From owner-freebsd-security Wed Oct 4 22:32:32 2000 Delivered-To: freebsd-security@freebsd.org Received: from jason.argos.org (a1-3a105.neo.rr.com [24.93.180.105]) by hub.freebsd.org (Postfix) with ESMTP id F24B037B502 for ; Wed, 4 Oct 2000 22:32:19 -0700 (PDT) Received: from localhost (mike@localhost) by jason.argos.org (8.10.1/8.10.1) with ESMTP id e955Qxl17940; Thu, 5 Oct 2000 01:27:02 -0400 Date: Thu, 5 Oct 2000 01:26:59 -0400 (EDT) From: Mike Nowlin To: Gabriel Ambuehl Cc: security@FreeBSD.ORG Subject: Re: Re[2]: BSD chpass (fwd) In-Reply-To: <12917380571.20001004204942@buz.ch> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org > Wednesday, October 04, 2000, 12:08:59 PM, you wrote: > > of the script kid population). A really clever attacker would modify > > your securelevel settings in rc.conf, reboot the machine making it > > look like a panic or power surge > > What about setting schg for it as well? You'd just need to find a way > to change it yourself (not sure about it, but it should be changeable > in single user mode which is fortunately only controllable by the > console). Many moons ago, I was poking around in the securelevel "setting" code, and had an idea... (Ding!) How about some hardware flag (such as a bit on the game port connected to a one-shot 555 timer or something) that, when set, will allow you to lower the secure level w/o rebooting? Hit the button, the bit goes low, and you have 15 seconds to lower the securelevel before the bit goes high again and blocks the change (default action). Could also be wired to the (rather pointless) turbo switch that is still being put on a lot of cases... Yes? No? Stupid idea? --mike To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message