Date: Sun, 19 Apr 1998 13:07:11 -0700
From: John-Mark Gurney <gurney_j@efn.org>
To: Cy Schubert - ITSD Open Systems Group <cschuber@uumail.gov.bc.ca>
Cc: Robert Watson <robert+freebsd@cyrus.watson.org>, Philippe Regnauld <regnauld@deepo.prosa.dk>, freebsd-security@FreeBSD.ORG
Subject: Re: kernel permissions
Message-ID: <19980419130711.01465@hydrogen.nike.efn.org>
In-Reply-To: <199804191941.MAA23123@cwsys.cwsent.com>; from Cy Schubert - ITSD Open Systems Group on Sun, Apr 19, 1998 at 12:40:31PM -0700
References: <Pine.BSF.3.96.980419132625.18223B-100000@trojanhorse.pr.watson.org> <199804191941.MAA23123@cwsys.cwsent.com>

Cy Schubert - ITSD Open Systems Group scribbled this message on Apr 19:
> The BSD kernel normally starts out at securelevel 0. Once init has
> initialized, e.g. run the rc scripts, the kernel automatically raises
> the securelevel to 1 if it hasn't been raised to a higher securelevel.
>
> Securelevel -1 is a special case. If securelevel -1 is hard coded into
> the kernel, as is done in FreeBSD, the kernel will not automatically
> raise the securelevel. In short, securelevel -1 tells the kernel to
> leave the system at a securelevel 0 state permanently.

you know, there is a security hole in the /etc/rc scripts... inetd is
run before the /etc/rc scripts are finished, which means that there is
a [significant] amount of time where inetd is started but the machine
hasn't raised the securelevel of the system...

this can be compounded if you have atalk on the system as it will take
a while to start up making the window all that much larger...

--
John-Mark Gurney                Modem Rev/FAX: +1 541 346 9237
Cu Networking                   P.O. Box 5693, 97405

Live in Peace, destroy Micro$oft, support free software, run FreeBSD
Don't trust anyone you don't have the source for

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19980419130711.01465>
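
The startup ordering described in the message above can be audited mechanically. The following is an added example, not part of the original e-mail or of FreeBSD's rc scripts: a shell function that lists the watched network daemons an rc-style script starts before the line that raises `kern.securelevel`. The function names, the watch list and the sample script are constructed for illustration.

```shell
#!/bin/sh
# Added example: find network daemons started before securelevel is raised.

# Usage: daemons_before_securelevel RC_FILE DAEMON...
# Prints each watched daemon launched before the first line that sets
# kern.securelevel. If the script never sets it, init raises the level only
# after the script has finished, so every watched daemon found is reported.
daemons_before_securelevel() {
    rc_file=$1
    shift
    awk -v watch="$*" '
        BEGIN { n = split(watch, w, " ") }
        /^[ \t]*#/ { next }                      # ignore comment lines
        /sysctl.*kern\.securelevel=/ { exit }    # raise point reached
        {
            for (i = 1; i <= n; i++) {
                # match the daemon as a command word, with or without a path
                re = "(^|[/ \t])" w[i] "([ \t;&]|$)"
                if ($0 ~ re && !seen[w[i]]++)
                    print w[i]
            }
        }
    ' "$rc_file"
}

# Constructed rc fragment (not a real /etc/rc) with the ordering from the
# message: inetd starts, a slow service follows, then the level is raised.
sample_rc() {
    cat <<'EOF'
# constructed sample startup script
ifconfig lo0 inet 127.0.0.1
syslogd
echo -n ' inetd'; /usr/sbin/inetd
atalkd
sysctl -w kern.securelevel=1
sshd
EOF
}

# Demonstration on the constructed sample.
demo_file=$(mktemp)
sample_rc > "$demo_file"
echo "started before securelevel raise:"
daemons_before_securelevel "$demo_file" inetd sshd
rm -f "$demo_file"
```

On a running system, `sysctl kern.securelevel` reports the level currently in effect.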