From: void <void@f-m.fm>
To: freebsd-security@freebsd.org
Date: Fri, 27 Oct 2023 03:34:28 +0100
Subject: Re: securelevel 1

On Thu, Oct 26, 2023 at 11:36:22PM +0200, Dag-Erling Smørgrav wrote:
>void writes:
>> In order to accomplish what I'd like, I understand that I'd need to set +schg
>> on the individual logs, then set the securelevel afterwards and reboot.
>
>If you set the log file +schg, it can't be written to at all. That's
>obviously not what you want.

Yes, I'm sorry; I meant to type +sappnd

>If you set it +sappnd, it can be written to, and newsyslog will be able
>to rotate it; an attacker with superuser privileges will also be able to
>replace it with a doctored file.

Yes.
But if sappend is set on the required files, and then securelevel=1 is set,
then nothing can change the flag while the system is multiuser. That is, if
I'm understanding correctly?

So, on such a system, if I understand correctly, newsyslog would need to be
turned off.

Am I correct in understanding that securelevel could be lowered to -1 while
in single user mode (e.g. for the purposes of upgrading); one would have to
comment out the securelevel variables in rc.conf before booting multiuser?
newsyslog could be run on that occasion, then securelevel set to 1 again.

>There is no way to allow one without the other. The usual solution is
>to log to a remote machine.

That's planned.
--

From: Peter Pentchev <roam@ringlet.net>
Date: Mon, 30 Oct 2023 00:21:04 +0200
To: freebsd-security@freebsd.org
Subject: Re: securelevel 1

On Fri, Oct 27, 2023 at 03:34:28AM +0100, void wrote:
> On Thu, Oct 26, 2023 at 11:36:22PM +0200, Dag-Erling Smørgrav wrote:
> > void writes:
> > > In order to accomplish what I'd like, I understand that I'd need to set +schg
> > > on the individual logs, then set the securelevel afterwards and reboot.
> >
> > If you set the log file +schg, it can't be written to at all. That's
> > obviously not what you want.
>
> Yes, I'm sorry; I meant to type +sappnd
>
> > If you set it +sappnd, it can be written to, and newsyslog will be able
> > to rotate it; an attacker with superuser privileges will also be able to
> > replace it with a doctored file.
>
> Yes. But if sappend is set on the required files, and then securelevel=1
> is set, then nothing can change the flag while the system is multiuser.
> That is, if I'm understanding correctly?
>
> So, on such a system, if I understand correctly, newsyslog would need to be
> turned off.

newsyslog does not need to change the file; it renames the file, then it
tells syslog to start a new one (one that does not exist until that point
in time), and then newsyslog may also read the renamed file, compress the
data, write it to yet another new file, etc. So setting +sappnd on a
logfile should not prevent newsyslog from processing it.

However, the fact that the file is renamed and a brand new one is created
in its place probably means that the new logfile will *not* have the
+sappnd flag set.
G'luck,
Peter

--
Peter Pentchev  roam@ringlet.net roam@debian.org pp@storpool.com
PGP key:        http://people.FreeBSD.org/~roam/roam.key.asc
Key fingerprint 2EE7 A7A5 17FC 124C F115 C354 651E EFB0 2527 DF13
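The two messages above describe a maintenance loop: void wants +sappnd on the logs with securelevel raised to 1, and Peter points out that newsyslog rotates by renaming the current file, so the log syslogd then creates is a brand new inode without the flag. A practitioner running that setup wants a quick way to find which newsyslog-managed logs have lost the flag after each rotation, so the flag can be re-applied (at securelevel >= 1, from single-user mode). The following is an added example, not code from the thread or from FreeBSD: it parses newsyslog.conf(5) entries to collect the log paths and reports which ones lack the system append-only flag, treating the user flag uappnd (clearable by the file owner at any securelevel) as insufficient. The sample configuration text, the function names and the injectable flag reader are assumptions for illustration; on a BSD host the default reader uses os.lstat().st_flags.

```python
"""Audit newsyslog(8)-managed logs for the system append-only flag (sappnd).

Added example for the thread above.  newsyslog renames the active log and
syslogd creates a fresh one, so the new file does not inherit +sappnd; this
script lists every log named in a newsyslog.conf and reports which of them
lack SF_APPEND so the flag can be re-applied.
"""
import os
import stat
from typing import Callable, Dict, Iterable, List, Optional

# Python's stat module defines the BSD flag bits on every platform.
SF_APPEND = stat.SF_APPEND   # system append-only: chflags sappnd (protected at securelevel >= 1)
UF_APPEND = stat.UF_APPEND   # user append-only:   chflags uappnd (owner may clear it at any securelevel)

# Constructed sample, modelled on the stock newsyslog.conf(5) layout (not a real host's file).
SAMPLE_CONF = """\
# logfilename          [owner:group]  mode count size when  flags [/pid_file] [sig_num]
/var/log/all.log        600  7     *    @T00   J
/var/log/auth.log       600  7     1000 @0101T JC
/var/log/messages       644  5     100  *      JC
/var/log/security       600  10    100  *      JC
/var/log/utx.log        644  3     *    @01T05 B
<include> /etc/newsyslog.conf.d/[!.]*.conf
"""


def parse_newsyslog_conf(text: str) -> List[str]:
    """Return the log paths named in newsyslog.conf(5) text.

    Comments, blank lines and the <include>/<default> directives are skipped;
    a glob pattern used with the G flag is returned as written.
    """
    paths = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("<"):
            continue
        fields = line.split()
        if len(fields) < 5:          # logfilename mode count size when is the minimum
            continue
        paths.append(fields[0])
    return paths


def classify(st_flags: int) -> str:
    """Map a file's st_flags to what the thread cares about."""
    if st_flags & SF_APPEND:
        return "sappnd"
    if st_flags & UF_APPEND:
        return "uappnd-only"        # not what securelevel protects
    return "missing"


def live_flags(path: str) -> Optional[int]:
    """Read st_flags from the filesystem; None if the log does not exist yet.

    st_flags only exists on BSD-derived systems; elsewhere every file reads as 0.
    """
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    return getattr(st, "st_flags", 0)


def audit(paths: Iterable[str],
          flags_of: Callable[[str], Optional[int]] = live_flags) -> Dict[str, str]:
    """Classify each configured log; 'absent' covers logs newsyslog's C flag will create later."""
    report = {}
    for path in paths:
        flags = flags_of(path)
        report[path] = "absent" if flags is None else classify(flags)
    return report


def needs_attention(report: Dict[str, str]) -> List[str]:
    """Logs that would need chflags sappnd (re-)applied from single-user mode."""
    return sorted(path for path, status in report.items() if status != "sappnd")


if __name__ == "__main__":
    import sys
    conf = sys.argv[1] if len(sys.argv) > 1 else "/etc/newsyslog.conf"
    with open(conf) as fh:
        report = audit(parse_newsyslog_conf(fh.read()))
    for path in needs_attention(report):
        print(f"{report[path]:12} {path}")
```

Run it as root on the FreeBSD host after a rotation (or from cron after newsyslog's own run); it only reports, since at securelevel 1 the chflags call itself has to happen from single-user mode, as the thread says.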