From owner-freebsd-security  Tue Dec  1 10:13:55 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id KAA26587
          for freebsd-security-outgoing; Tue, 1 Dec 1998 10:13:55 -0800 (PST)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from carp.gbr.epa.gov (carp.gbr.epa.gov [204.46.159.110])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id KAA26580
          for <freebsd-security@freebsd.org>; Tue, 1 Dec 1998 10:13:52 -0800 (PST)
          (envelope-from mjenkins@carp.gbr.epa.gov)
Received: (from mjenkins@localhost)
	by carp.gbr.epa.gov (8.8.8/8.8.8) id MAA09897;
	Tue, 1 Dec 1998 12:13:38 -0600 (CST)
	(envelope-from mjenkins)
Date: Tue, 1 Dec 1998 12:13:38 -0600 (CST)
From: Mike Jenkins <mjenkins@carp.gbr.epa.gov>
Message-Id: <199812011813.MAA09897@carp.gbr.epa.gov>
To: k.stevenson@louisville.edu, opsys@open-systems.net
Subject: Re: chflags sappnd and secure level 3 question...
Cc: freebsd-security@FreeBSD.ORG
In-Reply-To: <Pine.BSF.3.96.981130182802.17477A-100000@pinkfloyd.open-systems.net>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

On Tue, 1 Dec 1998 Keith Stevenson <k.stevenson@louisville.edu> wrote:

> True, sappnd will allow root (or any other user with sufficient permission) to
> _append_ to a file.  Newsyslog, however, doesn't append.  A quick reading of
> the newsyslog source (/usr/src/usr.sbin/newsyslog/newsyslog.c on my system)
> shows that newsyslog actually does a rename(2) on the file as it rotates the
> file.  Since this syscall modifies the file's inode, it is forbidden at high
> securelevels.

Hmm.  I think it has less to do with the security level [see init(8)] and
more to do with having the appnd flag set.  For example:

	% sysctl kern.securelevel
	kern.securelevel: -1
	% touch junk
	% chflags uappnd junk
	% mv junk j2
	mv: rename junk to j2: Operation not permitted
	% touch junk
	touch: junk: Operation not permitted
	% rm junk
	override rw-r--r--  mjenkins/mjenkins uappnd for junk? y
	rm: junk: Operation not permitted
	% chflags nouappnd junk
	% mv junk j2
	% rm j2

On Mon, 30 Nov 1998 "Open Systems Inc." <opsys@open-systems.net> wrote:

> newsyslog: can't start new log: Operation not permitted
>
> I thought sappnd would allow root to append files. Do I have that part
> right?
>
> newsyslog cant rotate the logs. Does the /var/log dir need to be set
> sappnd itself?

Since system immutable and system append-only flags may not be turned
off in secure levels, you'll have to rotate your logs in single-user
mode after turning off the append-only flag as Keith suggests.

Mike

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message