Date:      Wed, 17 Sep 1997 17:04:40 -0400 (EDT)
From:      Robert Watson <robert@cyrus.watson.org>
To:        Sean Kelly <kelly@fsl.noaa.gov>
Cc:        security@FreeBSD.ORG
Subject:   Re: schg flag...
Message-ID:  <Pine.BSF.3.96.970917165831.2986E-100000@cyrus.watson.org>
In-Reply-To: <3420092B.7B59AA48@fsl.noaa.gov>

On Wed, 17 Sep 1997, Sean Kelly wrote:

> The schg flag can't be changed when the system is running in securelevel
> 1 or 2.  See init(1) for more details.
> 
> According to that man page, the securelevel is usually set in /etc/rc
> during bootup.  A quick grep through /etc/* doesn't contain any
> reference to securelevel, though.  You could probably add it yourself to
> your own rc files, but it'd be nice if there were an /etc/rc.conf entry
> for it.

The man page makes reference to the securemode being changed differently
by init depending on its initial state:

--
     If the security level is initially -1, then init leaves it unchanged. 
Otherwise, init arranges to run the system in level 0 mode while single
user and in level 1 mode while multiuser.  If level 2 mode is desired
while running multiuser, it can be set while single user, e.g., in the
startup script /etc/rc, using sysctl(8). 
--

This seems to imply that perhaps a kernel configuration option could be
used to set it initially to 0 instead of -1.

So my question is this --- how does the appendonly flag interact with
move, newsyslog, etc.?  Ideally, logged material could be added to, but
never deleted.  However, is this handled by inode, by open file, etc?  If
I set the appendonly flag on /var/log/messages, it will most likely work
in the correct securelevel.  If I do a mv messages messages.0, does it
move it (only change to the directory reference, not to the file)?  How
does this work with hard links?  If I create a hard link to a syschg'd
file in /var/tmp, presumably it retains the same property.  Can it no
longer be removed by anyone, including superuser? 

Newsyslog assumes the ability to rename files, create new files, etc.
Presumably newsyslog used with the append-only flag would be a bad thing.

Also, if you're going to use rc/rc.conf/etc to set securelevel, you need
to do a syschg on /etc/rc, /etc/rc.conf,
/etc/rc.anythingelsethatrunsbeforerc.local, /bin/sh, the libraries it
might or might not be linked against, sysctl itself, etc.  Turning on
securelevel can dissuade people, but will not stop them if you do it wrong
-- if all you need to do is reboot the machine to turn it off or set it as
you please, this is undesirable.  Similarly, every command run by rc is
now suspect -- the [ evaluator, mount, ifconfig, etc.  A kernel flag makes
much more sense.



  Robert N Watson 

Junior, Logic+Computation, Carnegie Mellon University  http://www.cmu.edu/
Network Administrator, SafePort Network Services  http://www.safeport.com/
robert@fledge.watson.org rwatson@safeport.com http://www.watson.org/~robert/
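
An audit for the boot-chain point in the last paragraph of the message above, as an added example (Python, not part of the original e-mail or of FreeBSD): it reports every listed file that lacks the schg flag, and goes one step beyond the message by also checking each parent directory. The path list and the function names are assumptions made for illustration.

```python
import os
import stat

# Constructed list of things that run before securelevel is raised;
# the exact paths are assumptions, adjust them to the audited system.
BOOT_CHAIN = ["/etc/rc", "/etc/rc.conf", "/bin/sh", "/bin/[",
              "/sbin/sysctl", "/sbin/mount", "/sbin/ifconfig"]

def flags_of(path, stat_fn=os.stat):
    """Return the BSD file flags of path, or None if it cannot be stat'ed."""
    try:
        # st_flags only exists on BSD-derived systems; elsewhere report 0.
        return getattr(stat_fn(path), "st_flags", 0)
    except OSError:
        return None

def ancestors(path):
    """Yield every parent directory of an absolute path, up to the root."""
    path = os.path.dirname(path)
    while True:
        yield path
        parent = os.path.dirname(path)
        if parent == path:
            return
        path = parent

def audit(paths=BOOT_CHAIN, stat_fn=os.stat):
    """Return sorted (path, problem) pairs for entries without schg.

    Parent directories are checked as well: an unflagged directory can be
    renamed aside and recreated even when the files inside it are schg.
    """
    findings = set()
    for p in paths:
        p = os.path.abspath(p)
        for target in [p, *ancestors(p)]:
            fl = flags_of(target, stat_fn)
            if fl is None:
                findings.add((target, "missing"))
            elif not fl & stat.SF_IMMUTABLE:
                findings.add((target, "no schg"))
    return sorted(findings)

if __name__ == "__main__":
    for path, problem in audit():
        print(f"{problem:8} {path}")
```
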
