From owner-freebsd-security  Mon May  5 01:37:32 1997
Return-Path: <owner-security>
Received: (from root@localhost)
          by hub.freebsd.org (8.8.5/8.8.5) id BAA12468
          for security-outgoing; Mon, 5 May 1997 01:37:32 -0700 (PDT)
Received: from mail0.iij.ad.jp (mail0.iij.ad.jp [202.232.2.113])
          by hub.freebsd.org (8.8.5/8.8.5) with ESMTP id BAA12461
          for <freebsd-security@FreeBSD.org>; Mon, 5 May 1997 01:37:30 -0700 (PDT)
Received: from uucp3.iij.ad.jp (uucp3.iij.ad.jp [202.232.2.203]) by mail0.iij.ad.jp (8.8.5+2.7Wbeta5/3.5Wpl4-MAIL) with SMTP id RAA05939 for <freebsd-security@FreeBSD.org>; Mon, 5 May 1997 17:37:29 +0900 (JST)
Received: (from uucp@localhost) by uucp3.iij.ad.jp (8.6.12+2.4W/3.3W9-UUCP) with UUCP id RAA24729 for freebsd-security@FreeBSD.org; Mon, 5 May 1997 17:37:28 +0900
Received: (qmail 5999 invoked by uid 1000); 5 May 1997 08:37:12 -0000
Message-ID: <19970505083712.5998.qmail@reseau.toyonaka.osaka.jp>
Date: Mon, 5 May 1997 17:37:12 +0900 (JST)
From: Kenji Rikitake <kenji@reseau.toyonaka.osaka.jp>
X-Sender: kenji@reseau.reseau.rcac.tdi.co.jp
To: freebsd-security@FreeBSD.org
Subject: questions on 2.2.1-RELEASE default value for kern.securelevel
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Today I found that kern.securelevel of my 2.2.1-RELEASE-running machine
was -1. I decided to set it to 0 in /etc/rc so that it would be secured to
level 1 in the multi-user mode. This was successful but when I tried to
boot up XF86 server it failed because of the operation failure of
KDENABIO. So I checked out some kernel code and found that in
/sys/i386/isa/syscons.c the KDENABIO operation is prohibited when
kern.securelevel > 0.

Here's my questions:

1. Why the initial value of kern.securelevel is set to -1?
2. Why the KDENABIO operation is prohibited when kern.securelevel > 0?

Obviously patching out the kern.securelevel check in KDENABIO code will
run the XF86 server, but doing this may create a new vulnerability. I
would appreciate if a FreeBSD guru can answer me about this.

FYI my BSD/OS 2.0.1 runs Xaccel happily in kern.securelevel = 1. 
Why not on the FreeBSD?

Regards,

// Kenji Rikitake <kenji@reseau.toyonaka.osaka.jp> <kenji@rcac.tdi.co.jp>
// An equal opportunistic encryptor. WWW: http://www.nn.iij4u.or.jp/~kenji/