From: Eric Thern
Date: Sun, 09 Sep 2001 18:31:27 GMT
Message-ID: <20010909.18312775@mis.configured.host>
Subject: Re: Kernel-loadable Root Kits < securelevel >
To: Simon Nielsen

> > >> Would you care to point out how I could lower the securelevel then
> > >> for legitimate use (i.e. updates or changes to /etc) of the system
> > >> by the administrators?
> > > Reboot.. and if you set the securelevel automatically on boot (e.g.
> > > in rc.conf) you must start in single user mode after the reboot.
> > Yeah I know that this would be a way to do it but it's rather hard to
> > do with colocated servers...
> That's right, but I'm rather sure rebooting is the only way to lower the
> securelevel (anyone please correct me if I'm wrong).
> From init(8):
> The kernel runs with four different levels of security. Any super-user
> process can raise the security level, but no process can lower it.
> [CUT]

Is there any possibility of having console be able to lower the
securelevel without rebooting? In a situation with dedicated or
colocated servers where only one person has console access, it would sure
be a wonderful thing, although I'm fairly certain there is some security
loophole in that whole mess.

-Eric