From owner-freebsd-security Thu Jun 17 9: 7:38 1999
Message-Id: <199906171607.KAA06017@harmony.village.org>
To: "Richard Childers"
Subject: Re: some nice advice....
Cc: security@FreeBSD.ORG
In-reply-to: Your message of "Thu, 17 Jun 1999 05:47:43 PDT." <3768EE6F.EEE2706F@hamquist.com>
References: <3768EE6F.EEE2706F@hamquist.com> <199906162224.QAA02435@harmony.village.org>
Date: Thu, 17 Jun 1999 10:07:41 -0600
From: Warner Losh
Sender: owner-freebsd-security@FreeBSD.ORG

In message <3768EE6F.EEE2706F@hamquist.com> "Richard Childers" writes:
: "My kernel is set schg ..."
: Could you please expand on this ?

	chflags schg /kernel

The system won't even let root change /kernel.  When the secure level is
elevated, even root can't remove the schg bit.  Set it on all files
required to boot, and go to elevated secure level quickly and things will
be impossible to override...

Warner
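
An added example, not part of the message above: a small audit that reads `ls -lo` output and lists files whose flags column lacks `schg`, plus a check that a given `kern.securelevel` value is high enough (1 or more) that root can no longer clear the flag. The function names and the sample listing are constructed for illustration; only `/kernel` comes from the message.

```shell
#!/bin/sh
# Added example: audit boot files for the system-immutable (schg) flag.
# On a FreeBSD host the input would come from, for example:
#   ls -lo /kernel /sbin/init | missing_schg
#   schg_locked "$(sysctl -n kern.securelevel)"

# missing_schg: read `ls -lo` lines on stdin and print the path of every
# entry whose flags column (field 5) does not include "schg".
# Assumes regular files with no whitespace in the name (field 10).
missing_schg() {
    awk '
        NF >= 10 {
            n = split($5, flags, ",")      # flags are comma-separated
            found = 0
            for (i = 1; i <= n; i++)
                if (flags[i] == "schg") found = 1
            if (!found) print $10
        }'
}

# schg_locked LEVEL: succeed only when the securelevel is 1 or higher,
# the point at which immutable flags can no longer be turned off.
schg_locked() {
    [ "$1" -ge 1 ] 2>/dev/null
}

# Constructed sample listing (not taken from a real system). Note that
# uchg is the user-immutable flag and does not count as schg.
sample_listing() {
    cat <<'EOF'
-r-xr-xr-x  1 root  wheel  schg 1872560 Jun 17 09:00 /kernel
-r-x------  1 root  wheel  schg  204800 Jun 17 09:00 /sbin/init
-rw-r--r--  1 root  wheel  -       9876 Jun 17 09:00 /etc/rc
-r-xr-xr-x  1 root  wheel  uchg  143360 Jun 17 09:00 /boot/loader
EOF
}

# Demo on the constructed listing, with a constructed securelevel of 0.
sample_listing | missing_schg | sed 's/^/not schg: /'
if schg_locked 0; then
    echo "securelevel elevated: schg cannot be cleared"
else
    echo "securelevel not elevated: root can still clear schg"
fi
```
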