Date: Thu, 10 Sep 1998 13:14:13 -0400 (EDT) From: Robert Watson <robert@cyrus.watson.org> To: Bruce Evans <bde@zeta.org.au> Cc: mark@grondar.za, tlambert@primenet.com, current@FreeBSD.ORG, max@wide.ad.jp Subject: Re: unremovable schg flag? Message-ID: <Pine.BSF.3.96.980910130954.27670C-100000@fledge.watson.org> In-Reply-To: <199809100925.TAA09021@godzilla.zeta.org.au>
next in thread | previous in thread | raw e-mail | index | archive | help
On Thu, 10 Sep 1998, Bruce Evans wrote: > >> > After struggling for some time, I went into the single user mode > >> > and clri'd that file. > > This shows that securelevel 1 isn't actually secure. (Starting from > the uninitialized shell variable kern_securelevel, /etc/rc sets the > kernel securelevel to 0. init(8) knows too much about securelevels > and bumps this to 1. Level 1 is a little bit insecure.) FreeBSD with secure levels is not secure, as the disk layout and binaries are not architected with securelevels as a goal. I have some discussion on my web page, but the main issue is that any binary run (or related config file) in a low secure level must be protected against modification by processes in a higher secure level. For example, to protect the securelevel setting mechanism: 1) init must be schg 2) /sbin holding init must be schg 3) /kernel mus tbe schg 3) /bin/sh (the shell used to run rc) must be schg 4) /etc/rc must be schg 5) Any bins run by /etc/rc before bumping the securelevel (including sysctl) must be schg You can pretty much apply this to any file touched prior to the bump. Similarly, remounting file systems should be prohibited above a certain securelevel. I believe directly modifying disk devices is already prohibited in high securelevels. However, there is no good way to protect single-user mode, as that assumes local console access to the machine. And there is little if anything one can do to protect against a local user (except to protect against the uninitiated :). Robert N Watson Carnegie Mellon University http://www.cmu.edu/ TIS Labs at Network Associates, Inc. http://www.tis.com/ SafePort Network Services http://www.safeport.com/ robert@fledge.watson.org http://www.watson.org/~robert/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-current" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.980910130954.27670C-100000>