Date: Thu, 7 Sep 2000 15:29:23 -0500
From: "Zach N. Heilig"
To: Paul Herman
Cc: freebsd-current@freebsd.org, Vivek Khera
Subject: Re: call for testers: init securelevel patch
Message-ID: <20000907152923.A57609@murkwood.znh.org>
References: <27A0189D7DCC8869C6B714D2@mail.uffdaonline.net>
In-Reply-To: <27A0189D7DCC8869C6B714D2@mail.uffdaonline.net>; from pherman@frenchfries.net on Thu, Sep 07, 2000 at 06:33:20PM +0200

On Thu, Sep 07, 2000 at 06:33:20PM +0200, Paul Herman wrote:
> Here is a patch which will allow init(8) (or rather, any process with
> PID 1) to lower the securelevel to 0 when going into single-user
> maintenance mode. This has no effect if securelevel is -1.
>
> Feedback welcome -- there may be security implications I'm not aware
> of. If this is well received, I will tack it onto bin/20974 for
> further review and commit into -CURRENT.

This was the behavior a while back. It was removed on purpose (because
an attacker could attach to PID 1 with a debugger and cause it to lower
secure level without going to single user mode).

-- 
Zach Heilig