From: Darren Henderson
To: freebsd-stable@FreeBSD.ORG
Date: Thu, 14 Dec 2000 12:04:59 -0500 (EST)
Subject: securelevel and /etc/rc in 4.2S
In-Reply-To: <20001214152635.B16808@wiliam.alcove-int>

I have some (probably misplaced) confusion with the order things are handled in...

/etc/rc executes /etc/rc.sysctl (which pulls in /etc/sysctl.conf), there is a comment that says that we want to set the sysctl variables as soon as we can, which makes sense.

Quite a bit later, at the end of /etc/rc, we check to see if kern_securelevel_enable has been enabled and if kern_securelevel -ge 0 then set it accordingly.

/etc/defaults/rc.conf sets kern_securelevel_enabled to "NO" and kern_securelevel to -1.

man init tells us that if securelevel is initially non-zero it's left alone, otherwise it is raised to 1 before going multiuser.

As I recall, after an install an /etc/rc.conf is present that sets kern_securelevel_enabled to "YES" and kern_securelevel to 1.

Now my confusion... Shouldn't rc.sysctl be using the rc.conf kern_securelevel* settings instead of waiting to set those at the end of rc?

I think I can see where there might be some conflicts if someone wants to run at 3 (unable to set firewall rules etc.) as the network configuration takes place after rc.sysctl. But that could be accommodated in rc.sysctl (if 3 wanted then don't set or set to 2) and rc.firewall (if 3 wanted set it after the rules have been read).

Also, wouldn't it make more sense for /etc/defaults/rc.conf to at least set "YES" and 0?

________________________________________________________________________
Darren Henderson                                  darren@bmv.state.me.us
                                             darren.henderson@state.me.us
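
The ordering proposed in the message above, as an added sketch that is not part of the original post and is not FreeBSD's rc code. The function name `securelevel_for_stage` and the stage names `early` and `post_firewall` are hypothetical, the "hold at 2" branch is one of the two options the message mentions, and the function only prints the level it would set instead of calling sysctl.

```shell
#!/bin/sh
# Added illustration; not taken from /etc/rc, rc.sysctl or rc.firewall.
# Models a two-stage securelevel raise:
#   early         - the point where rc.sysctl runs, before network setup
#   post_firewall - after rc.firewall has loaded its rules
# A requested level of 3 is held at 2 during the early stage so firewall
# rules can still be loaded, then raised to 3 afterwards. Securelevel can
# only be raised on a running system, so the order 2 -> 3 is valid.

# securelevel_for_stage ENABLE LEVEL STAGE
#   ENABLE  rc.conf-style YES/NO switch
#   LEVEL   requested securelevel from rc.conf
#   STAGE   early | post_firewall
# Prints the level to set at this stage, or nothing when no change is due.
securelevel_for_stage() {
    enable=$1
    level=$2
    stage=$3

    # Do nothing unless the feature is switched on.
    case "$enable" in
        [Yy][Ee][Ss]) ;;
        *) return 0 ;;
    esac

    # Reject empty, negative or non-numeric levels (mirrors the "-ge 0" test).
    case "$level" in
        ''|*[!0-9]*) return 0 ;;
    esac

    case "$stage" in
        early)
            if [ "$level" -ge 3 ]; then echo 2; else echo "$level"; fi
            ;;
        post_firewall)
            # Only a deferred level 3 request still needs action here.
            if [ "$level" -ge 3 ]; then echo "$level"; fi
            ;;
    esac
}

# Constructed sample run: rc.conf values YES / 3.
for stage in early post_firewall; do
    echo "$stage: $(securelevel_for_stage YES 3 "$stage")"
done
```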