From: Bruce Evans
Date: Fri, 8 Sep 2000 08:57:30 +1100 (EST)
To: "Zach N. Heilig"
Cc: Paul Herman, freebsd-current@FreeBSD.ORG, Vivek Khera
Subject: Re: call for testers: init securelevel patch
In-Reply-To: <20000907152923.A57609@murkwood.znh.org>

On Thu, 7 Sep 2000, Zach N. Heilig wrote:

> On Thu, Sep 07, 2000 at 06:33:20PM +0200, Paul Herman wrote:
> > Here is a patch which will allow init(8) (or rather, any process with
> > PID 1) to lower the securelevel to 0 when going into single-user
> > maintenance mode. This has no effect if securelevel is -1.
> >
> > Feedback welcome -- there may be security implications I'm not aware
> > of. If this is well received, I will tack it onto bin/20974 for
> > further review and commit into -CURRENT.
>
> This was the behavior a while back. It was removed on purpose. (because
> an attacker could attach to PID 1 with a debugger and cause it to lower
> secure level without going to single user mode.)

RCS file: /home/ncvs/src/sys/kern/kern_mib.c,v
Working file: kern_mib.c
head: 1.37
...
----------------------------
revision 1.9
date: 1997/06/25 07:31:47; author: joerg; state: Exp; lines: +2 -2
Don't ever allow lowering the securelevel at all. Allowing it does
nothing good except of opening a can of (potential or real) security holes.
People maintaining a machine with higher security requirements need to
be on the console anyway, so there's no point in not forcing them to
reboot before starting maintenance.

Agreed by: hackers, guido
----------------------------

Index: kern_mib.c =================================================================== RCS file: /home/ncvs/src/sys/kern/kern_mib.c,v retrieving revision 1.8 retrieving revision 1.9 diff -c -2 -r1.8 -r1.9 *** kern_mib.c 1997/03/04 18:31:54 1.8 --- kern_mib.c 1997/06/25 07:31:47 1.9 *************** *** 38,42 **** * * @(#)kern_sysctl.c 8.4 (Berkeley) 4/14/94 ! * $Id: kern_mib.c,v 1.7 1997/03/03 12:58:19 bde Exp $ */ --- 38,42 ---- * * @(#)kern_sysctl.c 8.4 (Berkeley) 4/14/94 ! * $Id: kern_mib.c,v 1.8 1997/03/04 18:31:54 bde Exp $ */ *************** *** 124,128 **** if (error || !req->newptr) return (error); ! if (level < securelevel) return (EPERM); securelevel = level;

Bruce
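
Review bot: The test at 124,128, "if (level < securelevel) return (EPERM);", has no comment recording that the "req->p->p_pid != 1" exemption was dropped on purpose, so the rationale exists only in the revision 1.9 log and the exemption is easy to reintroduce later. Add a short comment above the test saying that lowering is refused for every caller, PID 1 included, and that a reboot is the only way down. The 38,42 hunk only changes the expanded $Id$ line and needs nothing further.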