Message-Id: <200101060231.TAA24752@faith.cs.utah.edu>
Subject: Re: changing kernsecurelevel
To: kaworu@sektor7.ath.cx (Evan S)
Date: Fri, 5 Jan 2001 19:31:35 -0700 (MST)
Cc: emechler@techometer.net (Erick Mechler), peter@sysadmin-inc.com (Peter Brezny), freebsd-security@FreeBSD.ORG
In-Reply-To: from "Evan S" at Jan 05, 2001 09:30:22 PM
From: "David G. Andersen"

Grep the source, Luke. :)

/usr/src/sys/kern/kern_mib.c

        if (level < securelevel)
                return (EPERM);

If you remove these two lines, you'll demolish the point of securelevels..
er, you'll accomplish what you want. :-)

   -Dave

Lo and behold, Evan S once said:
>
> I know this may seem crazy. But, I _want_ to be able to lower the secure
> level. What part of the source would I need to edit in order to fix this?
>
> I have some special circumstances.. I run a public root-access machine.
>
> Thanks,
>
> Evan Sarmiento (kaworu@sektor7.ath.cx)
> http://sekt7.org/es
>
> On Fri, 5 Jan 2001, Erick Mechler wrote:
>
> > You can't change the securelevel to anything lower without rebooting
> > the machine, but you can raise it. If you could lower it using some
> > userland command, it won't really be that secure, no?
> >
> > From the securelevel manpage:
> >
> >   The kernel runs with four different levels of security. Any super-user
> >   process can raise the security level, but no process can lower it.
> >
> > The securelevel definitions are also on the same manpage.
> >
> > Regards,
> > Erick
> >
> > At Fri, Jan 05, 2001 at 08:49:21PM -0800, Peter Brezny said this:
> > :: How can I change the sysctl kern.securelevel from 2 to -1 without rebooting
> > :: the machine?
> > ::
> > :: I've run into problems installing new kernels with a kernelsecure level of
> > :: 2, but so far, the only way I've figured out to change the kernel secure
> > :: level is to modify rc.conf, changing the secure level and rebooting the
> > :: machine.
> > ::
> > :: How do I accomplish this without a reboot, or, if I am going at it all
> > :: wrong, how do I rebuild the kernel of a machine with a kern.securelevel=2?
> > ::
> > :: TIA
> > ::
> > :: Peter Brezny
> > :: SysAdmin Services Inc.
> > ::
> > :: To Unsubscribe: send mail to majordomo@FreeBSD.org
> > :: with "unsubscribe freebsd-security" in the body of the message
>

--
work: dga@lcs.mit.edu                          me: dga@pobox.com
      MIT Laboratory for Computer Science          http://www.angio.net/
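The raise-only rule enforced by the two quoted lines, and why it blocks a kernel install at securelevel 2, shown as an added user-space model (not the FreeBSD source and not code from this thread). All `model_*` names are hypothetical; the model assumes the documented rule that system immutable (schg) flags cannot be cleared above securelevel 0, and that the installed kernel file carries schg.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* User-space model; all names are hypothetical, not FreeBSD kernel symbols. */
struct model_kernel { int securelevel; };   /* -1, 0, 1 or 2 */
struct model_file   { bool schg; };         /* system immutable flag */

/* Models a write to kern.securelevel by a process. */
int model_set_securelevel(struct model_kernel *k, bool superuser, int level)
{
    if (!superuser)
        return EPERM;               /* only the super-user may write it */
    if (level < k->securelevel)     /* the check quoted in the thread */
        return EPERM;               /* raise-only: lowering is refused */
    k->securelevel = level;         /* equal or higher is accepted */
    return 0;
}

/* Models "chflags noschg": refused whenever securelevel is above 0. */
int model_clear_schg(const struct model_kernel *k, struct model_file *f)
{
    if (k->securelevel > 0)
        return EPERM;
    f->schg = false;
    return 0;
}

/* Models installing a kernel over an schg-protected file. */
int model_install_kernel(const struct model_kernel *k, struct model_file *f)
{
    if (f->schg && model_clear_schg(k, f) != 0)
        return EPERM;               /* file stays immutable, install fails */
    return 0;
}

int main(void)
{
    struct model_kernel k = { 2 };          /* constructed state: level 2 */
    struct model_file kernel_file = { true };

    printf("lower 2 -> -1: %d\n", model_set_securelevel(&k, true, -1));
    printf("install at level %d: %d\n", k.securelevel,
           model_install_kernel(&k, &kernel_file));
    k.securelevel = -1;                     /* stands in for a reboot at -1 */
    printf("install at level %d: %d\n", k.securelevel,
           model_install_kernel(&k, &kernel_file));
    return 0;
}
```

Deleting the `level < k->securelevel` branch makes the first call succeed for any root process, which is the trade-off Dave's reply points at.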