From owner-freebsd-security Fri Oct 15 9:54:23 1999 Delivered-To: freebsd-security@freebsd.org Received: from mercure.IRO.UMontreal.CA (mercure.IRO.UMontreal.CA [132.204.24.67]) by hub.freebsd.org (Postfix) with ESMTP id 48B9414D95 for ; Fri, 15 Oct 1999 09:54:08 -0700 (PDT) (envelope-from beaupran@IRO.UMontreal.CA) Received: from blm30.IRO.UMontreal.CA (IDENT:root@blm30.IRO.UMontreal.CA [132.204.21.76]) by mercure.IRO.UMontreal.CA (8.9.1/8.9.3) with ESMTP id MAA07124; Fri, 15 Oct 1999 12:53:41 -0400 Received: (from beaupran@localhost) by blm30.IRO.UMontreal.CA (8.9.1/8.9.1) id MAA03439; Fri, 15 Oct 1999 12:53:40 -0400 Full-Name: Antoine Beaupre X-Authentication-Warning: blm30.IRO.UMontreal.CA: beaupran set sender to beaupran@blm30.IRO.UMontreal.CA using -f From: Antoine Beaupre MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-ID: <14343.23571.679909.243732@blm30.IRO.UMontreal.CA> Date: Fri, 15 Oct 1999 12:53:39 -0400 (EDT) To: Mike Nowlin Cc: "Rashid N. Achilov" , freebsd-security@FreeBSD.ORG Subject: Re: kern.securelevel and X References: X-Mailer: VM 6.75 under Emacs 20.3.1 Reply-To: Spidey Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org The reference is man init: " The kernel runs with four different levels of security. Any superuser process can raise the security level, but only init can lower it. The security levels are: -1 Permanently insecure mode - always run the system in level 0 mode. This is the default initial value. 0 Insecure mode - immutable and append-only flags may be turned off. All devices may be read or written subject to their permissions. 1 Secure mode - the system immutable and system append-only flags may not be turned off; disks for mounted filesystems, /dev/mem, and /dev/kmem may not be opened for writing. 2 Highly secure mode - same as secure mode, plus disks may not be opened for writing (except by mount(2)) whether mounted or not. This level precludes tampering with filesystems by unmounting them, but also inhibits running newfs(8) while the system is multi-user. 3 Network secure mode - same as highly secure mode, plus IP packet filter rules (see ipfw(8) and ipfirewall(4)) can not be changed and dummynet configuration can not be adjusted. " (by the web manpages, 3.1-release) So that's exactly it. X cannot write to mem or kmem. I thought this was in securelevel 2, though. I guess there is no way to run X in secure level > 0, right? --- Big Brother told Mike Nowlin to write, at 00:39 of October 15: > > > Why I can't start X with kern.securelevel more than -1? > > > > When I attempt start X with kern.securelevel 1 or 2, startx crashed with > > "KBENBIO (or like that): Operation not permitted" > > It's been a while since I read something about this, but let's see how > good my memory is -- corrections welcomed.... :) > > When running with a >0 securelevel, X can't access the video memory due to > security restrictions (probably something about letting a non-kernel > process access any kind of I/O or memory port directly), so the X server > can't talk to the video card -- boom. > > Am I right? > > mike > > > > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message -- Si l'image donne l'illusion de savoir C'est que l'adage pretend que pour croire, L'important ne serait que de voir Lofofora To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message