From owner-freebsd-questions Thu Jan 22 16:47:33 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id QAA07778 for questions-outgoing; Thu, 22 Jan 1998 16:47:33 -0800 (PST) (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from ns1.yes.no (ns1.yes.no [195.119.24.10]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id QAA07769 for ; Thu, 22 Jan 1998 16:47:28 -0800 (PST) (envelope-from eivind@bitbox.follo.net)
Received: from bitbox.follo.net (bitbox.follo.net [194.198.43.36]) by ns1.yes.no (8.8.7/8.8.7) with ESMTP id AAA20675; Fri, 23 Jan 1998 00:47:22 GMT
Received: (from eivind@localhost) by bitbox.follo.net (8.8.6/8.8.6) id BAA09443; Fri, 23 Jan 1998 01:47:22 +0100 (MET)
Message-ID: <19980123014722.46113@follo.net>
Date: Fri, 23 Jan 1998 01:47:22 +0100
From: Eivind Eklund
To: Konrad Heuer
Cc: freebsd-questions@FreeBSD.ORG
Subject: Re: How to Raise Security Level?
References:
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 0.88e
In-Reply-To: ; from Konrad Heuer on Thu, Jan 22, 1998 at 04:22:50PM +0100
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk

On Thu, Jan 22, 1998 at 04:22:50PM +0100, Konrad Heuer wrote:
>
> As far as I know FreeBSD supports the 4.4BSD concept of running
> the system in a definite security level to protect special files
> against modification etc.
>
> `sysctl -a' shows that the system by default runs in level `-1'
> which means `always insecure'.
>
> So how should I increase the security level for example to `1'
> (= secure) in multi-user mode and to `0' in single-user mode?
>
> Can it simply be done with `sysctl' or will this raise some
> difficulties in standard multi-user mode (apart from the fact that the
> kernel might only be replaced and the system log might only be truncated
> in single-user mode)?

Just do a sysctl -w 'kern.securelevel=0' in rc.local, and it should be
fine. The secure level will automatically be raised.
It will *not* be lowered on a switch back to single-user mode; you have to reboot to lower it. This is because there have been several problems with the approach of letting init lower the securelevel.

Eivind.