Date: Fri, 5 Jan 2001 23:15:00 -0500 (EST)
To: Peter Brezny
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: changing kernsecurelevel

On Fri, 5 Jan 2001, Peter Brezny wrote:

> How can I change the sysctl kern.securelevel from 2 to -1 without rebooting
> the machine.

You can't :-) Hence the word "secure" level. If you could, what would be the
point of it?

> I've run into problems installing new kernels with a kernelsecure level of
> 2, but so far, the only way I've figured out to change the kernel secure
> level is to modify rc.conf, changing the secure level and rebooting the
> machine.

You are correct. Once the system is booted into a securelevel, whether it's
-1, 0, 1, 2 or 3, it can't be lowered. Any root-owned process can RAISE it but
nothing can lower it.

> How do I accomplish this without a reboot, or, if I am going at it all
> wrong, how do I rebuild the kernel of a machine with a kern.securelevel=2?

You can't. The kernel will not install because the chflags when installing a
kernel always add the immutable flag to it. So if you run in SL 2 you can't
overwrite the kernel in place unless you boot to a SL of -1 or 0. chflags set
on a file or device cannot be changed or altered at all in SL 1+. Man init
for more info on this.
=============================================================================
-Chris Watson         (316) 326-3862 | FreeBSD Consultant, FreeBSD Geek
Work: scanner@jurai.net              | Open Systems Inc., Wellington, Kansas
Home: scanner@deceptively.shady.org  | http://open-systems.net
=============================================================================
WINDOWS: "Where do you want to go today?"
LINUX: "Where do you want to go tomorrow?"
BSD: "Are you guys coming or what?"
=============================================================================
irc.openprojects.net #FreeBSD -Join the revolution!
ICQ: 20016186
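
The reply above comes down to two inputs: the running securelevel and the flags on the kernel file. The following pre-flight check is an added example, not part of the original message. The function names, the verdict strings and the `--live` switch are hypothetical, the kernel path is left as an argument, and the treatment of the user flags (uchg, uappnd) follows chflags(1) rather than the message.

```shell
#!/bin/sh
# Added example: can this kernel file be replaced without a reboot?
# Semantics per init(8):
#   securelevel <= 0 : root may clear system flags (schg, sappnd)
#   securelevel >= 1 : system flags cannot be cleared, and the level can
#                      only be raised, so a reboot into a lower level is needed

# verdict LEVEL FLAGS
#   LEVEL  output of `sysctl -n kern.securelevel`
#   FLAGS  flags column of `ls -ldo FILE` (comma-separated, "-" if none)
verdict() {
    level=$1 flags=$2
    case $level in                       # accept only an optionally signed integer
        ''|-|*[!0-9-]*|?*-*) echo invalid-level; return 0 ;;
    esac
    case ",$flags," in
        *,schg,*|*,sappnd,*) ;;          # system flag: the securelevel decides
        *,uchg,*|*,uappnd,*)             # user flag: root can clear it at any level
            echo clear-flag-then-install; return 0 ;;
        *) echo install; return 0 ;;     # no flag blocks the overwrite
    esac
    if [ "$level" -le 0 ]; then
        echo clear-flag-then-install     # chflags noschg FILE works here
    else
        echo reboot-required             # lower kern_securelevel in rc.conf first
    fi
}

# check_host FILE: read the live values (FreeBSD only) and print the verdict.
check_host() {
    level=$(sysctl -n kern.securelevel) || return 1
    flags=$(ls -ldo "$1" | awk '{print $5}') || return 1
    echo "securelevel=$level flags=$flags -> $(verdict "$level" "$flags")"
}

# Query the running system only when asked: sh check.sh --live /path/to/kernel
if [ "${1:-}" = "--live" ] && [ -n "${2:-}" ]; then
    check_host "$2"
fi
```

Running it before the kernel install step shows up front whether a reboot window has to be scheduled.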