From owner-freebsd-i386@FreeBSD.ORG Mon Jul 10 13:24:45 2006
Message-ID: <7403d2a30607100624h9d33c5bsfe647d08cc4b6f99@mail.gmail.com>
Date: Mon, 10 Jul 2006 16:24:43 +0300
From: "Alexander Mogilny"
Sender: amogilny@gmail.com
To: steve
Cc: freebsd-i386@freebsd.org
References: <20060709183758.55907.qmail@web42208.mail.yahoo.com> <7403d2a30607100022s433489d1pce3260c383a73a5f@mail.gmail.com>
Subject: Re: kernel secure level??
List-Id: I386-specific issues for FreeBSD

On 7/10/06, steve wrote:
> Hi all,
>
> I found this very interesting. In FreeBSD, can you just
> # sysctl kern.securelevel=-1
> at the command line and step down securelevel in FreeBSD without rebooting?

I have just read more documentation on sysctl values and found that the kern.securelevel value is only available for increment. So it is impossible to decrease it after setting it to 2. The only way to do this is to change the FreeBSD sources; this is an evil hack, but still possible. :)

In my opinion, setting the securelevel value to 2 means that this machine should be forgotten forever, untouchable, and perform some core functionality. Such machines should be some kind of routers which are never rebooted and always online.

My point here is that you should deeply analyze the structure of your network and create more structured server functionality so that you perform ipfilter configuration changes on some other machine with a normal security level, or if this is improper for you, perform some local source modifications and implement patches making these sysctl values available for changing.

--
AIM-UANIC                   +-----[ FreeBSD ]-----+
Alexander Mogilny           | The Power to Serve! |
<> sg@portaone.com          +---------------------+
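A small shell helper, added here and not part of the original thread, that models the kern.securelevel write rule the reply describes (the level can only go up at runtime) and wraps sysctl(8) with a pre-check so an operator sees the reason rather than a bare "Operation not permitted". The -1..3 range and the init (pid 1) exception for lowering are my assumptions about the kernel's sysctl handler, not something the thread states; verify them against sys/kern/kern_mib.c for your release.

```shell
#!/bin/sh
# Added example: model the FreeBSD kern.securelevel write rule and gate
# sysctl(8) behind it. Rule as assumed here (check kern_mib.c on your release):
#   - valid levels are -1, 0, 1, 2, 3
#   - root may raise the level (or write the same value) at any time
#   - a lower level is only accepted from init (pid 1), which is why the
#     normal way down is a reboot into single-user mode, not a sysctl write.

# securelevel_change_allowed CURRENT NEW CALLER_PID
# Prints the reason and returns 0 if the kernel would accept the write.
securelevel_change_allowed() {
    cur=$1; new=$2; pid=$3
    case $new in
        -1|0|1|2|3) ;;
        *) echo "invalid securelevel '$new' (expected -1..3)"; return 1 ;;
    esac
    if [ "$new" -ge "$cur" ]; then
        echo "ok: $cur -> $new (raising or unchanged)"
        return 0
    fi
    if [ "$pid" -eq 1 ]; then
        echo "ok: $cur -> $new (lowering permitted for init, pid 1)"
        return 0
    fi
    echo "denied: $cur -> $new; only init may lower securelevel," \
         "reboot to single-user mode instead"
    return 1
}

# current_securelevel: read the live value on FreeBSD; elsewhere fall back
# to the SECURELEVEL environment variable so the logic can be exercised offline.
current_securelevel() {
    if [ "$(uname -s 2>/dev/null)" = FreeBSD ]; then
        sysctl -n kern.securelevel
    else
        echo "${SECURELEVEL:--1}"
    fi
}

# set_securelevel NEW: run the pre-check, then write via sysctl only on FreeBSD.
set_securelevel() {
    cur=$(current_securelevel)
    securelevel_change_allowed "$cur" "$1" "$$" || return 1
    if [ "$(uname -s 2>/dev/null)" = FreeBSD ]; then
        sysctl kern.securelevel="$1"
    fi
}
```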