Date: Sun, 9 Sep 2001 21:58:29 +0300
From: Peter Pentchev <roam@ringlet.net>
To: Eric Thern <eric@zoidial.com>
Cc: Simon Nielsen <simon@nitro.dk>, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits < securelevel >
Message-ID: <20010909215829.A733@ringworld.oblivion.bg>
In-Reply-To: <20010909.18312775@mis.configured.host>; from eric@zoidial.com on Sun, Sep 09, 2001 at 06:31:27PM +0000
References: <Pine.BSF.4.33.0109091629040.380-100000@bofh.bofh> <20010909.18312775@mis.configured.host>

On Sun, Sep 09, 2001 at 06:31:27PM +0000, Eric Thern wrote:
>
> > > >> Would you care to point out how I could lower the securelevel then
> > > >> for legitimate use (i.e. updates or changes to /etc) of the system
> > > >> by the administrators?
> > > > Reboot.. and if you set the securelevel automatically on boot (e.g.
> > > > in rc.conf) you must start in single user mode after the reboot.
> > > Yeah I know that this would be a way to do it but it's rather hard to
> > > do with colocated servers...
> > That's right, but I'm rather sure rebooting is the only way to lower the
> > securelevel (anyone please correct me if I'm wrong).
> > From init(8) :
> > The kernel runs with four different levels of security. Any super-user
> > process can raise the security level, but no process can lower it.
> > [CUT]
>
> Is there any possibility of having console be able to lower the
> securelevel without rebooting? In a situation with dedicated or
> colocated servers where only one person has console access, it would sure
> be a wonderful thing, although I'm fairly certain there is some security
> loophole in that whole mess.

If ddb support is compiled into the kernel, then it could be as easy
as hitting Ctrl-PrtScr and using ddb to modify the value of the kernel
variable named 'securelevel'.

G'luck,
Peter

-- 
The rest of this sentence is written in Thailand, on
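
The ddb caveat in the reply above can be audited on a running host. The following is an added example, not part of the original message: a sh function that flags a raised securelevel on a kernel that also has ddb available. The function name, messages and return codes are hypothetical, and the `debug.kdb.available` sysctl is assumed from current FreeBSD releases rather than the 2001-era system discussed in the thread.

```shell
#!/bin/sh
# Added example: does a raised securelevel coexist with an in-kernel debugger?
# Assumptions: kern.securelevel and debug.kdb.available as found on current
# FreeBSD; assess_securelevel is a hypothetical helper, not a system tool.

# assess_securelevel LEVEL KDB_BACKENDS
#   LEVEL         value of kern.securelevel (-1, 0, 1, 2 or 3)
#   KDB_BACKENDS  space-separated debugger backends, e.g. "ddb gdb"
# Returns 0 = ok, 1 = raised securelevel but ddb present,
#         2 = securelevel not raised, 3 = bad input.
assess_securelevel() {
    level=$1
    backends=$2
    case "$level" in
        -1|[0-9]|[0-9][0-9]) ;;
        *) echo "ERROR: securelevel '$level' is not a number"; return 3 ;;
    esac
    if [ "$level" -lt 1 ]; then
        echo "NOTICE: securelevel=$level is not raised, nothing to protect"
        return 2
    fi
    case " $backends " in
        *" ddb "*)
            # Matches the thread: with ddb in the kernel, console access
            # can change kernel variables, securelevel included.
            echo "WARN: securelevel=$level but ddb is compiled in;" \
                 "treat console access as able to undo it"
            return 1 ;;
    esac
    echo "OK: securelevel=$level and no ddb backend in this kernel"
    return 0
}

# Live check: only runs where sysctl knows kern.securelevel (a FreeBSD host).
if level=$(sysctl -n kern.securelevel 2>/dev/null); then
    backends=$(sysctl -n debug.kdb.available 2>/dev/null || true)
    assess_securelevel "$level" "$backends" || true
fi
```

On hosts that rely on securelevel, a WARN result means the console has to be protected as strictly as a reboot into single-user mode.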