From: "Garrett Cooper"
To: "Ivaylo Mateev"
Cc: hackers@freebsd.org
Date: Sat, 28 Jun 2008 20:06:17 -0700
Subject: Re: Securelevels
Message-ID: <7d6fde3d0806282006i215be603m5ec90709c2921037@mail.gmail.com>
In-Reply-To: <200806290313.21720.mateev@cns-consulting.org>

On Sat, Jun 28, 2008 at 6:13 PM, Ivaylo Mateev wrote:
> Hi,
>
> I think I found a bug.
>
> [strato@darkstar /usr/home/strato]$ sudo sysctl kern.securelevel
> kern.securelevel: 2
> [strato@darkstar /usr/home/strato]$ kgdb
> kgdb: /dev/mem: Permission denied
> [strato@darkstar /usr/home/strato]$ sudo kgdb
> [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so:
> Undefined symbol "ps_pglobal_lookup"]
> GNU gdb 6.1.1 [FreeBSD]
>
> I am running in securelevel 2. That means nothing can have direct access
> to /dev/mem, according to man security:
>
>     1     Secure mode - the system immutable and system append-only flags may
>           not be turned off; disks for mounted file systems, /dev/mem and
>           /dev/kmem may not be opened for writing; /dev/io (if your platform
>           has it) may not be opened at all; kernel modules (see kld(4)) may
>           not be loaded or unloaded.
>
>     2     Highly secure mode - same as secure mode, plus disks may not be
>           opened for writing (except by mount(2)) whether mounted or not.
>           This level precludes tampering with file systems by unmounting
>           them, but also inhibits running newfs(8) while the system is multi-
>           user.
>
> So is this a bug or am I just too stupid?

Same thing with su? In some situations sudo doesn't operate under 100%
root-credentials.

-Garrett
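The security(7) text quoted above restricts opening /dev/mem for writing, so a check of the running system should probe read-only and read-write opens separately. The script below is an added example, not part of the original thread; the function names are hypothetical, it assumes FreeBSD's `sysctl -n kern.securelevel`, and the handling of levels -1 and 0 comes from security(7) rather than from the quoted excerpt.

```shell
#!/bin/sh
# Added example: audit how the securelevel treats opens of a memory device.
# Nothing is read from or written to the device; it is only opened and closed.

# probe_open PATH MODE -> prints "allowed" or "denied"; MODE is r or rw.
probe_open() {
    case $2 in
        r)  ( exec 3<"$1" ) 2>/dev/null ;;    # O_RDONLY
        rw) ( exec 3<>"$1" ) 2>/dev/null ;;   # O_RDWR
        *)  echo "usage: probe_open PATH r|rw" >&2; return 2 ;;
    esac && echo allowed || echo denied
}

# expected_rw LEVEL -> what security(7) implies for a write open of /dev/mem.
expected_rw() {
    case $1 in
        ''|*[!0-9-]*) echo unknown ;;           # sysctl missing or not numeric
        -*|0)         echo permissions-only ;;  # insecure modes: no extra limit
        *)            echo denied ;;            # level 1 and above (quoted text)
    esac
}

# securelevel_report [DEVICE] -> prints the level and both probe results.
securelevel_report() {
    dev=${1:-/dev/mem}
    level=$(sysctl -n kern.securelevel 2>/dev/null) || level=unknown
    want=$(expected_rw "$level")
    got=$(probe_open "$dev" rw)
    echo "kern.securelevel=$level"
    echo "$dev read-only:  $(probe_open "$dev" r)"
    echo "$dev read-write: $got (expected: $want)"
    # Flag the one case the quoted text rules out.
    if [ "$want" = denied ] && [ "$got" = allowed ]; then
        echo "WARNING: write open succeeded at securelevel $level"
        return 1
    fi
    return 0
}

# Run the report only when a device path is given, e.g.: sh check.sh /dev/mem
[ $# -eq 0 ] || securelevel_report "$1"
```

Run it once as an unprivileged user and once as root: file permissions decide the read-only result, while the read-write result at level 1 or above should be "denied" for both.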