Date: Sun, 1 Jun 2003 17:31:56 -0400 From: Rory Arms <rorya@TrueStep.com> To: freebsd-current@freebsd.org Subject: Re: installing kernel with securelevel set to 2 Message-ID: <781BFFBC-9478-11D7-B397-000502D78289@TrueStep.com>
next in thread | raw e-mail | index | archive | help
I think I answered my own question. The kernel isn't installed with immutable flags to begin with -- So, my question is, why is this? I thought the advantage of making the kernel immutable was to better protect the system if root was compromised? I searched the archives regarding this, but found nothing that related to it. -rory > From: Rory Arms <rorya@TrueStep.com> > Date: Sun Jun 1, 2003 17:07:53 US/Eastern > To: freebsd-current@freebsd.org > Subject: installing kernel with securelevel set to 2 > X-Mailer: Apple Mail (2.552) > > FreeBSD-current@ > > I just tried installing a kernel after compiling May 31st source and > figured I would have to reboot to a lower securelevel, as I'm running > with kern.securelevel set to 2. However, it slipped my mind and i've > noticed it installed anyhow. Has this behavior changed? I thought that > the kernel file (/boot/kernel/kernel) and its modules could not be > replaced at that securelevel? Note: I'm currently running an April 6th > -CURRENT. Also, all filesystems are UFS1, currently. > > As you can see, it installed kernel just fine for some reason. In the > past, if the machine was running in secure mode it would stop at this > point: > > [...] > cd /usr/obj/usr/src/sys/TSERVER; MAKEOBJDIRPREFIX=/usr/obj > MACHINE_ARCH=i386 MACHINE=i386 CPUTYPE=i686 > GROFF_BIN_PATH=/usr/obj/usr/src/i386/legacy/usr/bin > GROFF_FONT_PATH=/usr/obj/usr/src/i386/legacy/usr/share/groff_font > GROFF_TMAC_PATH=/usr/obj/usr/src/i386/legacy/usr/share/tmac > PATH=/usr/obj/usr/src/i386/legacy/usr/sbin:/usr/obj/usr/src/i386/ > legacy/usr/bin:/usr/obj/usr/src/i386/legacy/usr/games:/usr/obj/usr/ > src/i386/usr/sbin:/usr/obj/usr/src/i386/usr/bin:/usr/obj/usr/src/i386/ > usr/games:/sbin:/bin:/usr/sbin:/usr/bin make KERNEL=kernel install > thiskernel=`sysctl -n kern.bootfile` ; if [ "$thiskernel" = > /boot/kernel.old/kernel ] ; then chflags -R noschg /boot/kernel ; rm > -rf /boot/kernel ; else if [ -d /boot/kernel.old ] ; then chflags > -R noschg /boot/kernel.old ; rm -rf /boot/kernel.old ; fi ; mv > /boot/kernel /boot/kernel.old ; if [ "$thiskernel" = > /boot/kernel/kernel ] ; then sysctl > kern.bootfile=/boot/kernel.old/kernel ; fi; fi > kern.bootfile: /boot/kernel/kernel -> /boot/kernel.old/kernel > mkdir -p /boot/kernel > install -p -m 555 -o root -g wheel kernel /boot/kernel > cd /usr/src/sys/modules; > MAKEOBJDIRPREFIX=/usr/obj/usr/src/sys/TSERVER/modules > KMODDIR=/boot/kernel MACHINE=i386 make install > [...] > > Looks like it was able to remove the immutable flag w/o a problem, > which isn't supposed to be allowed at securelevel 1 or 2. > > From securelevel(8): > > 1 Secure mode - the system immutable and system append-only > flags may > not be turned off; disks for mounted file systems, > /dev/mem, and > /dev/kmem may not be opened for writing; kernel modules (see > kld(4)) may not be loaded or unloaded. > > 2 Highly secure mode - same as secure mode, plus disks may > not be > opened for writing (except by mount(2)) whether mounted or > not. > This level precludes tampering with file systems by > unmounting > them, but also inhibits running newfs(8) while the system > is multi- > user. > > Here's how I checked the securelevel: > # sysctl kern.securelevel > kern.securelevel: 2 > # > > Also, checking the flags on "/boot/kernel/kernel" after the "make -j2 > kernelinstall" there appears to be no flags set on the kernel file or > any of its modules: > > # ls -lo /boot/kernel/kernel > -r-xr-xr-x 1 root wheel - 3553557 Jun 1 16:24 /boot/kernel/kernel > # > > Odd, no? Is there a new sysctl(8) directive that I'm missing? Maybe > its a bug that's been fixed since Apr. 6th. > > Thanks, > > -rory > >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?781BFFBC-9478-11D7-B397-000502D78289>