From owner-freebsd-hackers Sun Sep 5 22:24:38 1999 Delivered-To: freebsd-hackers@freebsd.org Received: from eclogite.eps.nagoya-u.ac.jp (eclogite.eps.nagoya-u.ac.jp [133.6.124.145]) by hub.freebsd.org (Postfix) with ESMTP id 7297A156C7; Sun, 5 Sep 1999 22:24:24 -0700 (PDT) (envelope-from kato@ganko.eps.nagoya-u.ac.jp) Received: from localhost (gneiss.eps.nagoya-u.ac.jp [133.6.124.148]) by eclogite.eps.nagoya-u.ac.jp (8.9.3/3.7W) with ESMTP id OAA28405; Mon, 6 Sep 1999 14:24:13 +0900 (JST) To: bde@zeta.org.au Cc: freebsd-hackers@FreeBSD.ORG, freebsd-security@FreeBSD.ORG Subject: Re: Init(8) cannot decrease securelevel From: KATO Takenori In-Reply-To: Your message of "Mon, 6 Sep 1999 15:13:48 +1000" <199909060513.PAA12402@godzilla.zeta.org.au> References: <199909060513.PAA12402@godzilla.zeta.org.au> X-Mailer: Mew version 1.93 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA) X-PGP-Fingerprint: 03 72 85 36 62 46 23 03 52 B1 10 22 44 10 0D 9E Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Message-Id: <19990906142342F.kato@gneiss.eps.nagoya-u.ac.jp> Date: Mon, 06 Sep 1999 14:23:42 +0900 X-Dispatcher: imput version 980905(IM100) Lines: 36 Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG Bruce Evans wrote: > There used to be security holes that allowed root to lower `securelevel' > using init. Rev.1.9 defends against any undiscovered holes. How about following change? ---------- *** init.8.ORIG Mon Sep 6 14:20:46 1999 --- init.8 Mon Sep 6 14:23:01 1999 *************** *** 92,99 **** .Dq secure . .Pp The kernel runs with four different levels of security. ! Any super-user process can raise the security level, but only ! .Nm can lower it. The security levels are: .Bl -tag -width flag --- 92,98 ---- .Dq secure . .Pp The kernel runs with four different levels of security. ! Any super-user process can raise the security level, but no process can lower it. The security levels are: .Bl -tag -width flag ---------- -----------------------------------------------+--------------------------+ KATO Takenori | FreeBSD | Dept. Earth Planet. Sci, Nagoya Univ. | The power to serve! | Nagoya, 464-8602, Japan | http://www.FreeBSD.org/ | ++++ FreeBSD(98) 3.2: Rev. 01 available! |http://www.jp.FreeBSD.org/| ++++ FreeBSD(98) 2.2.8: Rev. 02 available! +==========================+ To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message