From: "Alexey V. Neyman"
To: Ruslan Ermilov
Subject: Re: ipfw rules and securelevel
Date: Mon, 14 May 2001 19:35:13 +0400 (MSD)
In-Reply-To: <20010514180928.A52742@sunbay.com>
Sender: owner-freebsd-security@FreeBSD.ORG

Hello there!

On Mon, 14 May 2001, Ruslan Ermilov wrote:

>+ if (req->newptr && securelevel >= 3)
>+ return (EPERM);

Then, maybe it's worth introducing a sysctl tuneable which, once set, will prohibit all userland sysctl writing, and providing an interface for it in /etc/rc.conf, setting it at boot time. This will separate such functionality from kern.securelevel (I may prefer running at a securelevel lower than 3, still having sysctls protected).

As an improvement on the above, it could be good to be able to lock separate branches of the sysctl tree - i.e., setting net.sysctl_readonly to 1 protects the entire net.* branch from writing.

# Alexey
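
Review bot: the `securelevel >= 3` threshold in the quoted `if (req->newptr && securelevel >= 3)` line is a bare constant with no comment. A one-line comment stating that only writes (`req->newptr` set) are refused with EPERM at securelevel 3 and above, plus a matching sentence in the securelevel documentation, would make the new restriction discoverable to an administrator who hits the error.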
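
The per-branch lock proposed in the message above, sketched as a userland C model (an added example, not code from this thread or from FreeBSD; `struct node`, `set_readonly`, `write_value` and the sample tree are hypothetical). It shows a one-way latch on a branch, enforced by walking from the written node up through its ancestors.

```c
#include <errno.h>
#include <stddef.h>

/* Userland model only: one node of a sysctl-like tree (hypothetical type). */
struct node {
    const char  *name;
    struct node *parent;
    int          value;
    int          readonly;   /* models a per-branch "sysctl_readonly" latch */
};

/* Constructed sample tree: net -> net.inet -> net.inet.ip.forwarding, and kern. */
static struct node net  = { "net", NULL, 0, 0 };
static struct node inet = { "net.inet", &net, 0, 0 };
static struct node fwd  = { "net.inet.ip.forwarding", &inet, 0, 0 };
static struct node kern = { "kern", NULL, 0, 0 };

/* A branch is locked if this node or any ancestor has its latch set. */
static int branch_locked(const struct node *n)
{
    for (; n != NULL; n = n->parent)
        if (n->readonly)
            return 1;
    return 0;
}

/* The latch can only be raised, like kern.securelevel; clearing it is refused. */
static int set_readonly(struct node *n, int v)
{
    if (v == 0)
        return n->readonly ? EPERM : 0;
    n->readonly = 1;
    return 0;
}

/* Userland write path: refuse with EPERM anywhere below a locked branch. */
static int write_value(struct node *n, int v)
{
    if (branch_locked(n))
        return EPERM;
    n->value = v;
    return 0;
}

int main(void)
{
    write_value(&fwd, 1);    /* allowed: nothing is locked yet */
    set_readonly(&net, 1);   /* what an rc.conf knob would do at boot */
    return write_value(&fwd, 0) == EPERM ? 0 : 1;
}
```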