Date: Thu, 8 Aug 1996 01:30:18 +0900 (JST)
From: Michael Hancock <michaelh@cet.co.jp>
To: FreeBSD Hackers <Hackers@FreeBSD.ORG>
Subject: kern_mib.c:int securelevel = -1;
Message-ID: <Pine.SV4.3.93.960808011824.7573A-100000@parkplace.cet.co.jp>
It looks like the assignment of securelevel was put into kern_mib.c from
kern_sysctl.c. This is ok I guess, but I'd like to have an option INSECURE
that we can turn off...

#ifdef INSECURE
int securelevel = -1;
#else
int securelevel;
#endif

Here's a comment from <sys/systm.h> ...

 * Security levels are as follows:
 * -1 permanently insecure mode - always run system in level 0 mode.
 *  0 insecure mode - immutable and append-only flags may be turned off.
 *    All devices may be read or written subject to permission modes.
 *  1 secure mode - immutable and append-only flags may not be changed;
 *    raw disks of mounted filesystems, /dev/mem, and /dev/kmem are
 *    read-only.
 *  2 highly secure mode - same as (1) plus raw disks are always
 *    read-only whether mounted or not. This level precludes tampering
 *    with filesystems by unmounting them, but also inhibits running
 *    newfs while the system is secured.
 *
 * In normal operation, the system runs in level 0 mode while single user
 * and in level 1 mode while multiuser. If level 2 mode is desired while
 * running multiuser, it can be set in the multiuser startup script
 * (/etc/rc.local) using sysctl(1). If it is desired to run the system
 * in level 0 mode while multiuser, initialize the variable securelevel
 * in /sys/kern/kern_sysctl.c to -1. Note that it is NOT initialized to
 * zero as that would allow the kernel binary to be patched to -1.
 * Without initialization, securelevel loads in the BSS area which only
 * comes into existence when the kernel is loaded and hence cannot be
 * patched by a stalking hacker.
 */

Can someone commit this please?

Regards,
Mike Hancock
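As an added illustration (not code from the mail or from the FreeBSD tree), the following user-space model shows the proposed INSECURE initialisation pattern together with the policy the quoted comment describes, i.e. which operations each securelevel forbids. The enum `op_t`, `effective_securelevel()` and `securelevel_permits()` are hypothetical names chosen here; the -1 case is modelled as "behave as level 0", exactly as the comment states.

```c
#include <errno.h>
#include <stdio.h>

/* The initialisation pattern proposed in the mail: with INSECURE the
 * variable is initialised and lands in .data; without it, it stays in BSS,
 * which does not exist in the on-disk kernel image. */
#ifdef INSECURE
int securelevel = -1;
#else
int securelevel;
#endif

/* Hypothetical operation classes drawn from the quoted comment. */
typedef enum {
    OP_CLEAR_IMMUTABLE,  /* turn off immutable / append-only flags */
    OP_WRITE_RAWDISK,    /* write to a raw disk device */
    OP_WRITE_KMEM        /* write to /dev/mem or /dev/kmem */
} op_t;

/* -1 is "permanently insecure": the system behaves as level 0. */
int effective_securelevel(void)
{
    return securelevel < 0 ? 0 : securelevel;
}

/* Return 0 if the operation is permitted, EPERM if the current level
 * forbids it. `mounted` says whether the raw disk backs a mounted fs. */
int securelevel_permits(op_t op, int mounted)
{
    int lvl = effective_securelevel();
    switch (op) {
    case OP_CLEAR_IMMUTABLE:                   /* level 0 only */
    case OP_WRITE_KMEM:                        /* read-only from level 1 */
        return lvl >= 1 ? EPERM : 0;
    case OP_WRITE_RAWDISK:
        if (lvl >= 2) return EPERM;            /* always read-only */
        if (lvl >= 1 && mounted) return EPERM; /* mounted disks read-only */
        return 0;
    }
    return EPERM;                              /* unknown op: deny */
}

int main(void)
{
    securelevel = 1;   /* multiuser default described in the comment */
    printf("level 1, newfs on an unmounted disk: %s\n",
           securelevel_permits(OP_WRITE_RAWDISK, 0) ? "denied" : "allowed");
    return 0;
}
```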