From owner-freebsd-bugs@FreeBSD.ORG Mon May 19 19:20:11 2003 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 42BC937B401 for ; Mon, 19 May 2003 19:20:11 -0700 (PDT) Received: from freefall.freebsd.org (freefall.freebsd.org [216.136.204.21]) by mx1.FreeBSD.org (Postfix) with ESMTP id 33FF343FAF for ; Mon, 19 May 2003 19:20:10 -0700 (PDT) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (gnats@localhost [127.0.0.1]) by freefall.freebsd.org (8.12.9/8.12.9) with ESMTP id h4K2KAUp016746 for ; Mon, 19 May 2003 19:20:10 -0700 (PDT) (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.12.9/8.12.9/Submit) id h4K2KAZQ016745; Mon, 19 May 2003 19:20:10 -0700 (PDT) Resent-Date: Mon, 19 May 2003 19:20:10 -0700 (PDT) Resent-Message-Id: <200305200220.h4K2KAZQ016745@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Joshua Oreman Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 009C437B401 for ; Mon, 19 May 2003 19:15:36 -0700 (PDT) Received: from adsl-64-161-78-226.dsl.lsan03.pacbell.net (adsl-64-161-78-226.dsl.lsan03.pacbell.net [64.161.78.226]) by mx1.FreeBSD.org (Postfix) with SMTP id 5053D43F3F for ; Mon, 19 May 2003 19:15:35 -0700 (PDT) (envelope-from oremanj@adsl-64-161-78-226.dsl.lsan03.pacbell.net) Received: (qmail 65683 invoked by uid 1001); 20 May 2003 02:16:37 -0000 Message-Id: <20030520021637.65682.qmail@adsl-64-161-78-226.dsl.lsan03.pacbell.net> Date: 20 May 2003 02:16:37 -0000 From: Joshua Oreman To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Subject: kern/52454: [PATCH] let init change securelevel to -1 for single-user mode X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list Reply-To: Joshua Oreman List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 20 May 2003 02:20:11 -0000 >Number: 52454 >Category: kern >Synopsis: [PATCH] let init change securelevel to -1 for single-user mode >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: change-request >Submitter-Id: current-users >Arrival-Date: Mon May 19 19:20:09 PDT 2003 >Closed-Date: >Last-Modified: >Originator: Joshua Oreman >Release: FreeBSD 5.0-CURRENT i386 >Organization: home >Environment: System: FreeBSD webserver.get-linux.org 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Wed May 7 17:32:53 PDT 2003 root@webserver.get-linux.org:/usr/obj/usr/src/sys/GENERIC i386 >Description: Under OpenBSD, when `init' goes to single-user mode, it, and it alone, can change the securelevel back down to -1. To see why this would be useful, consider a firewall. It might normally run at securelevel 3 to prevent tampering with firewall rules. However, suppose a rule change was needed. Without this functionality, the firewall would have to restart, disrupting service. With it, the firewall could simply drop to single-user, keeping connections, and change the rule. The patch adds that functionality to FreeBSD. >How-To-Repeat: [not applicable] >Fix: Apply this patch to src/sys/kern/kern_mib.c: --[snip]-- --- kern_mib.c.orig Mon May 19 18:47:47 2003 +++ kern_mib.c Mon May 19 18:54:36 2003 @@ -273,7 +273,8 @@ } else { mtx_lock(&securelevel_mtx); if (!regression_securelevel_nonmonotonic && - (level < securelevel)) { + (level < securelevel) && + (req->td->td_proc->p_pid != 1)) { mtx_unlock(&securelevel_mtx); return (EPERM); } --[snip]-- and apply this patch to src/sbin/init/init.c: --[snip]-- --- init.c.orig Mon May 19 18:54:56 2003 +++ init.c Mon May 19 19:09:38 2003 @@ -619,6 +619,25 @@ endpwent(); #endif /* SECURE */ + if (getsecuritylevel() > 0) { + /* + * It's safe to set newsecuritylevel to -1 here because, + * even if securelevel was not originally -1, it will + * be reset on return to multi-user. + */ + int mib[2], newsecuritylevel = -1; + syslog (LOG_INFO, "changing security level from %i to %i " + "for single-user mode", getsecuritylevel(), -1); + + mib[0] = CTL_KERN; + mib[1] = KERN_SECURELVL; + if (sysctl (mib, 2, NULL, NULL, &newsecuritylevel, + sizeof newsecuritylevel) == -1) { + warning ("unable to set securelevel; operations " + "will continue at level %i", getsecuritylevel()); + } + } + #ifdef DEBUGSHELL { char *cp = altshell; --[snip]-- Recompile init and the kernel, reboot, and the securelevel will go down for single-user mode. This is not a security hole because only `init' (pid 1) has the authority to do this. >Release-Note: >Audit-Trail: >Unformatted: