From owner-freebsd-i386@FreeBSD.ORG Mon Jul 10 13:44:35 2006 Return-Path: X-Original-To: freebsd-i386@freebsd.org Delivered-To: freebsd-i386@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id DE36F16A4DE for ; Mon, 10 Jul 2006 13:44:35 +0000 (UTC) (envelope-from andrej@antiszoc.hu) Received: from andrej.mine.nu (catv-d5debe68.catv.broadband.hu [213.222.190.104]) by mx1.FreeBSD.org (Postfix) with ESMTP id 70A8B43D46 for ; Mon, 10 Jul 2006 13:44:34 +0000 (GMT) (envelope-from andrej@antiszoc.hu) Message-ID: <44B259FE.5060008@antiszoc.hu> Date: Mon, 10 Jul 2006 15:45:34 +0200 From: Andras Got User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.2) Gecko/20060404 SeaMonkey/1.0.1 MIME-Version: 1.0 To: freebsd-i386@freebsd.org References: <20060709183758.55907.qmail@web42208.mail.yahoo.com> <7403d2a30607100022s433489d1pce3260c383a73a5f@mail.gmail.com> <7403d2a30607100624h9d33c5bsfe647d08cc4b6f99@mail.gmail.com> In-Reply-To: <7403d2a30607100624h9d33c5bsfe647d08cc4b6f99@mail.gmail.com> Content-Type: text/plain; charset=ISO-8859-2; format=flowed Content-Transfer-Encoding: 7bit Cc: Subject: Re: kernel secure level?? X-BeenThere: freebsd-i386@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: I386-specific issues for FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Jul 2006 13:44:35 -0000 Hi, You should have read this (first page for "freebsd securelevel" with google): http://www.freebsd.org/doc/en/books/faq/security.html#SECURELEVEL IMHO, You should never attempt to make patch, that can lower securelevel on any system. This would kill the base funcotionality of it. (Why would make any sense to turn it on, if anyone with root privs can turn it off...). Securelevel two is good for production servers, level 3 are better for routers. On prod machine usually there is no need to change anything, that would be affected by securelevel. Alexander Mogilny wrote: > On 7/10/06, steve wrote: >> Hi all, >> >> I found this very interesting. In FreeBSD, can you just >> # sysctl kern.securelevel=-1 >> at the command line and step down securelevel in FreeBSD without >> rebooting? >> > > I have just read more documentation on sysctl values and found that > kern.securelevel value is only available for increment. So it is > impossible to decrease it after setting it to 2. The only way to do > this is to change FreeBSD sources, this is an evil hack but still > possible. :) > To my opinion setting securelevel value to 2 means that this machine > should be forgotten forever, untouchable and perform some core > functionality. Such machines should be some kind of routers which are > never rebooted and always online. My point here is that you should > deeply analyze the structure of your network and create more > structured server functionality so that you perform ipfilter > configuration changes on some other machine with normal security > level, of if this is improper for you perform some local sources > modifications and implement patches making this sysctl values > available for changing. >