Subject: Re: kern/1967: securelevel should be patchable
To: Charles M. Hannum <mycroft@NetBSD.ORG>
From: James da Silva <jds@cs.umd.edu>
List: netbsd-bugs
Date: 01/30/1996 14:56:04
> Ah. It follows then that _every_ binary and script run in single
> user mode must be immutable, or there's little point to having
> securelevel 1.
>
> That's correct. Although I suspect we don't want to make it the
> default, someone should identify all of the naughty bits and create
> some convenient way for a user to configure their box to be `secure'
> if they so desire.
Wait, there's more, I think:

There's potentially a big lag between when inetd is started and when
securelevel 1 is set. Isn't this a window big enough to drive a truck
through? Extrapolate to taste for other daemons that get started in single
user mode and take input from the net (e.g. mountd/nfsd).

No amount of immutable bits will save us from this one - these daemons
can't become active until securelevel is set to 1.

Gack, again.

I wonder if anyone has done the full analysis of what is required to set up
a "secure" "securelevel 1" site? The designers of the securelevel feature,
presumably, but did they publish?

Until such a thing is done maybe the thing to do is just turn off the
feature by default, lest it give someone a false fuzzy feeling.

IMO.

Jaime
..............................................................................
: James da Silva : UMCP Computer Science Dept : Stand on my shoulders, :
: jds@cs.umd.edu : http://www.cs.umd.edu/~jds : not on my toes. :
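The window the mail describes (network daemons started in single-user mode before kern.securelevel is raised) can be audited from the rc script itself. The script below is an added example, not code from the thread or from NetBSD; it assumes securelevel is raised by a line containing `kern.securelevel=N`, and the daemon names it looks for are an assumed list to extend for your own rc.

```shell
#!/bin/sh
# Added example, not from the thread or NetBSD itself: a line-oriented audit of
# an rc script that lists network daemons launched before the line that raises
# kern.securelevel. The daemon-name list is an assumption; extend it as needed.

# Prints, one per line, the basename of each matching daemon started on a
# line that precedes the first "kern.securelevel=N" (N >= 1) assignment.
# Reads the rc script on stdin.
daemons_before_securelevel() {
    awk '
        /^[ \t]*#/ { next }                                  # skip comments
        /kern\.securelevel[ \t]*=[ \t]*[1-9]/ { raised = 1; next }
        !raised && $1 ~ /(^|\/)(inetd|mountd|nfsd|rpc\.[a-z]+)$/ {
            sub(/.*\//, "", $1)                              # strip the path
            print $1
        }
    '
}

# Constructed rc fragment reproducing the ordering the mail describes:
# mountd/nfsd/inetd come up while the kernel is still at securelevel 0.
SAMPLE_RC='# constructed sample, not a real /etc/rc
mountd
/usr/sbin/nfsd -tun 4
inetd
sysctl -w kern.securelevel=1
syslogd
'

# Usage: prints mountd, nfsd and inetd, one per line; syslogd is started
# after the raise, so it is not listed.
printf '%s' "$SAMPLE_RC" | daemons_before_securelevel
```

Anything the audit prints is a daemon that is listening before the immutable bits mean anything; moving the securelevel line above those daemons (or starting them later in multi-user mode) closes that particular window.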