11:02:07PM +0100, Theo Buehler wrote:
> > at least this tool works for me:
>
> Surely you have kern.allowkmem=1 set.
Yes, I do.
> at least this tool works for me:
Surely you have kern.allowkmem=1 set.
On Tue, Jan 17, 2023 at 04:23:48PM -0500, Bryan Steele wrote:
> On Tue, Jan 17, 2023 at 09:37:24PM +0100, Jan Klemkow wrote:
> > Hi,
> >
> > This diff adjust the manpage of mem(4) to be more accurate. You can
> > open(2) mem(4) in securelevel 1 in readonly mode, but not writable.
> >
> > kern/sp
On Tue, Jan 17, 2023 at 09:37:24PM +0100, Jan Klemkow wrote:
> Hi,
>
> This diff adjust the manpage of mem(4) to be more accurate. You can
> open(2) mem(4) in securelevel 1 in readonly mode, but not writable.
>
> kern/spec_vnops.c:
>
> if (ap->a_cred != FSCRED && (ap->a_mode & FWRITE)) {
17.01.2023 20:37, Jan Klemkow пишет:
> Hi,
>
> This diff adjust the manpage of mem(4) to be more accurate. You can
> open(2) mem(4) in securelevel 1 in readonly mode, but not writable.
securelevel(7) still says
1 Secure mode
...
- /dev/mem and /dev/kmem cannot be op
Hi,
This diff adjust the manpage of mem(4) to be more accurate. You can
open(2) mem(4) in securelevel 1 in readonly mode, but not writable.
kern/spec_vnops.c:
if (ap->a_cred != FSCRED && (ap->a_mode & FWRITE)) {
...
/*
* When running in s
16 matches
Mail list logo