Date: Fri, 22 Jun 2001 14:12:05 +0200
From: Erik Trulsson <ertr1013@student.uu.se>
To: Trond Endrestøl <trond@ramstind.gtf.ol.no>
Cc: FreeBSD stable <freebsd-stable@freebsd.org>
Subject: Re: init and securelevel
Message-ID: <20010622141205.A38969@student.uu.se>
In-Reply-To: <Pine.BSF.4.31.0106221310430.63400-100000@ramstind.gtf.ol.no>
References: <Pine.BSF.4.31.0106221310430.63400-100000@ramstind.gtf.ol.no>

On Fri, Jun 22, 2001 at 01:30:18PM +0200, Trond Endrestøl wrote:
> I run a server with securelevel set to 1.
>
> According to the man page for init, when securelevel is set to
> something greater than 0, then init arranges it so that securelevel is
> 0 when running single user, and then set to whatever you have in your
> /etc/rc.conf file when running multi user.

Almost. It is 0 when *booting* into single-user mode. If you first go to
multi-user mode and then drop into single-user mode the securelevel will
not be lowered.

>
> I noticed that this is no longer the case, shouldn't the man page be
> updated to reflect the new situation?
>

The manpage describes the situation correctly.
Note the part that says:

    Any super-user process can raise the security level, but no process
    can lower it.

init is a (super-user) process and can therefore raise the securelevel
but not lower it.

> Why is init no longer allowed to decrease the securelevel?
>

It has never been allowed to do that. The *only* way to decrease the
securelevel is to reboot.

> It's rather inconvenient to edit /etc/rc.conf and set
> kern_securelevel_enable to NO and subsequently reboot the machine in
> order to do a buildworld followed by an installworld.

Yes, it is inconvenient. Security and convenience are usually mutually
exclusive concepts.

>
> This is by the way on RELENG_3 (3.5-STABLE).
>
> Cvsup ran today just prior to today's first attempt to do a
> buildworld. After editing the /etc/rc.conf and rebooting, the
> buildworld runs just fine.
>

-- 
<Insert your favourite quote here.>
Erik Trulsson
ertr1013@student.uu.se
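
The rule discussed in this thread (the securelevel can be raised but only a reboot lowers it) turned into a pre-flight check for installworld. This is an added example, not part of the original message: the function names and the sample rc.conf are constructed, and it assumes `kern_securelevel` is the rc.conf variable that holds the level applied when `kern_securelevel_enable` is YES.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# rc_value FILE VAR: print the last value assigned to VAR in an rc.conf-style file.
rc_value() {
    sed -n "s/^[[:space:]]*$2=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# installworld_plan CURRENT_LEVEL RC_CONF
# CURRENT_LEVEL is the value `sysctl -n kern.securelevel` reports on the running host.
# Assumption: at level 1 or higher installworld fails, because it has to replace
# files protected by the system immutable (schg) flag.
installworld_plan() {
    current=$1
    rc=$2
    if [ "$current" -lt 1 ]; then
        echo "proceed"                       # nothing to lower
        return 0
    fi
    # No process can lower the level, so from here a reboot is unavoidable.
    # What remains is whether rc.conf would raise it again on the next boot.
    enable=$(rc_value "$rc" kern_securelevel_enable)
    level=$(rc_value "$rc" kern_securelevel)
    case "$enable" in
        [Yy][Ee][Ss])
            case "$level" in
                -1|0) echo "reboot" ;;
                # Missing or unparsable level: assume it raises (conservative).
                *)    echo "edit-rc-conf-then-reboot" ;;
            esac ;;
        *)  echo "reboot" ;;
    esac
}

# write_sample_rc FILE: constructed rc.conf fragment resembling the poster's setup.
write_sample_rc() {
    cat > "$1" <<'EOF'
hostname="example.invalid"
kern_securelevel_enable="YES"   # constructed sample value
kern_securelevel="1"
EOF
}

# On a real host: installworld_plan "$(sysctl -n kern.securelevel)" /etc/rc.conf
```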