From owner-freebsd-security Sun Jun 9 13:45:06 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA19792 for security-outgoing; Sun, 9 Jun 1996 13:45:06 -0700 (PDT)
Received: from halloran-eldar.lcs.mit.edu (halloran-eldar.lcs.mit.edu [18.26.0.159]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id NAA19762 for ; Sun, 9 Jun 1996 13:44:58 -0700 (PDT)
Received: by halloran-eldar.lcs.mit.edu; (5.65/1.1.8.2/19Aug95-0530PM) id AA08601; Sun, 9 Jun 1996 16:44:52 -0400
Date: Sun, 9 Jun 1996 16:44:52 -0400
From: Garrett Wollman
Message-Id: <9606092044.AA08601@halloran-eldar.lcs.mit.edu>
To: Brian Tao
Cc: FREEBSD-SECURITY-L
Subject: Effects of kern.securelevel >= 0
In-Reply-To:
References:
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

< said:

> According to /sys/sys/systm.h, single user mode should be
> associated with kern.securelevel=0 and multiuser mode with
> kern.securelevel=1. Should the default /etc/rc have the appropriate
> sysctl call?

No. It is automatically increased by init if it starts out as >=0. Like the comment in the file says, you should delete the initializer in the source file if you want to enable security features.

> Also, are there any caveats to running an ISP shell login server
> with securelevel 2? I recall that an old version of XFree86 would
> complain at level 1+ because it seemed to want to write to /dev/mem
> (VGA memory access?). I can't think of any side effects (no user
> should be fiddling with raw disk devices anyway).

Unfortunately, there are still a number of other holes, like /dev/io, that would need to be closed before this was a truly ``safe'' environment.

> My main concern was the ability to turn off schg/sappnd flags at
> level -1 or 0. I suppose, however, that if someone was able to
> execute commands as root, that person could just add commands to
> /etc/rc to do their dirty deeds and reboot the machine... :(

That's why, when setting up a secure system, you have to make /etc/rc, and all the files it depends on, immutable, and all the important system directories append-only.

-GAWollman

--
Garrett A. Wollman   | Shashish is simple, it's discreet, it's brief. ...
wollman@lcs.mit.edu  | Shashish is the bonding of hearts in spite of distance.
Opinions not those of| It is a bond more powerful than absence. We like people
MIT, LCS, ANA, or NSA| who like Shashish. - Claude McKenzie + Florent Vollant
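
An added example, not part of the original message: a small audit of the hardening described above, checking that boot files carry `schg` and that the securelevel is high enough that root cannot clear the flag again. It assumes FreeBSD `ls -lo` output (flags in column 5, `-` when none); the function names, file names and sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example. Input format assumed: FreeBSD `ls -lo` lines, i.e.
# mode links owner group FLAGS size month day time name

# Print the paths from an `ls -lo` listing on stdin that lack flag $1.
# (Paths containing spaces are not handled.)
missing_flag() {
    awk -v want="$1" '
        NF >= 10 {
            n = split($5, flags, ",")
            found = 0
            for (i = 1; i <= n; i++) if (flags[i] == want) found = 1
            if (!found) print $NF
        }'
}

# Succeed only if securelevel $1 prevents clearing schg/sappnd
# (the thread notes the flags can be turned off at level -1 or 0).
flags_locked() {
    [ "$1" -ge 1 ]
}

# audit LEVEL FLAG: listing on stdin; returns non-zero on any finding.
audit() {
    unprotected=$(missing_flag "$2")
    status=0
    if ! flags_locked "$1"; then
        echo "securelevel $1: root can still clear schg/sappnd"
        status=1
    fi
    if [ -n "$unprotected" ]; then
        echo "missing $2:"
        echo "$unprotected"
        status=1
    fi
    return $status
}

# Constructed sample listing (not from a real host).
SAMPLE_LISTING='-r--r--r--  1 root  wheel  schg 4735 Jun  9 13:00 /etc/rc
-rw-r--r--  1 root  wheel  - 2210 Jun  9 13:00 /etc/rc.example
-r--r--r--  1 root  wheel  schg,nodump 1890 Jun  9 13:00 /etc/rc.helper'

printf '%s\n' "$SAMPLE_LISTING" | audit 0 schg || true
```

On a live FreeBSD host the same functions can be fed real data, for example `ls -lo /etc/rc | audit "$(sysctl -n kern.securelevel)" schg`, and `ls -lod` on directories with `sappnd` as the flag.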