Date: Fri, 5 Jan 2001 22:34:26 -0500
From: Pete Fritchman
To: Evan S
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: changing kernsecurelevel
Message-ID: <20010105223426.C14203@databits.net>
References: <20010105182040.A62789@techometer.net>
In-Reply-To: ; from kaworu@sektor7.ath.cx on Fri, Jan 05, 2001 at 09:30:22PM -0500

If you really want to temporarily lower it for an install, you could change
your /etc/rc.conf value, reboot, install, change /etc/rc.conf back, reboot.

If you modified your source to allow lowering of securelevel and then still
used it, you'd be destroying any hint of what securelevel does for you.

-pete

++ 05/01/01 21:30 -0500 - Evan S:
>I know this may seem crazy. But, I _want_ to be able to lower the secure
>level. What part of the source would I need to edit in order to fix this?
>
>I have some special circumstances.. I run a public root-access machine.
>
>Thanks,
>
>Evan Sarmiento (kaworu@sektor7.ath.cx)
>http://sekt7.org/es
>
>On Fri, 5 Jan 2001, Erick Mechler wrote:
>
>> You can't change the securelevel to anything lower without rebooting
>> the machine, but you can raise it. If you could lower it using some
>> userland command, it won't really be that secure, no?
>>
>> From the securelevel manpage:
>>
>>     The kernel runs with four different levels of security. Any super-user
>>     process can raise the security level, but no process can lower it.
>>
>> The securelevel definitions are also on the same manpage.
>>
>> Regards,
>> Erick
>>
>> At Fri, Jan 05, 2001 at 08:49:21PM -0800, Peter Brezny said this:
>> :: How can I change the sysctl kern.securelevel from 2 to -1 without rebooting
>> :: the machine?
>> ::
>> :: I've run into problems installing new kernels with a kernelsecure level of
>> :: 2, but so far, the only way I've figured out to change the kernel secure
>> :: level is to modify rc.conf, changing the secure level and rebooting the
>> :: machine.
>> ::
>> :: How do I accomplish this without a reboot, or, if I am going at it all
>> :: wrong, how do I rebuild the kernel of a machine with a kern.securelevel=2?
>> ::
>> :: TIA
>> ::
>> :: Peter Brezny
>> :: SysAdmin Services Inc.

--
Pete Fritchman
Databits Network Services, Inc.


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
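
The rc.conf-and-reboot route described in the thread, sketched as an added example that is not part of any message above. It assumes FreeBSD's rc.conf variables kern_securelevel_enable and kern_securelevel; the function names are hypothetical and the rc.conf it edits is a constructed scratch file.

```sh
#!/bin/sh
# Added example, not from the thread. Assumes the FreeBSD rc.conf
# variables kern_securelevel_enable and kern_securelevel.

# Print the securelevel rc.conf would apply at the next boot, or "disabled".
configured_securelevel() {
    conf=$1
    (   # subshell: rc.conf is shell syntax, source it without leaking variables
        kern_securelevel_enable=NO
        kern_securelevel=-1
        . "$conf"
        case $kern_securelevel_enable in
            [Yy][Ee][Ss]) echo "$kern_securelevel" ;;
            *)            echo "disabled" ;;
        esac
    )
}

# Decide how to get from the running level to the target level.
# Raising works at runtime; lowering only via rc.conf and a reboot.
plan_change() {
    running=$1; target=$2
    if   [ "$target" -gt "$running" ]; then echo "sysctl"
    elif [ "$target" -lt "$running" ]; then echo "reboot"
    else echo "none"
    fi
}

# Rewrite kern_securelevel in an rc.conf file, keeping a .bak copy.
set_securelevel() {
    conf=$1; level=$2
    case $level in
        -1|0|1|2|3) ;;
        *) echo "invalid securelevel: $level" >&2; return 1 ;;
    esac
    cp -p "$conf" "$conf.bak" || return 1
    if grep -q '^kern_securelevel=' "$conf.bak"; then
        sed "s/^kern_securelevel=.*/kern_securelevel=\"$level\"/" "$conf.bak" > "$conf"
    else
        printf 'kern_securelevel="%s"\n' "$level" >> "$conf"
    fi
}

# Constructed sample: a scratch rc.conf, never the real /etc/rc.conf.
demo=$(mktemp -d)
printf 'kern_securelevel_enable="YES"\nkern_securelevel="2"\n' > "$demo/rc.conf"
echo "boot level: $(configured_securelevel "$demo/rc.conf")"
echo "2 -> -1 needs: $(plan_change 2 -1)"
set_securelevel "$demo/rc.conf" -1 && echo "next boot: $(configured_securelevel "$demo/rc.conf")"
rm -rf "$demo"
```

After the install, the same helper restores the original level in rc.conf; the second reboot (or a runtime raise with sysctl) puts the machine back at securelevel 2.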