From owner-freebsd-current  Mon Dec 28 15:46:36 1998
Return-Path: <owner-freebsd-current@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id PAA13576
          for freebsd-current-outgoing; Mon, 28 Dec 1998 15:46:36 -0800 (PST)
          (envelope-from owner-freebsd-current@FreeBSD.ORG)
Received: from sax.sax.de (sax.sax.de [193.175.26.33])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id PAA13556
          for <freebsd-current@freebsd.org>; Mon, 28 Dec 1998 15:46:33 -0800 (PST)
          (envelope-from j@uriah.heep.sax.de)
Received: (from uucp@localhost)
	by sax.sax.de (8.8.8/8.8.8) with UUCP id AAA07249;
	Tue, 29 Dec 1998 00:45:46 +0100 (CET)
	(envelope-from j@uriah.heep.sax.de)
Received: (from j@localhost)
	by uriah.heep.sax.de (8.9.1/8.9.1) id AAA24203;
	Tue, 29 Dec 1998 00:33:15 +0100 (MET)
	(envelope-from j)
Date: Tue, 29 Dec 1998 00:33:15 +0100 (MET)
Message-Id: <199812282333.AAA24203@uriah.heep.sax.de>
Mime-Version: 1.0
X-Newsreader: knews 0.9.8
Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
Organization: Private BSD site, Dresden
X-Phone: +49-351-2012 669
X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F  93 21 E0 7D F9 12 D6 4E
References: <Pine.BSF.4.05.9812281327550.93799-100000@seerajeane.ia.cp>
From: j@uriah.heep.sax.de (J Wunsch)
Subject: Re: Setting securelevel
X-Original-Newsgroups: local.freebsd.current
To: freebsd-current@FreeBSD.ORG
cc: "Eugene M. Kim" <astralblue@usa.net>
Content-Type: text/plain; charset=us-ascii
Sender: owner-freebsd-current@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

"Eugene M. Kim" <astralblue@usa.net> wrote:

> This, in consequence, prohibits the kernel from returning to the
> insecure mode even in the single-user mode.

Intentionally.  There was at least one CERT advisory by that time that
turned out to abuse this security hole (something like abusing a
buffer overflow in init(8) in a way so securelevel could be lowered
while the system is running -- something that should _never_ happen).
We finally decided that a securelevel is simply and only secure if it
cannot be lowered again.  If i'm not totally mistaken, i've been the
one who did the deed...  yep:

revision 1.9
date: 1997/06/25 07:31:47;  author: joerg;  state: Exp;  lines: +2 -2
Don't ever allow lowering the securelevel at all.  Allowing it does
nothing good except of opening a can of (potential or real) security
holes.  People maintaining a machine with higher security requirements
need to be on the console anyway, so there's no point in not forcing
them to reboot before starting maintenance.

Agreed by:      hackers, guido


So it doesn't always require a Dane to do a bloody deed. ;-)

Well, the only thing you lose by this change is your uptime record.
You trade it for security.  In case you are ready to go down to
single-user, you already need access to the console anyway, so you can
reboot first as well.

-- 
cheers, J"org

joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message