From owner-freebsd-hackers Wed Aug 7 12:56:10 1996
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id MAA03624 for hackers-outgoing; Wed, 7 Aug 1996 12:56:10 -0700 (PDT)
Received: from tracer.tracertech.com (tracer.tracertech.com [205.147.164.65]) by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id MAA03533 for ; Wed, 7 Aug 1996 12:55:57 -0700 (PDT)
Received: from lex.tracertech.com (lex.tracertech.com [205.147.164.70]) by tracer.tracertech.com (8.6.12/8.6.12) with ESMTP id PAA11753; Wed, 7 Aug 1996 15:55:33 -0400
Received: from localhost (localhost [127.0.0.1]) by lex.tracertech.com (8.6.12/8.6.12) with SMTP id PAA01494; Wed, 7 Aug 1996 15:55:31 -0400
Message-Id: <199608071955.PAA01494@lex.tracertech.com>
X-Authentication-Warning: lex.tracertech.com: Host localhost didn't use HELO protocol
To: Michael Hancock
cc: FreeBSD Hackers
Subject: Re: kern_mib.c:int securelevel = -1;
Date: Wed, 07 Aug 1996 15:55:29 -0400
From: James da Silva
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

> It looks like the assignment of securelevel was put into kern_mib.c from
> kern_sysctl.c.  This is ok I guess, but I'd like to have an option
> INSECURE that we can turn off...
>
> #ifdef INSECURE
> int securelevel = -1;
> #else
> int securelevel;
> #endif
>
> Here's a comment from ...

By the way, the comment is wrong on one important point: the disposition
of this variable in bss vs data will be irrelevant to a cracker.  If the
kernel is not immutable, the variable can be patched either way.

I still haven't heard of someone actually investigating and documenting
all the things necessary to make securelevel real, as opposed to just
giving people a false sense of extra security.  E.g., for starters you'd
have to make every file that is touched in single-user mode immutable,
and delay starting up all your net daemons until securelevel goes past 0.
I'm not sure if that's all.
Jaime
...............................................................................
: jds@tracertech.com / Tracer Technologies, Inc.        \ Stand on my shoulders, :
: James da Silva     / Mass Storage Software Solutions   \ not on my toes.       :
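The two conditions named in the message above (single-user files carrying the immutable flag, and net daemons held back until securelevel is above 0) can be turned into a small audit script. The following is an added example, not part of the original thread or of FreeBSD itself. It assumes FreeBSD's `ls -lo` layout, where the file-flags column follows the group and reads `-` when no flags are set, and `sysctl -n kern.securelevel` for the current level; the file list and the `ls -lo` sample are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): audit helper for the two
# securelevel prerequisites discussed in the thread.

# Hypothetical list of files assumed to be touched during single-user boot.
# A real audit would derive this from the system's own rc scripts.
SINGLE_USER_FILES="/kernel /sbin/init /sbin/sh /etc/rc /etc/rc.conf"

# Constructed sample of `ls -lo` output (FreeBSD prints file flags in the
# fifth column; "-" means no flags). On a live system replace this with
# the output of: ls -lo $SINGLE_USER_FILES
SAMPLE_LS_LO='-r-xr-xr-x  1 root  wheel  schg  1234567 Aug  7  1996 /kernel
-r-xr-xr-x  1 root  wheel  schg   123456 Aug  7  1996 /sbin/init
-r-xr-xr-x  1 root  wheel  -       98765 Aug  7  1996 /sbin/sh
-rw-r--r--  1 root  wheel  schg     4321 Aug  7  1996 /etc/rc
-rw-r--r--  1 root  wheel  -        1234 Aug  7  1996 /etc/rc.conf'

# Print the path of every listed file whose flags column lacks schg
# (system immutable). Those are the files a patched single-user boot
# could still alter; fix with: chflags schg <file>
# Usage: files_missing_schg "<ls -lo output>"
files_missing_schg() {
    printf '%s\n' "$1" | awk '$5 !~ /schg/ { print $NF }'
}

# Succeed (exit 0) only when securelevel is above 0, i.e. the point at
# which the message says net daemons may be started.
# Usage: net_daemons_allowed "$(sysctl -n kern.securelevel)"
net_daemons_allowed() {
    [ "$1" -gt 0 ]
}

# Stand-alone run against the constructed sample and a sample level of 0.
main() {
    echo "single-user files without schg:"
    files_missing_schg "$SAMPLE_LS_LO"
    if net_daemons_allowed 0; then
        echo "securelevel > 0: net daemons may start"
    else
        echo "securelevel <= 0: hold net daemons"
    fi
}
main
```

On a live FreeBSD host the same two functions would be fed `ls -lo` over the real file list and `sysctl -n kern.securelevel`; an rc script that starts network services would call `net_daemons_allowed` first and bail out when it fails.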