Date:      Sun, 19 Apr 1998 13:07:11 -0700
From:      John-Mark Gurney <gurney_j@efn.org>
To:        Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
Cc:        Robert Watson <robert+freebsd@cyrus.watson.org>, Philippe Regnauld <regnauld@deepo.prosa.dk>, freebsd-security@FreeBSD.ORG
Subject:   Re: kernel permissions
Message-ID:  <19980419130711.01465@hydrogen.nike.efn.org>
In-Reply-To: <199804191941.MAA23123@cwsys.cwsent.com>; from Cy Schubert - ITSD Open Systems Group on Sun, Apr 19, 1998 at 12:40:31PM -0700
References:  <Pine.BSF.3.96.980419132625.18223B-100000@trojanhorse.pr.watson.org> <199804191941.MAA23123@cwsys.cwsent.com>

Cy Schubert - ITSD Open Systems Group scribbled this message on Apr 19:
> The BSD kernel normally starts out at securelevel 0.  Once init has 
> initialized, e.g. run the rc scripts, the kernel automatically raises 
> the securelevel to 1 if it hasn't been raised to a higher securelevel.
> 
> Securelevel -1 is a special case.  If securelevel -1 is hard coded into 
> the kernel, as is done in FreeBSD, the kernel will not automatically 
> raise the securelevel.  In short, securelevel -1 tells the kernel to 
> leave the system at a securelevel 0 state permanently.

you know, there is a security hole in the /etc/rc scripts...

inetd is run before the /etc/rc scripts are finished, which means that
there is a [significant] amount of time where inetd is started but the
machine hasn't raised the securelevel of the system... this can be
compounded if you have atalk on the system as it will take a while to
start up making the window all that much larger...

-- 
  John-Mark Gurney                      Modem Rev/FAX: +1 541 346 9237
  Cu Networking					  P.O. Box 5693, 97405

  Live in Peace, destroy Micro$oft, support free software, run FreeBSD
	    Don't trust anyone you don't have the source for
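
An added example, not part of the original message: one way to measure the window described above is to list every rc step that runs after inetd is launched, since the securelevel is raised only after the rc script has finished. The sample rc content is constructed for illustration (it is not the real FreeBSD /etc/rc), and the function names are hypothetical.

```shell
#!/bin/sh
# Audit helper (added example): show which rc steps execute while inetd
# is already listening but the securelevel has not yet been raised.

# Constructed sample input, not the real FreeBSD /etc/rc.
sample_rc() {
cat <<'EOF'
# constructed sample rc
mount -a
ifconfig lo0 inet 127.0.0.1
echo -n ' inetd'; inetd
# start AppleTalk (slow step in this sample)
atalkd
sendmail -bd -q30m
exit 0
EOF
}

# steps_after_inetd FILE
# Prints "lineno: command" for each command line that follows the first
# line launching inetd. Heuristic: a line launches inetd when one of its
# words, minus any directory prefix and trailing ';' or '&', is "inetd".
steps_after_inetd() {
    awk '
        function launches_inetd(   i, w) {
            for (i = 1; i <= NF; i++) {
                w = $i
                sub(/^.*\//, "", w)     # drop directory prefix
                sub(/[;&]+$/, "", w)    # drop trailing ; or &
                if (w == "inetd") return 1
            }
            return 0
        }
        /^[ \t]*(#|$)/         { next }   # comments and blank lines
        /^[ \t]*exit([ \t]|$)/ { next }   # end of script, not a step
        seen                   { print NR ": " $0; next }
        launches_inetd()       { seen = 1 }
    ' "$1"
}

# window_size FILE: number of steps that run inside the window.
window_size() { steps_after_inetd "$1" | wc -l | tr -d ' '; }

# Stand-alone use: sh thisfile /etc/rc
if [ "$#" -gt 0 ]; then steps_after_inetd "$1"; fi
```

A count of zero means inetd is the last thing the script starts; anything listed is a candidate to move ahead of inetd.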
