From owner-freebsd-current Wed Oct 2 15:00:11 1996
Return-Path: owner-current
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3)
    id PAA10060 for current-outgoing; Wed, 2 Oct 1996 15:00:11 -0700 (PDT)
Received: from shogun.tdktca.com ([206.26.1.21]) by freefall.freebsd.org
    (8.7.5/8.7.3) with ESMTP id PAA10048 for ;
    Wed, 2 Oct 1996 15:00:05 -0700 (PDT)
Received: from shogun.tdktca.com (daemon@localhost) by shogun.tdktca.com
    (8.7.2/8.7.2) with ESMTP id RAA20666 for ;
    Wed, 2 Oct 1996 17:00:03 -0500 (CDT)
Received: from fa.tdktca.com (bsd.fa.tdktca.com [163.49.131.129])
    by shogun.tdktca.com (8.7.2/8.7.2) with ESMTP id RAA20659 for ;
    Wed, 2 Oct 1996 17:00:02 -0500 (CDT)
Received: (from alex@localhost) by fa.tdktca.com (8.7.5/8.6.12)
    id RAA19676; Wed, 2 Oct 1996 17:01:07 -0500 (CDT)
Date: Wed, 2 Oct 1996 17:01:07 -0500 (CDT)
From: Alex Nash
To: Michael Hancock
cc: Garrett Wollman , current@freebsd.org
Subject: Re: Immutable flags (was: Re: WARNING: botched ld.so commit! :-()
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-current@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

On Thu, 3 Oct 1996, Michael Hancock wrote:

> On Wed, 2 Oct 1996, Garrett Wollman wrote:
>
> > Ummm, INITIAL_IMMUTABLE_LEVEL? This doesn't mean anything to me.
>
> It was just a suggestion for a kernel config opt.
>
> BSDI and NetBSD use INSECURE, but this convention would surprise many
> people. I would like to have an option, I don't really care what it is
> called.
>
> /kernel is marked immutable. I'd like to be able to configure systems
> such that you can't change the flags unless you are in single user mode
> even if you're root.

I believe you can do this by booting up with securelevel == 0 (as
opposed to the default of -1). When the system switches to multi-user
mode, init upgrades securelevel to 1, preventing the immutable flags
from being changed. When downgraded to single-user mode, init changes
securelevel back to 0, allowing you to alter the immutable flags.

Alex
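
Added example, not part of Alex's message or FreeBSD's own code: a shell check for the situation discussed above, where /kernel carries the immutable flag but the flag only binds root once securelevel is 1 or higher. It assumes FreeBSD `ls -lo` prints file flags in the fifth column and shows the system-immutable flag as `schg`; the function names and sample lines are constructed for illustration.

```sh
#!/bin/sh
# Added example: decide whether a file's system-immutable flag is really
# enforced, given the kernel securelevel and one line of `ls -lo` output.

# flags_of "<ls -lo line>" -> prints the flags column ("schg", "-", ...)
# Assumption: flags are field 5 (mode, links, owner, group, flags, ...).
flags_of() {
    printf '%s\n' "$1" | awk '{ print $5 }'
}

# immutable_status <securelevel> "<ls -lo line>"
#   not-immutable       file has no schg flag at all
#   changeable-by-root  schg is set, but securelevel <= 0 lets root clear it
#   enforced            schg is set and securelevel >= 1 blocks flag changes
immutable_status() {
    level=$1
    flags=$(flags_of "$2")
    # Flags may be a comma-separated list, so match schg as a whole item.
    case ",$flags," in
        *,schg,*) ;;
        *) echo "not-immutable"; return 0 ;;
    esac
    if [ "$level" -ge 1 ]; then
        echo "enforced"
    else
        echo "changeable-by-root"
    fi
}

# Constructed sample lines (not captured from a real system).
SAMPLE_KERNEL='-r-xr-xr-x  1 root  wheel  schg 1048576 Oct  2 17:01 /kernel'
SAMPLE_PLAIN='-rw-r--r--  1 root  wheel  - 512 Oct  2 17:01 /etc/motd'

# Walk the levels from the message: -1 (default), 0 (single-user), 1 (multi-user).
for lvl in -1 0 1; do
    echo "securelevel $lvl: /kernel is $(immutable_status "$lvl" "$SAMPLE_KERNEL")"
done
echo "securelevel 1: /etc/motd is $(immutable_status 1 "$SAMPLE_PLAIN")"

# On a live FreeBSD host the inputs would come from:
#   immutable_status "$(sysctl -n kern.securelevel)" "$(ls -lo /kernel)"
```

A result of `changeable-by-root` on a multi-user system means the flag is set but root can still clear it at the current securelevel.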