Subject: Re: security sysctl? (was: r/o filesystem restrictions for firewall?)
To: Thor Lancelot Simon <tls@rek.tjls.com>
From: Andrew Brown <atatat@atatdot.net>
List: tech-kern
Date: 10/24/2000 17:44:42
>It is certainly flexible enough for what Jon said he wanted to do. Since
>you haven't indicated what you want to do, it's pretty hard to tell if new
>functionality is required or not.
i had also suggested (a) no more manipulation of the routing table
from userspace (ie, anything except "route get"), (b) no more
interface manipulation (ie, adding or removing addresses, netmasks,
etc) and (c) making the entire sysctl mib read-only.
i haven't looked, but i don't think those are covered by secure level
2.
finely grained grained control is a good thing, as are large red
switches.
--
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org * "ah! i see you have the internet
twofsonet@graffiti.com (Andrew Brown) that goes *ping*!"
andrew@crossbar.com * "information is power -- share the wealth."