Clever Monkey wrote:

>Should OpenBSD plug this (local) hole, where someone could "modify"
>(actually, replace for the lifetime of the mount) immutable files?
>Perhaps
*** I concur with the above. I would have used "definitely" instead of
perhaps.
>, but there is no proven vector for privilege escalation in
>OpenBSD (according to the article you cite), which is usually a
>threshold for security fixes in my experience.
*** Root compromises are always possible, isn't there still such a
risk using X on i386 machines?
>This is not as cut and dry as you are making it out to be.
>What would you rather use: a proven, modern tool like systrace or a
>hacky afterthought like securelevels.
*** New doesn't mean proven and Microsoft Vista is modern (cringe).
>Now that we have something that
>replaces securelevels, the user base should be encouraged to move away
>from it because it does not really do what it was designed to do.
*** I don't think we do have anything that can replace securelevels. I have
had a look at the systrace man page. It seems to be a very strange construct,
with /bin/systrace, /dev/systrace, and who knows what else. Any replacement
for securelevels should be kernel-based IMO. And conceptually easy to understand,
and easy to use. We already have the templates in the securelevel and chflags
man pages.
>This is true for Linux, OpenBSD, FreeBSD and NetBSD.
*** Not knowing all that much about (SE)Linux, it appears to constrain some
of the powers of root, which is probably worthy of study.
>Bottom line: if you need real multi-user, multi-level security you
>cannot rely on securelevels. Use the appropriate tool for the job.
*** I doubt that systrace is an appropriate tool to replace securelevels.
For the purpose of replacing something like securelevel 2 with files
protected with schg or sappnd, I simply no longer think that systrace
is capable of this. Securelevels should be kernel-based and systrace
seems to be flawed, and seems to require all controlled programs and calls
to be listed verbosely. It seems to me that it would offer the same
level of security that Default Allow policies and individual Block rules do
for firewall rulesets. One can never list everything fully enough to be truly
secure.
Regards, An Odd User.
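As an added illustration of the hole discussed at the top of the thread (a filesystem mounted over a directory that holds schg/sappnd files hides them for the lifetime of that mount), here is a small Python check that is not part of the original post: it compares a boot-time baseline of immutable file paths against the current mount table and reports any file now covered by a mount that did not cover it at baseline. The mount tables and file paths below are constructed sample data; on a real host the baseline would come from a flag listing such as `ls -lo` taken at boot, and the mount tables from `mount`.

```python
"""Detect immutable (schg/sappnd) files hidden under a newer mount point.

An immutable file is "shadowed" when the deepest mount point that covers
its path is a mount that did not cover it in the boot-time baseline.
All data here is constructed for the example, not taken from a real host.
"""
from typing import Dict, Iterable, Optional, Tuple


def covering_mount(path: str, mounts: Iterable[str]) -> Optional[str]:
    """Return the deepest mount point that is an ancestor of ``path``.

    Matching is component-aware: ``/usr/local`` does not cover
    ``/usr/localhost/x``, because the prefix must end at a ``/``.
    """
    best = None
    for m in mounts:
        m_norm = m.rstrip("/") or "/"
        if m_norm == "/" or path == m_norm or path.startswith(m_norm + "/"):
            if best is None or len(m_norm) > len(best):
                best = m_norm
    return best


def shadowed_files(immutable: Iterable[str],
                   baseline_mounts: Iterable[str],
                   current_mounts: Iterable[str]) -> Dict[str, Tuple[str, str]]:
    """Map each shadowed file to (mount at baseline, mount covering it now)."""
    baseline = list(baseline_mounts)
    current = list(current_mounts)
    result = {}
    for f in immutable:
        before = covering_mount(f, baseline)
        now = covering_mount(f, current)
        if before != now:
            result[f] = (before, now)
    return result


# Constructed sample: mounts present at boot, and the table after two extra
# filesystems were mounted on top of directories holding immutable files.
BASELINE_MOUNTS = ["/", "/usr", "/usr/local", "/home"]
CURRENT_MOUNTS = BASELINE_MOUNTS + ["/usr/local/sbin", "/etc"]
IMMUTABLE = ["/usr/local/sbin/sshd", "/usr/local/bin/foo",
             "/etc/passwd", "/bsd", "/usr/localhost/x"]

if __name__ == "__main__":
    for path, (before, now) in shadowed_files(IMMUTABLE, BASELINE_MOUNTS,
                                              CURRENT_MOUNTS).items():
        print(f"{path}: covered by {before} at boot, now hidden under {now}")
```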