From owner-freebsd-hackers Wed Aug 7 13:45:32 1996 Return-Path: owner-hackers Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id NAA07143 for hackers-outgoing; Wed, 7 Aug 1996 13:45:32 -0700 (PDT) Received: from mexico.brainstorm.eu.org (root@mexico.brainstorm.eu.org [193.56.58.253]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id NAA07105 for ; Wed, 7 Aug 1996 13:45:28 -0700 (PDT) Received: from brasil.brainstorm.eu.org (brasil.brainstorm.eu.org [193.56.58.33]) by mexico.brainstorm.eu.org (8.7.5/8.7.3) with ESMTP id WAA30615 for ; Wed, 7 Aug 1996 22:45:22 +0200 Received: (from uucp@localhost) by brasil.brainstorm.eu.org (8.6.12/8.6.12) with UUCP id WAA16958 for freebsd-hackers@freebsd.org; Wed, 7 Aug 1996 22:45:01 +0200 Received: (from roberto@localhost) by keltia.freenix.fr (8.8.Alpha.7/keltia-uucp-2.9) id VAA21484; Wed, 7 Aug 1996 21:44:11 +0200 (MET DST) Message-Id: <199608071944.VAA21484@keltia.freenix.fr> Date: Wed, 7 Aug 1996 21:44:11 +0200 From: roberto@keltia.freenix.fr (Ollivier Robert) To: freebsd-hackers@freebsd.org Subject: Re: Q:Meanings of kern.securelevel values In-Reply-To: <130FC92520A@netadmin.lp.lviv.ua>; from Adrian Pavlykevych on Aug 6, 1996 14:02:03 +0200 References: <130FC92520A@netadmin.lp.lviv.ua> X-Mailer: Mutt 0.38 Mime-Version: 1.0 Sender: owner-hackers@freebsd.org X-Loop: FreeBSD.org Precedence: bulk According to Adrian Pavlykevych: > Can someone from kernel whizards list valid values for > kern.securelevel, with their possible applications and implications? Extract from init(8): process can raise the security level, but only init can lower it. Secu- rity levels are defined as follows: -1 Permanently insecure mode - always run system in level 0 mode. 0 Insecure mode - immutable and append-only flags may be turned off. All devices may be read or written subject to their permissions. 1 Secure mode - immutable and append-only flags may not be changed; disks for mounted filesystems, /dev/mem, and /dev/kmem are read- only. 2 Highly secure mode - same as secure mode, plus disks are always read-only whether mounted or not. This level precludes tampering with filesystems by unmounting them, but also inhibits running newfs(8) while the system is multi-user. Normally, the system runs in level 0 mode while single user and in level 1 mode while multiuser. If the level 2 mode is desired while running multiuser, it can be set in the startup script /etc/rc using sysctl(8). If it is desired to run the system in level 0 mode while multiuser, the administrator must build a kernel with the variable securelevel defined in the file /sys/compile/MACHINE/param.c and initialize it to -1. > installation (firewall, router) and what steps in OS configuration are > necessary to use it (changing file permitions, immutable flags etc.). -- Ollivier ROBERT -=- The daemon is FREE! -=- roberto@keltia.freenix.fr FreeBSD keltia.freenix.fr 2.2-CURRENT #17: Fri Aug 2 20:40:17 MET DST 1996