Date:      Thu, 14 Dec 2000 12:04:59 -0500 (EST)
From:      Darren Henderson <darren@bmv.state.me.us>
To:        freebsd-stable@FreeBSD.ORG
Subject:   securelevel and /etc/rc in 4.2S
Message-ID:  <Pine.A41.4.21.0012141127510.24088-100000@katahdin.bmv.state.me.us>
In-Reply-To: <20001214152635.B16808@wiliam.alcove-int>


I have some (probably misplaced) confusion with the order things are
handled in...

/etc/rc executes /etc/rc.sysctl (which pulls in /etc/sysctl.conf), there is
a comment that says that "we want to set the sysctl variables as soon as we
can" which makes sense.

Quite a bit later, at the end of /etc/rc, we check to see if
kern_securelevel_enable has been enabled and if kern_securelevel -ge 0 then
set it accordingly.

/etc/defaults/rc.conf sets kern_securelevel_enabled to "NO" and
kern_securelevel to -1.

man init tells us that if securelevel is initially non-zero it's left alone
otherwise it is raised to 1 before going multiuser.

As I recall, after an install an /etc/rc.conf is present that sets
kern_securelevel_enabled to "YES" and kern_securelevel to 1.

Now my confusion...

Shouldn't rc.sysctl be using the rc.conf kern_securelevel* settings instead
of waiting to set those at the end of rc? I think I can see where there
might be some conflicts if someone wants to run at 3 (unable to set firewall
rules etc) as the network configuration takes place after rc.sysctl. But
that could be accommodated in rc.sysctl (if 3 wanted then don't set or set to
2) and rc.firewall (if 3 wanted set it after the rules have been read).

Also, wouldn't it make more sense for /etc/defaults/rc.conf to at least set
"YES" and 0?

________________________________________________________________________
Darren Henderson                                  darren@bmv.state.me.us
                                            darren.henderson@state.me.us
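
The ordering described in the message above, as an added shell model that is not part of the original e-mail and is not FreeBSD's own rc code. The function names are hypothetical and the kernel's starting securelevel of -1 is an assumption; the script only computes values and never calls sysctl.

```shell
#!/bin/sh
# Model of the boot-time ordering described in the message above.
# Constructed illustration: it does not touch the running kernel.

# end_of_rc CURRENT ENABLE LEVEL
# The check at the end of /etc/rc: apply the requested level only when
# the enable knob is YES and the requested level is >= 0.
end_of_rc() {
    cur=$1 enable=$2 want=$3
    case "$enable" in
    [Yy][Ee][Ss])
        # A sysctl run from rc cannot lower securelevel, so a request
        # below the current value leaves it unchanged.
        if [ "$want" -ge 0 ] && [ "$want" -gt "$cur" ]; then
            cur=$want
        fi
        ;;
    esac
    echo "$cur"
}

# init_multiuser CURRENT
# init(8) as quoted in the message: a non-zero level is left alone,
# a level of 0 is raised to 1 before going multi-user.
init_multiuser() {
    if [ "$1" -eq 0 ]; then echo 1; else echo "$1"; fi
}

# timeline KERNEL_INITIAL ENABLE LEVEL
# Prints the securelevel in force at each stage of the boot.
timeline() {
    lvl=$1
    early=$lvl    # rc.sysctl and the network/firewall setup run at this level
    lvl=$(end_of_rc "$lvl" "$2" "$3")
    late=$lvl
    final=$(init_multiuser "$lvl")
    echo "during-rc=$early end-of-rc=$late multiuser=$final"
}

# Constructed cases; -1 as the kernel's starting value is an assumption.
timeline -1 NO -1    # the /etc/defaults/rc.conf values from the message
timeline -1 YES 1    # the post-install rc.conf the message recalls
timeline -1 YES 0    # the "YES and 0" default the message suggests
timeline -1 YES 3    # level 3 takes effect only after the firewall rules load
```

Under this model the suggested "YES" and 0 default ends up at securelevel 1 once init goes multi-user, while the shipped NO/-1 default stays at -1 throughout.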


