Date:      Fri, 27 Oct 2023 03:34:28 +0100
From:      void <void@f-m.fm>
To:        freebsd-security@freebsd.org
Subject:   Re: securelevel 1
Message-ID:  <ZTshtJvtxipTsf2B@int21h>
In-Reply-To: <86ttqd12y1.fsf@ltc.des.no>
References:  <ZTeaGFZjvcsKfbOW@int21h> <6638DADD-FCDB-492C-B1E8-441C6622038B@FreeBSD.org> <663fd243-94ec-40c1-ac66-ca8e3d5f278d@quip.cz> <35f733cc-a6c2-46a4-b564-b1ef87893fc5@app.fastmail.com> <86ttqd12y1.fsf@ltc.des.no>

On Thu, Oct 26, 2023 at 11:36:22PM +0200, Dag-Erling Smørgrav wrote:
>void <void@f-m.fm> writes:
>> In order to accomplish what I'd like, I understand that I'd need to set +schg
>> on the individual logs, then set the securelevel afterwards and reboot.
>
>If you set the log file +schg, it can't be written to at all.  That's
>obviously not what you want.

Yes, I'm sorry; I meant to type +sappnd.

>If you set it +sappnd, it can be written to, and newsyslog will be able
>to rotate it; an attacker with superuser privileges will also be able to
>replace it with a doctored file.

Yes. But if sappnd is set on the required files, and then securelevel=1
is set, then nothing can change the flag while the system is multiuser.
That is, if I'm understanding correctly?

So, on such a system, if I understand correctly, newsyslog would need
to be turned off.

Am I correct in understanding that securelevel could be lowered to -1
while in single user mode (e.g. for the purposes of upgrading); one
would have to comment out the securelevel variables in rc.conf
before booting multiuser?

newsyslog could be run on that occasion, then securelevel set to 1
again.

>There is no way to allow one without the other.  The usual solution is
>to log to a remote machine.

That's planned. 
-- 


