Date: Fri, 5 Jan 2001 23:15:00 -0500 (EST)
From: <scanner@jurai.net>
To: Peter Brezny <peter@sysadmin-inc.com>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: changing kernsecurelevel
Message-ID: <Pine.BSF.4.21.0101052308080.7351-100000@sasami.jurai.net>
In-Reply-To: <001101c0779c$096cc260$46010a0a@sysadmininc.com>

On Fri, 5 Jan 2001, Peter Brezny wrote:

> How can I change the sysctl kern.securelevel from 2 to -1 without rebooting
> the machine.

You can't :-) Hence the word "secure" level. If you could, what would be the
point of it?

> I've run into problems installing new kernels with a kernelsecure level of
> 2, but so far, the only way I've figured out to change the kernel secure
> level is to modify rc.conf, changing the secure level and rebooting the
> machine.

You are correct. Once the system is booted into a securelevel, whether it's
-1, 0, 1, 2 or 3, it can't be lowered. Any root owned process can RAISE it but
nothing can lower it.

> How do I accomplish this without a reboot, or, if I am going at it all
> wrong, how do I rebuild the kernel of a machine with a kern.securelevel=2?

You can't. The kernel will not install because the chflags when installing a
kernel always add the immutable flag to it. So if you run in SL 2 you can't
overwrite the kernel in place unless you boot to a SL of -1 or 0. chflags set
on a file or device cannot be changed or altered at all in SL 1+. Man init
for more info on this.

=============================================================================
-Chris Watson         (316) 326-3862 | FreeBSD Consultant, FreeBSD Geek
Work:  scanner@jurai.net             | Open Systems Inc., Wellington, Kansas
Home:  scanner@deceptively.shady.org | http://open-systems.net
=============================================================================
WINDOWS: "Where do you want to go today?"
LINUX: "Where do you want to go tomorrow?"
BSD: "Are you guys coming or what?"
=============================================================================
irc.openprojects.net #FreeBSD -Join the revolution!
ICQ: 20016186
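
The rules stated in the reply above, written out as a pre-flight check to run before a kernel install. This is an added example, not part of the original message: the function names are hypothetical, and reading the flags with `stat -f %Sf` is an assumption about the tools on the host.

```shell
#!/bin/sh
# Added example: decide whether a kernel file can be replaced in place.
# Rules modelled are the ones stated in the message above:
#   - kern.securelevel can be raised but never lowered on a running system
#   - file flags cannot be changed at securelevel 1 or higher

# securelevel_change_allowed CURRENT REQUESTED
# Returns 0 if the running system would accept the change (raise or no-op).
securelevel_change_allowed() {
    [ "$2" -ge "$1" ]
}

# has_schg FLAGS
# FLAGS is the comma-separated flag string, e.g. "schg" or "uarch,schg".
has_schg() {
    case ",$1," in
        *,schg,*) return 0 ;;
        *) return 1 ;;
    esac
}

# kernel_install_plan SECURELEVEL FLAGS
# Prints one of:
#   install     file is not immutable, overwrite in place
#   clear-flag  immutable, but flags are still changeable (securelevel <= 0)
#   reboot      immutable and flags are frozen: set a lower level in
#               rc.conf and reboot before installing
kernel_install_plan() {
    if ! has_schg "$2"; then
        echo install
    elif [ "$1" -le 0 ]; then
        echo clear-flag
    else
        echo reboot
    fi
}

# Live use on a FreeBSD host: pass the kernel path as the first argument.
if [ "$#" -ge 1 ]; then
    level=$(sysctl -n kern.securelevel)
    flags=$(stat -f %Sf "$1")
    echo "securelevel=$level flags=$flags plan=$(kernel_install_plan "$level" "$flags")"
fi
```
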