docs/104403: man security should mention that the usage of the X Window System is only possible with kern.securitylevel=-1
Lowell Gilbert
lgusenet at be-well.ilk.org
Sun Nov 12 14:57:58 UTC 2006
lothrandil at n00b.apagnu.se (Niclas Zeising) writes:
> The following reply was made to PR docs/104403; it has been noted by GNATS.
>
> From: Niclas Zeising <lothrandil at n00b.apagnu.se>
> To: Giorgos Keramidas <keramida at freebsd.org>
> Cc: bug-followup at freebsd.org, doc at freebsd.org
> Subject: Re: docs/104403: man security should mention that the usage of the
> X Window System is only possible with kern.securitylevel=-1
> Date: Sun, 12 Nov 2006 14:55:42 +0100
>
> Giorgos Keramidas wrote:
> > On 2006-11-12 10:52, Niclas Zeising <lothrandil at n00b.apagnu.se> wrote:
> >> Giorgos Keramidas wrote:
> >>>> With kern.securitylevel=0 or higher it is not possible to start X.
> >>> You can still use `xdm' or a similar way of starting X11, because
> >>> it will be started by init(8) before the securelevel is raised by
> >>> the `/etc/rc.d/securelevel' script.
> >>>
> >>> I don't think this is worth mentioning in security(7), because
> >>> we can't possibly document *ALL* the possible things that can
> >>> fail with a bumped securelevel.
> >> It is probably worth mentioning somewhere, as it will avoid some foot
> >> shooting from unaware users. One can discuss though that if the extra
> >> security provided by the security level is needed, maybe the system
> >> shouldn't run X in the first place.
> >
> > I'm not sure.
> >
> > Should we also mention that you can't "installworld" with an elevated
> > securelevel, because chflags may fail to work and cause problems?
> > Should we also mention that not being able to change the firewall rules
> > can be tricky, if you are testing your new firewall ruleset, and get
> > locked out?
> >
> > There are *MANY* ways in which an elevated securelevel can turn around
> > and bite you in the ass, but do we _really_ have to enumerate them all
> > in mind-boggling detail? ... in a single manpage?
> >
> > I really don't know.
> >
>
> I believe they should be documented somewhere, to avoid questions.

Sure, but they already are.

Given that both the X and installworld issues have been in the FAQ for
years, I don't think adding MORE documentation will help.