Date: Thu, 10 Dec 1998 10:59:34 -0500 (EST) From: Robert Watson <robert@cyrus.watson.org> To: "Jordan K. Hubbard" <jkh@zippy.cdrom.com> Cc: Jay Tribick <netadmin@fastnet.co.uk>, Mark Newton <newton@camtech.com.au>, FREEBSD-SECURITY@FreeBSD.ORG Subject: Re: append-only devices for logging Message-ID: <Pine.BSF.3.96.981210105622.18096A-100000@fledge.watson.org> In-Reply-To: <30042.913284025@zippy.cdrom.com>
next in thread | previous in thread | raw e-mail | index | archive | help
One also, of course, needs to make sure that all the CAM SCSI devices (pass-through, etc) obey securelevel semantics, etc. I would guess that at least some hardware drivers on the system might allow the circumventing of the higher securelevel prohibition on writing directly to disk devices, or all manipulation of the device such that it allows access to portions of memory that it should not. For example, it may be that some bus mastering devices can be pursuaded to do things on the bus that they should not, or incorrectly treat memory as mapped into their address space, etc. I assume that direct io port access is restricted in high securelevels? In the normal case, only root can do these things, so it is assumed to be ok, but in securelevels, root is suddenly a restricted user also. On Thu, 10 Dec 1998, Jordan K. Hubbard wrote: > > True but if they have root then they can quite easily alter /etc/rc.local > > Anyone setting their securelevel to 2 and *meaning* it will have also > chflag'd many of the files in / (including this one) to be effectively > read-only. There's no point in locking all your doors and leaving a > window open, after all, and anyone clueful enough to run at such a > high secure level should also be clueful enough to know where all the > obvious doors and windows (like this one) are. :-) > > - Jordan > > To Unsubscribe: send mail to majordomo@FreeBSD.org > with "unsubscribe freebsd-security" in the body of the message > Robert N Watson robert@fledge.watson.org http://www.watson.org/~robert/ PGP key fingerprint: 03 01 DD 8E 15 67 48 73 25 6D 10 FC EC 68 C1 1C Carnegie Mellon University http://www.cmu.edu/ TIS Labs at Network Associates, Inc. http://www.tis.com/ SafePort Network Services http://www.safeport.com/ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.96.981210105622.18096A-100000>