From owner-freebsd-security Mon May 5 01:37:32 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id BAA12468 for security-outgoing; Mon, 5 May 1997 01:37:32 -0700 (PDT)
Received: from mail0.iij.ad.jp (mail0.iij.ad.jp [202.232.2.113]) by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id BAA12461 for ; Mon, 5 May 1997 01:37:30 -0700 (PDT)
Received: from uucp3.iij.ad.jp (uucp3.iij.ad.jp [202.232.2.203]) by mail0.iij.ad.jp (8.8.5+2.7Wbeta5/3.5Wpl4-MAIL) with SMTP id RAA05939 for ; Mon, 5 May 1997 17:37:29 +0900 (JST)
Received: (from uucp@localhost) by uucp3.iij.ad.jp (8.6.12+2.4W/3.3W9-UUCP) with UUCP id RAA24729 for freebsd-security@FreeBSD.org; Mon, 5 May 1997 17:37:28 +0900
Received: (qmail 5999 invoked by uid 1000); 5 May 1997 08:37:12 -0000
Message-ID: <19970505083712.5998.qmail@reseau.toyonaka.osaka.jp>
Date: Mon, 5 May 1997 17:37:12 +0900 (JST)
From: Kenji Rikitake
X-Sender: kenji@reseau.reseau.rcac.tdi.co.jp
To: freebsd-security@FreeBSD.org
Subject: questions on 2.2.1-RELEASE default value for kern.securelevel
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Today I found that kern.securelevel of my 2.2.1-RELEASE-running machine
was -1. I decided to set it to 0 in /etc/rc so that it would be secured
to level 1 in the multi-user mode. This was successful, but when I tried
to boot up the XF86 server it failed because of the operation failure of
KDENABIO.

So I checked out some kernel code and found that in
/sys/i386/isa/syscons.c the KDENABIO operation is prohibited when
kern.securelevel > 0.

Here are my questions:

1. Why is the initial value of kern.securelevel set to -1?
2. Why is the KDENABIO operation prohibited when kern.securelevel > 0?

Obviously patching out the kern.securelevel check in the KDENABIO code
will run the XF86 server, but doing this may create a new vulnerability.

I would appreciate it if a FreeBSD guru can answer me about this.

FYI my BSD/OS 2.0.1 runs Xaccel happily in kern.securelevel = 1.
Why not on FreeBSD?

Regards,
// Kenji Rikitake
// An equal opportunistic encryptor.
WWW: http://www.nn.iij4u.or.jp/~kenji/