Date: Fri, 22 Jun 2001 14:12:05 +0200
From: Erik Trulsson
To: Trond Endrestøl
Cc: FreeBSD stable
Subject: Re: init and securelevel
Message-ID: <20010622141205.A38969@student.uu.se>

On Fri, Jun 22, 2001 at 01:30:18PM +0200, Trond Endrestøl wrote:
> I run a server with securelevel set to 1.
>
> According to the man page for init, when securelevel is set to
> something greater than 0, then init arrange it so that securelevel is
> 0 when running single user, and then set to whatever you have in your
> /etc/rc.conf file when running multi user.

Almost. It is 0 when *booting* into single-user mode.
If you first go to multi-user mode and then drop into single-user mode
the securelevel will not be lowered.

>
> I noticed that this is no longer the case, shouldn't the man page be
> updated to reflect the new situation?
>

The manpage describes the situation correctly.
Note the part that says:

    Any super-user process can raise the security level, but no process
    can lower it.

init is a (super-user) process and can therefore raise the securelevel
but not lower it.

> Why is init no longer allowed to decrease the securelevel?
>

It has never been allowed to do that. The *only* way to decrease the
securelevel is to reboot.

> It's rather inconvenient to edit /etc/rc.conf and set
> kern_securelevel_enable to NO and subsequently reboot the machine in
> order to do a buildworld followed by an installworld.

Yes, it is inconvenient. Security and convenience are usually mutually
exclusive concepts.

>
> This is by the way on RELENG_3 (3.5-STABLE).
>
> Cvsup ran today just prior to today's first attempt to do a
> buildworld. After editing the /etc/rc.conf and rebooting, the
> buildworld runs just fine.
>

-- 
Erik Trulsson
ertr1013@student.uu.se
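
A pre-flight check for the procedure discussed in this message, as an added example that is not part of the original e-mail: it compares the running securelevel with what /etc/rc.conf will request on the next boot and says whether an upgrade can proceed, needs a reboot, or needs the rc.conf edit first. The function names and the sample rc.conf text are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the original message. Helper names are hypothetical.

# Print the value assigned to rc.conf variable $1 in the text on stdin.
# The last assignment wins, as it does when rc.conf is sourced by sh.
rc_value() {
    sed -n "s/^[[:space:]]*$1=[\"']\{0,1\}\([^\"'#[:space:]]*\).*/\1/p" | tail -n 1
}

# Securelevel the rc scripts will request after the next boot (rc.conf on stdin).
#   none    = kern_securelevel_enable is not YES, the level is left alone
#   default = enabled but kern_securelevel is not set in this file
boot_securelevel() {
    conf=$(cat)
    enable=$(printf '%s\n' "$conf" | rc_value kern_securelevel_enable)
    case "$enable" in
        [Yy][Ee][Ss])
            level=$(printf '%s\n' "$conf" | rc_value kern_securelevel)
            echo "${level:-default}" ;;
        *)  echo none ;;
    esac
}

# $1 = current kern.securelevel, rc.conf text on stdin.
# Prints: proceed | reboot | edit-and-reboot
preflight() {
    current=$1
    next=$(boot_securelevel)
    if [ "$current" -le 0 ]; then
        echo proceed            # levels 0 and below impose no restrictions
    elif [ "$next" = none ] || { [ "$next" != default ] && [ "$next" -le 0 ]; }; then
        echo reboot             # no process can lower the level; a reboot is enough
    else
        echo edit-and-reboot    # set kern_securelevel_enable="NO", then reboot
    fi
}

# Constructed sample input (not taken from any real host).
SAMPLE_RC_CONF='# constructed sample rc.conf
kern_securelevel_enable="YES"
kern_securelevel="1"'

# Demo on the sample; prints "edit-and-reboot".
printf '%s\n' "$SAMPLE_RC_CONF" | preflight 1
# On a FreeBSD host: preflight "$(sysctl -n kern.securelevel)" < /etc/rc.conf
```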