Date:      Mon, 10 Jul 2006 15:45:34 +0200
From:      Andras Got <andrej@antiszoc.hu>
To:        freebsd-i386@freebsd.org
Subject:   Re: kernel secure level??
Message-ID:  <44B259FE.5060008@antiszoc.hu>
In-Reply-To: <7403d2a30607100624h9d33c5bsfe647d08cc4b6f99@mail.gmail.com>
References:  <20060709183758.55907.qmail@web42208.mail.yahoo.com>	<7403d2a30607100022s433489d1pce3260c383a73a5f@mail.gmail.com>	<op.tcg5bky5d5xf1l@localhost.foo-unix.arpa> <7403d2a30607100624h9d33c5bsfe647d08cc4b6f99@mail.gmail.com>

Hi,

You should have read this (first page for "freebsd securelevel" with google): 
http://www.freebsd.org/doc/en/books/faq/security.html#SECURELEVEL

IMHO, you should never attempt to make a patch that can lower the securelevel on any system. This would 
kill the base functionality of it. (Why would it make any sense to turn it on, if anyone with root 
privs can turn it off...)

Securelevel 2 is good for production servers; level 3 is better for routers. On a production machine 
there is usually no need to change anything that would be affected by the securelevel.

Alexander Mogilny wrote:
> On 7/10/06, steve <steve@foo-unix.org> wrote:
>> Hi all,
>>
>> I found this very interesting. In FreeBSD, can you just
>> # sysctl kern.securelevel=-1
>> at the command line and step down securelevel in FreeBSD without 
>> rebooting?
>>
> 
> I have just read more documentation on sysctl values and found that
> kern.securelevel value is only available for increment. So it is
> impossible to decrease it after setting it to 2. The only way to do
> this is to change FreeBSD sources, this is an evil hack but still
> possible. :)
> In my opinion, setting the securelevel value to 2 means that this machine
> should be forgotten forever, untouchable, and perform some core
> functionality. Such machines should be some kind of routers which are
> never rebooted and always online. My point here is that you should
> deeply analyze the structure of your network and create more
> structured server functionality so that you perform ipfilter
> configuration changes on some other machine with a normal security
> level, or if this is improper for you, perform some local source
> modifications and implement patches making these sysctl values
> available for changing.
> 



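As an added example that is not part of the thread above, the sh script below models the rule the thread is discussing: a running FreeBSD kernel accepts `sysctl kern.securelevel=N` only when N is not below the current level, so once a box is at 2, `sysctl kern.securelevel=-1` fails and a reboot is the only way down. The level descriptions in the comments follow security(7) and init(8); the rc.conf(5) variables `kern_securelevel_enable` and `kern_securelevel` are the real boot-time knobs. The transition check is my own reading of the kernel's sysctl handler (requests below the current level get EPERM, setting the same value is a no-op), and the sample transitions at the bottom are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread: FreeBSD kern.securelevel rules and
# the boot-time configuration that should be used to set it.
#
#  -1  permanently insecure: the kernel never raises the level on its own
#   0  insecure: default for a running system
#   1  secure: immutable/append-only file flags cannot be cleared; disks of
#      mounted filesystems, /dev/mem and /dev/kmem cannot be opened for
#      writing; kernel modules cannot be loaded or unloaded
#   2  highly secure: as 1, plus no writing to any disk device (mount(8)
#      excepted), and the clock cannot be set back or jumped by more than 1s
#   3  network secure: as 2, plus packet filter rules (ipfw, pf, ipfilter)
#      and dummynet configuration can no longer be changed

# Print a short name for a level; exit status 1 for a value outside -1..3.
securelevel_describe() {
    case $1 in
        -1) echo "permanently insecure" ;;
        0)  echo "insecure (default)" ;;
        1)  echo "secure" ;;
        2)  echo "highly secure" ;;
        3)  echo "network secure" ;;
        *)  echo "invalid securelevel: $1" >&2; return 1 ;;
    esac
}

# Return 0 if a kernel running at level $1 would accept "sysctl
# kern.securelevel=$2". Assumption about the kernel handler: only increases
# (or setting the same value) are accepted; lowering returns EPERM, because
# only init(8) lowers the level, on the way back to single-user mode.
securelevel_can_change() {
    securelevel_describe "$1" >/dev/null || return 1
    securelevel_describe "$2" >/dev/null || return 1
    [ "$2" -ge "$1" ]
}

# Read the live value on FreeBSD; print "unknown" elsewhere so the rest of
# the script can still be exercised on a non-FreeBSD host.
securelevel_current() {
    sysctl -n kern.securelevel 2>/dev/null || echo unknown
}

# Print the rc.conf(5) lines that make a securelevel stick across reboots.
# This, not a hand-typed sysctl, is how a production box should reach 2 or 3.
securelevel_rcconf() {
    securelevel_describe "$1" >/dev/null || return 1
    printf 'kern_securelevel_enable="YES"\nkern_securelevel="%s"\n' "$1"
}

# Constructed demonstration: the thread's scenario (a box at level 2, an
# attempt to drop to -1) plus a few other transitions.
for attempt in "2 -1" "2 2" "1 3" "3 0"; do
    set -- $attempt
    if securelevel_can_change "$1" "$2"; then
        echo "level $1 -> $2: accepted ($(securelevel_describe "$2"))"
    else
        echo "level $1 -> $2: EPERM, only a reboot lowers the securelevel"
    fi
done
echo "live kern.securelevel: $(securelevel_current)"
echo "rc.conf for a level-2 production server:"
securelevel_rcconf 2
```

Run it as root on the box in question to see the live value; on anything other than FreeBSD the live read prints `unknown` and only the modelled transitions and the rc.conf lines are shown.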
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?44B259FE.5060008>