From owner-freebsd-security Wed Sep 17 14:07:35 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.7/8.8.7) id OAA11424 for security-outgoing; Wed, 17 Sep 1997 14:07:35 -0700 (PDT)
Received: from cyrus.watson.org (robert@AMALTHEA.RES.CMU.EDU [128.2.91.57]) by hub.freebsd.org (8.8.7/8.8.7) with ESMTP id OAA11411 for ; Wed, 17 Sep 1997 14:07:26 -0700 (PDT)
Received: from localhost (robert@localhost) by cyrus.watson.org (8.8.5/8.8.5) with SMTP id RAA03135; Wed, 17 Sep 1997 17:04:40 -0400 (EDT)
Date: Wed, 17 Sep 1997 17:04:40 -0400 (EDT)
From: Robert Watson
Reply-To: Robert Watson
To: Sean Kelly
cc: security@FreeBSD.ORG
Subject: Re: schg flag...
In-Reply-To: <3420092B.7B59AA48@fsl.noaa.gov>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

On Wed, 17 Sep 1997, Sean Kelly wrote:

> The schg flag can't be changed when the system is running in securelevel
> 1 or 2. See init(1) for more details.
>
> According to that man page, the securelevel is usually set in /etc/rc
> during bootup. A quick grep through /etc/* doesn't contain any
> reference to securelevel, though. You could probably add it yourself to
> your own rc files, but it'd be nice if there were an /etc/rc.conf entry
> for it.

The man page makes reference to the securemode being changed differently by init depending on its initial state:

--
If the security level is initially -1, then init leaves it unchanged. Otherwise, init arranges to run the system in level 0 mode while single user and in level 1 mode while multiuser. If level 2 mode is desired while running multiuser, it can be set while single user, e.g., in the startup script /etc/rc, using sysctl(8).
--

This seems to imply that perhaps a kernel configuration option could be used to set it initially to 0 instead of -1.

So my question is this --- how does the appendonly flag interact with move, newsyslog, etc.

Ideally, logged material could be added to, but never deleted. However, is this handled by inode, by open file, etc? If I set the appendonly flag on /var/log/messages, it will most likely work in the correct securelevel. If I do a mv messages messages.0, does it move it (only change to the directory reference, not to the file)? How does this work with hard links? If I create a hard link to a syschg'd file in /var/tmp, presumably it retains the same property. Can it no longer be removed by anyone, including superuser?

Newsyslog assumes the ability to rename files, create new files, etc. Presumably newsyslog used with the append-only flag would be a bad thing.

Also, if you're going to use rc/rc.conf/etc to set securelevel, you need to do a syschg on /etc/rc, /etc/rc.conf, /etc/rc.anythingelsethatrunsbeforerc.local, /bin/sh, the libraries it might or might not be linked against, sysctl itself, etc. Turning on securelevel can dissuade people, but will not stop them if you do it wrong -- if all you need to do is reboot the machine to turn it off or set it as you please, this is undesirable. Similarly, every command run by rc is now suspect -- the [ evaluator, mount, ifconfig, etc. A kernel flag makes much more sense.

Robert N Watson
Junior, Logic+Computation, Carnegie Mellon University http://www.cmu.edu/
Network Administrator, SafePort Network Services http://www.safeport.com/
robert@fledge.watson.org rwatson@safeport.com http://www.watson.org/~robert/
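The message above asks whether append-only is a property of the inode, the open file or the directory entry, and what mv and hard links do to it. The following script is an added example (not part of Robert Watson's message or of FreeBSD itself) that makes the underlying point observable on any POSIX system: rename and hard link operate on directory entries and leave the inode untouched, while a copy allocates a fresh inode. The FreeBSD chflags(1) and securelevel commands are real but only appear in comments, since they need FreeBSD and root; the temporary directory, the sample log line and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example: shows which file operations preserve the inode. The schg
# and sappnd flags are stored in the inode (st_flags), so whatever keeps the
# inode keeps the flag, and the kernel checks the flag on every operation
# that reaches that inode through any name.

# Print the inode number of a path. ls -i is POSIX; stat(1) syntax differs
# between the BSD and GNU implementations.
inode_of() {
    ls -i "$1" | awk '{print $1}'
}

# Exercise rename, hard link and copy on a scratch file. Returns 0 when the
# observed behaviour matches the expectation: mv and ln keep the inode, cp
# allocates a new one.
inode_semantics() {
    dir=$(mktemp -d) || return 1
    # Constructed sample log line, stands in for /var/log/messages.
    printf 'Sep 17 17:04:40 host syslogd: constructed sample line\n' > "$dir/messages"
    orig=$(inode_of "$dir/messages")

    # Rename within one filesystem only rewrites directory entries; the
    # inode and its flags are untouched. On FreeBSD UFS a rename of an
    # schg/sappnd file is refused with EPERM for exactly that reason, which
    # is what breaks newsyslog's rotate-by-rename on a flagged log.
    mv "$dir/messages" "$dir/messages.0"
    after_mv=$(inode_of "$dir/messages.0")

    # A hard link is a second name for the same inode, so a flag would apply
    # through either name; UFS refuses to link an schg/sappnd file at all.
    ln "$dir/messages.0" "$dir/messages.link"
    after_ln=$(inode_of "$dir/messages.link")

    # A copy is a fresh inode carrying no flags: rotating by copy instead of
    # rename yields an unprotected archive file.
    cp "$dir/messages.0" "$dir/messages.copy"
    after_cp=$(inode_of "$dir/messages.copy")

    rm -rf "$dir"
    [ "$orig" = "$after_mv" ] && [ "$orig" = "$after_ln" ] && [ "$orig" != "$after_cp" ]
}

# On FreeBSD the flag itself is set and inspected with (as root):
#   chflags sappnd /var/log/messages    # append-only, stored in the inode
#   ls -lo /var/log/messages            # flags column shows "sappnd"
#   sysctl kern.securelevel             # >= 1: sappnd/schg can no longer be cleared
```

Run it with `sh script.sh && inode_semantics` sourced, or call `inode_semantics` directly; a zero exit status confirms that rename and link preserved the inode and the copy did not. The practical consequence for the question in the message is that an append-only flag protects the inode, not the name, so any rotation scheme that renames or unlinks the flagged file is refused at securelevel 1 or higher, and the flag has to be cleared in single-user mode before rotation or the log rotated by other means. Later FreeBSD releases also added kern_securelevel_enable and kern_securelevel to rc.conf(5), with the same caveat the message raises: every file involved in reaching that setting has to be protected as well.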