Date: Sun, 9 Sep 2001 21:58:29 +0300
From: Peter Pentchev
To: Eric Thern
Cc: Simon Nielsen, freebsd-security@FreeBSD.ORG
Subject: Re: Kernel-loadable Root Kits < securelevel >
Message-ID: <20010909215829.A733@ringworld.oblivion.bg>

On Sun, Sep 09, 2001 at 06:31:27PM +0000, Eric Thern wrote:
>
> > > >> Would you care to point out how I could lower the securelevel then
> > > >> for legitimate use (i.e. updates or changes to /etc) of the system
> > > >> by the administrators?
> > > > Reboot.. and if you set the securelevel automatically on boot (e.g.
> > > > in rc.conf) you must start in single user mode after the reboot.
> > > Yeah I know that this would be a way to do it but it's rather hard to
> > > do with colocated servers...
> > That's right, but I'm rather sure rebooting is the only way to lower the
> > securelevel (anyone please correct me if I'm wrong).
> > From init(8):
> > The kernel runs with four different levels of security. Any super-user
> > process can raise the security level, but no process can lower it.
> > [CUT]
>
> Is there any possibility of having console be able to lower the
> securelevel without rebooting? In a situation with dedicated or
> colocated servers where only one person has console access, it would sure
> be a wonderful thing, although I'm fairly certain there is some security
> loophole in that whole mess.

If ddb support is compiled into the kernel, then it could be as easy
as hitting Ctrl-PrtScr and using ddb to modify the value of the kernel
variable named 'securelevel'.

G'luck,
Peter

-- 
The rest of this sentence is written in Thailand, on
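
Added example, not part of the original message: a shell check for the condition the reply describes, a raised securelevel on a kernel that still offers ddb at the console. It parses text in `sysctl` output format; the function name, the constructed sample inputs and the use of the debug.kdb.available sysctl (as found on current FreeBSD releases) are assumptions of this example.

```shell
#!/bin/sh
# Added example: does this host's securelevel still hold against console access?
# Feed it "name: value" lines, e.g. on the host itself:
#   sysctl kern.securelevel debug.kdb.available | audit_securelevel
# Returns 0 (ok), 1 (finding) or 2 (no usable data); prints one verdict line.

audit_securelevel() {
    level=""
    backends=""
    while IFS= read -r line; do
        case "$line" in
            kern.securelevel:*)    level=${line#*: } ;;
            debug.kdb.available:*) backends=${line#*: } ;;
        esac
    done

    # Reject missing or non-numeric values before the numeric comparison.
    case "$level" in
        ''|*[!0-9-]*)
            echo "UNKNOWN: no numeric kern.securelevel in input"
            return 2 ;;
    esac

    if [ "$level" -le 0 ]; then
        echo "FINDING: securelevel is $level (insecure mode)"
        return 1
    fi

    # A raised securelevel is only as strong as the console if ddb is built in.
    case " $backends " in
        *" ddb "*)
            echo "FINDING: securelevel $level, but ddb is available at the console"
            return 1 ;;
    esac

    echo "OK: securelevel $level, no ddb backend reported"
    return 0
}

# Constructed sample inputs (not captured from a real host).
sample_ddb='kern.securelevel: 2
debug.kdb.available: ddb gdb'
sample_clean='kern.securelevel: 2
debug.kdb.available: '

printf '%s\n' "$sample_ddb" | audit_securelevel || true
```

A finding on the ddb check means physical and serial console access to the machine has to be controlled as tightly as root access.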