Date: Mon, 10 Jul 2006 16:24:43 +0300
From: "Alexander Mogilny" <sg@astral.ntu-kpi.kiev.ua>
To: steve <steve@foo-unix.org>
Cc: freebsd-i386@freebsd.org
Subject: Re: kernel secure level??
Message-ID: <7403d2a30607100624h9d33c5bsfe647d08cc4b6f99@mail.gmail.com>
In-Reply-To: <op.tcg5bky5d5xf1l@localhost.foo-unix.arpa>
References: <20060709183758.55907.qmail@web42208.mail.yahoo.com> <7403d2a30607100022s433489d1pce3260c383a73a5f@mail.gmail.com> <op.tcg5bky5d5xf1l@localhost.foo-unix.arpa>

On 7/10/06, steve <steve@foo-unix.org> wrote:
> Hi all,
>
> I found this very interesting. In FreeBSD, can you just
> # sysctl kern.securelevel=-1
> at the command line and step down securelevel in FreeBSD without rebooting?
>

I have just read more documentation on sysctl values and found that the
kern.securelevel value is only available for increment. So it is impossible
to decrease it after setting it to 2. The only way to do this is to change
the FreeBSD sources; this is an evil hack but still possible. :)

In my opinion, setting the securelevel value to 2 means that this machine
should be forgotten forever, untouchable, and perform some core
functionality. Such machines should be some kind of routers which are never
rebooted and always online.

My point here is that you should deeply analyze the structure of your
network and create more structured server functionality, so that you perform
ipfilter configuration changes on some other machine with a normal security
level, or, if this is improper for you, perform some local source
modifications and implement patches making these sysctl values available for
changing.

-- 
AIM-UANIC                +-----[ FreeBSD ]-----+
Alexander Mogilny        | The Power to Serve! |
<> sg@portaone.com       +---------------------+