Date:      Tue, 1 Dec 1998 12:13:38 -0600 (CST)
From:      Mike Jenkins <mjenkins@carp.gbr.epa.gov>
To:        k.stevenson@louisville.edu, opsys@open-systems.net
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: chflags sappnd and secure level 3 question...
Message-ID:  <199812011813.MAA09897@carp.gbr.epa.gov>
In-Reply-To: <Pine.BSF.3.96.981130182802.17477A-100000@pinkfloyd.open-systems.net>

On Tue, 1 Dec 1998 Keith Stevenson <k.stevenson@louisville.edu> wrote:

> True, sappnd will allow root (or any other user with sufficient permission) to
> _append_ to a file.  Newsyslog, however, doesn't append.  A quick reading of
> the newsyslog source (/usr/src/usr.sbin/newsyslog/newsyslog.c on my system)
> shows that newsyslog actually does a rename(2) on the file as it rotates the
> file.  Since this syscall modifies the file's inode, it is forbidden at high
> securelevels.

Hmm.  I think it has less to do with the security level [see init(8)] and
more to do with having the appnd flag set.  For example:

	% sysctl kern.securelevel
	kern.securelevel: -1
	% touch junk
	% chflags uappnd junk
	% mv junk j2
	mv: rename junk to j2: Operation not permitted
	% touch junk
	touch: junk: Operation not permitted
	% rm junk
	override rw-r--r--  mjenkins/mjenkins uappnd for junk? y
	rm: junk: Operation not permitted
	% chflags nouappnd junk
	% mv junk j2
	% rm j2

On Mon, 30 Nov 1998 "Open Systems Inc." <opsys@open-systems.net> wrote:

> newsyslog: can't start new log: Operation not permitted
>
> I thought sappnd would allow root to append files. Do I have that part
> right?
>
> newsyslog can't rotate the logs. Does the /var/log dir need to be set
> sappnd itself?

Since system immutable and system append-only flags may not be turned
off in secure levels, you'll have to rotate your logs in single-user
mode after turning off the append-only flag as Keith suggests.

Mike
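
Added example (not part of the message above and not newsyslog code): a pre-rotation audit that reads `ls -lo` output and reports which log files carry an append-only or immutable flag that blocks rename(2), and whether that flag can still be cleared at a given securelevel. It assumes the FreeBSD `ls -lo` layout with the flags in the fifth column and paths without spaces; the listing and the function names are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample `ls -lo` listing, not output from a real host.
SAMPLE_LISTING='-rw-r--r--  1 root  wheel  sappnd        48211 Dec  1 12:00 /var/log/messages
-rw-------  1 root  wheel  -              1033 Dec  1 11:58 /var/log/cron
-rw-r--r--  1 root  wheel  uappnd,nodump   902 Dec  1 09:14 /var/log/maillog
-rw-r-----  1 root  wheel  schg           7710 Nov 30 23:59 /var/log/security'

# audit_flags SECURELEVEL
# Reads `ls -lo` lines on stdin and prints "<path> <flag> <state>" for every
# flag that makes rename(2) fail, whatever the securelevel is.
audit_flags() {
    awk -v lvl="$1" '
    {
        n = split($5, flags, ",")   # column 5: flags, "-" when none are set
        for (i = 1; i <= n; i++) {
            f = flags[i]
            if (f != "sappnd" && f != "uappnd" && f != "schg" && f != "uchg")
                continue            # e.g. nodump does not block rotation
            # System flags (s*) cannot be turned off once securelevel > 0;
            # user flags (u*) can still be cleared by the owner or root.
            if (substr(f, 1, 1) == "s" && (lvl + 0) > 0)
                state = "locked"
            else
                state = "clearable"
            print $NF, f, state
        }
    }'
}

# count_locked SECURELEVEL
# Number of files that can only be rotated after dropping to single-user mode.
count_locked() {
    audit_flags "$1" | awk '$3 == "locked" { print $1 }' | sort -u | wc -l | tr -d ' '
}

# Report for the sample listing at securelevel 3.
printf '%s\n' "$SAMPLE_LISTING" | audit_flags 3
```

On a live system the input would come from `ls -lo` on the log files and the level from `sysctl -n kern.securelevel`.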
