Date: Wed, 6 Jun 2001 13:30:25 +0200 (CEST)
From: Konrad Heuer
To: Neil Darlow
Cc: Questions
Subject: Re: Disabling kern.securelevel?
In-Reply-To: <20010606.11174600@ideal.darlow.co.uk>
Message-ID: <20010606132458.T1764-100000@gwdu60.gwdg.de>

On Wed, 6 Jun 2001, Neil Darlow wrote:

> I understand the benefits of running with kern.securelevel > 0 but
> I am finding that it gets in the way when applying patches.
>
> Is there any way, other than reboot, to change kern.securelevel back
> to 0?

No, the secure level can't be lowered. It would be nice to be able to lower
it in single user mode but I guess the kernel has no chance to figure out
without doubt whether the system is in single user mode or not.

> I've been doing some security updates recently and I've had to do
> the following:
>
> 1) Disable securelevel in /etc/rc.conf
> 2) Reboot
> 3) Install patches (for files with schg set)
> 4) Enable securelevel in /etc/rc.conf
> 5) Reboot
>
> Two reboots seems excessive. I can understand the need to do one if
> libc or the kernel has been updated.
>
> Is there another way?

You don't need to change /etc/rc.conf.
Reboot the system into single user mode by rebooting and interrupting the
boot countdown `Booting [kernel] in ... seconds ...' via pressing the space
bar and enter the command:

    boot -s

Mount all local file systems by

    mount -a -t ufs

and apply the patches and type

    exit

to start into multi user mode.

Konrad Heuer                                  Personal Bookmarks:
Gesellschaft für wissenschaftliche
   Datenverarbeitung mbH Göttingen            http://www.freebsd.org
Am Faßberg, D-37077 Göttingen                 http://www.daemonnews.org
Deutschland (Germany)

kheuer@gwdu60.gwdg.de
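
A pre-flight check for the situation discussed in this thread, as an added example that is not part of the original message: it reads FreeBSD `ls -lo` output for the files a patch will touch and reports whether they can be patched in place or need the single-user boot described above. The function names and the sample listing are constructed for illustration, and paths are assumed to contain no spaces.

```shell
#!/bin/sh
# Added example. Input: FreeBSD `ls -lo` lines (field 5 is the flags column,
# "-" when none, comma-separated when several). Assumes no spaces in paths.

# Print the path of every listed file carrying schg or sappnd, the
# system-level flags that cannot be cleared while kern.securelevel > 0.
locked_files() {
    awk '{
        n = split($5, flag, ",")
        for (i = 1; i <= n; i++)
            if (flag[i] == "schg" || flag[i] == "sappnd") { print $NF; break }
    }'
}

# patch_plan LEVEL  (listing on stdin)
# First output line is "in-place" or "single-user"; flagged files follow.
patch_plan() {
    level=$1
    locked=$(locked_files)
    if [ -z "$locked" ] || [ "$level" -le 0 ]; then
        echo "in-place"
    else
        echo "single-user"
    fi
    [ -z "$locked" ] || printf '%s\n' "$locked"
}

# Constructed sample listing (not taken from a real host).
sample_listing() {
    cat <<'EOF'
-r-xr-xr-x  1 root   wheel  schg         584328 Jun  6 04:30 /sbin/init
-r-sr-xr-x  1 root   wheel  schg,nodump   24576 Jun  6 04:30 /usr/bin/login
-rw-r--r--  1 root   wheel  -              1024 Jun  6 04:30 /etc/motd
-rw-------  1 root   wheel  sappnd        40960 Jun  6 04:30 /var/log/example.log
-rw-r--r--  1 alice  alice  uchg            512 Jun  6 04:30 /home/alice/notes
EOF
}

# On a FreeBSD host the real inputs would be:
#   ls -lo <files the patch touches> | patch_plan "$(sysctl -n kern.securelevel)"
sample_listing | patch_plan 1
```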