Date:      Sun, 09 Sep 2001 18:31:27 GMT
From:      Eric Thern <eric@zoidial.com>
To:        Simon Nielsen <simon@nitro.dk>, <freebsd-security@FreeBSD.ORG>
Subject:   Re: Kernel-loadable Root Kits < securelevel >
Message-ID:  <20010909.18312775@mis.configured.host>
In-Reply-To: <Pine.BSF.4.33.0109091629040.380-100000@bofh.bofh>
References:  <Pine.BSF.4.33.0109091629040.380-100000@bofh.bofh>


> > >> Would you care to point out how I could lower the securelevel then
> > >> for legitimate use (i.e. updates or changes to /etc) of the system
> > >> by the administrators?
> > > Reboot.. and if you set the securelevel automatically on boot (e.g.
> > > in rc.conf) you must start in single user mode after the reboot.
> > Yeah I know that this would be a way to do it but it's rather hard to
> > do with colocated servers...
> That's right, but I'm rather sure rebooting is the only way to lower the
> securelevel (anyone please correct me if I'm wrong).
> From init(8):
> The kernel runs with four different levels of security. Any super-user
> process can raise the security level, but no process can lower it.
> [CUT]

Is there any possibility of having console be able to lower the
securelevel without rebooting?  In a situation with dedicated or
colocated servers where only one person has console access, it would sure
be a wonderful thing, although I'm fairly certain there is some security
loophole in that whole mess.


-Eric
