From owner-freebsd-security  Sun Apr 19 13:30:20 1998
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id NAA06160
          for freebsd-security-outgoing; Sun, 19 Apr 1998 13:30:20 -0700 (PDT)
          (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from fledge.watson.org (root@FLEDGE.RES.CMU.EDU [128.2.91.116])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id UAA06151
          for <freebsd-security@FreeBSD.ORG>; Sun, 19 Apr 1998 20:30:16 GMT
          (envelope-from robert@cyrus.watson.org)
Received: from trojanhorse.pr.watson.org (trojanhorse.pr.watson.org [192.0.2.10])
	by fledge.watson.org (8.8.8/8.8.8) with SMTP id QAA29744;
	Sun, 19 Apr 1998 16:29:46 -0400 (EDT)
Date: Sun, 19 Apr 1998 16:29:31 -0400 (EDT)
From: Robert Watson <robert@cyrus.watson.org>
X-Sender: robert@trojanhorse.pr.watson.org
Reply-To: Robert Watson <robert+freebsd@cyrus.watson.org>
To: John-Mark Gurney <gurney_j@resnet.uoregon.edu>
cc: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>,
        Philippe Regnauld <regnauld@deepo.prosa.dk>,
        freebsd-security@FreeBSD.ORG
Subject: Re: kernel permissions
In-Reply-To: <19980419130711.01465@hydrogen.nike.efn.org>
Message-ID: <Pine.BSF.3.96.980419161203.18223G-100000@trojanhorse.pr.watson.org>
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

On Sun, 19 Apr 1998, John-Mark Gurney wrote:

> you know, there is a security hole in the /etc/rc scripts...
> 
> inetd is run before the /etc/rc scripts are finished, which means that
> there is a [significant] amount of time where inetd is started but the
> machine hasn't raised the securelevel of the system... this can be
> compounded if you have atalk on the system as it will take a while to
> start up making the window all that much larger...

My feeling was that the secure level needed to be raised before a number
of the daemons start to prevent any racing conditions, and hence having a
number of securelevels, gradually increasing the restrictions on the
system as possible during the boot process (i.e., as soon as ipfw is
configured correctly, disallow modification of ipfw settings, etc).

Would using multiple rc scripts be desirable, or should we just have...

rc:
...
(trusted daemons)
# bump securelevel
sysctl -w kern.securelevel=2
...
(less trusted daemons)
# bump securelevel
sysctl -w kern.securelevel=3
...
(least trusted daemons)

And so on.

  Robert N Watson 


----
Carnegie Mellon University  http://www.cmu.edu/
Trusted Information Systems http://www.tis.com/
SafePort Network Services   http://www.safeport.com/
robert@fledge.watson.org    http://www.watson.org/~robert/


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message