From owner-freebsd-hackers Fri Nov 7 12:21:27 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id MAA20758 for hackers-outgoing; Fri, 7 Nov 1997 12:21:27 -0800 (PST) (envelope-from owner-freebsd-hackers) Received: from sax.sax.de (sax.sax.de [193.175.26.33]) by hub.freebsd.org (8.8.7/8.8.7) with SMTP id MAA20749 for ; Fri, 7 Nov 1997 12:21:14 -0800 (PST) (envelope-from j@uriah.heep.sax.de) Received: (from uucp@localhost) by sax.sax.de (8.6.12/8.6.12-s1) with UUCP id VAA10090 for freebsd-hackers@freefall.FreeBSD.org; Fri, 7 Nov 1997 21:21:08 +0100 Received: (from j@localhost) by uriah.heep.sax.de (8.8.7/8.8.5) id VAA03629; Fri, 7 Nov 1997 21:16:36 +0100 (MET) Message-ID: <19971107211636.RD30963@uriah.heep.sax.de> Date: Fri, 7 Nov 1997 21:16:36 +0100 From: j@uriah.heep.sax.de (J Wunsch) To: freebsd-hackers@freefall.FreeBSD.org Subject: Re: root - can root do an asm("cli")? References: <199711070955.KAA27835@gil.physik.rwth-aachen.de> X-Mailer: Mutt 0.60_p2-3,5,8-9 Mime-Version: 1.0 X-Phone: +49-351-2012 669 X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F 93 21 E0 7D F9 12 D6 4E Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch) In-Reply-To: <199711070955.KAA27835@gil.physik.rwth-aachen.de>; from Christoph Kukulies on Nov 7, 1997 10:55:19 +0100 Sender: owner-freebsd-hackers@FreeBSD.ORG X-Loop: FreeBSD.org Precedence: bulk As Christoph Kukulies wrote: > Is there a difference between what the kernel can do vs. what > a root process can do with regard to priviliged instructions? Sure. > In particular: can a root process do an asm("cli"); and thus > block the whole system? Only by opening /dev/io. > Now someone tells me, root can do everything and can even do > that. Root always can do everything, by one or the other method. If you leave out the /dev/io security hole, well, write an LKM and load it, and voila!, it'll be part of the kernel. Things are different in FreeBSD iff securelevel > 0. -- cheers, J"org joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE Never trust an operating system you don't have sources for. ;-)