From owner-freebsd-current Wed May 28 23:04:45 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id XAA27001 for current-outgoing; Wed, 28 May 1997 23:04:45 -0700 (PDT) Received: from gw.softec.sk (gw.softec.sk [194.196.214.34]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id XAA26993 for ; Wed, 28 May 1997 23:04:40 -0700 (PDT) Received: (from mail@localhost) by gw.softec.sk (8.8.5/8.8.5) id IAA04561 for ; Thu, 29 May 1997 08:04:33 +0200 (CEST) Received: from softec.softec.sk(193.87.236.1) by gw.softec.sk via smap (V2.0) id xma004557; Thu, 29 May 97 08:04:28 +0200 Received: from cleopatra.softec.sk by softec.softec.sk id aa02436; 29 May 97 8:09 CET Received: by cleopatra.softec.sk with SMTP (Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5) id <01BC6C07.0351E1C0@cleopatra.softec.sk>; Thu, 29 May 1997 08:05:03 +0200 Message-ID: From: "Basti, Zoltan" To: "'freebsd-current@freebsd.org'" Subject: RE: Lowering securelevel with gdb Date: Thu, 29 May 1997 08:05:02 +0200 X-Mailer: Microsoft Exchange Server Internet Mail Connector Version 4.0.993.5 Encoding: 18 TEXT Sender: owner-current@freebsd.org X-Loop: FreeBSD.org Precedence: bulk > >> A while ago there has been a discussion on freebsd-security >> about the possibility of lowering securelevel by attaching to init >> with gdb. Looking at the -current sources it seems to me it >> is still not fixed. > >I think the entire idea that PID 1 is allowed to lower the securelevel >basically defeats the securelevel conception. It should go away. If >you run a machine with raised securelevel, it's not undue to require a >reboot first in order to perform maintenance tasks -- you gotta sit on >the console anyway. This would plug all current and potential >future security holes in this respect once and for all. I agree 100%. A really elegant solution. > >