Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!news.ecn.uoknor.edu!news.cis.okstate.edu!newsfeed.ksu.ksu.edu!news.physics.uiowa.edu!math.ohio-state.edu!uwm.edu!spool.mu.edu!newshub.tc.umn.edu!fu-berlin.de!irz401!orion.sax.de!uriah.heep!news
From: j@uriah.heep.sax.de (J Wunsch)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Is securitylevel implemented in FreeBSD?
Date: 3 Aug 1996 19:59:04 GMT
Organization: Private BSD site, Dresden
Lines: 38
Message-ID: <4u0b28$qnk@uriah.heep.sax.de>
References: <4tm7uk$1me@overload.lbl.gov>
Reply-To: joerg_wunsch@uriah.heep.sax.de (Joerg Wunsch)
NNTP-Posting-Host: localhost.heep.sax.de
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
X-Newsreader: knews 0.9.6
X-Phone: +49-351-2012 669
X-PGP-Fingerprint: DC 47 E6 E4 FF A6 E9 8F 93 21 E0 7D F9 12 D6 4E

jin@gracie.lbl.gov (Jin Guojun[ITG]) wrote:

> # sysctl kern.securelevel
> kern.securelevel = -1 ??? should be = 1 ???

No, -1 is the ``permanently insecure mode'' (RTFM init(8)).

> # sysctl -w kern.securelevel=5
> kern.securelevel: 2 -> 5
>
> # cat > /etc/xxx
>
> The disk is still writeable. If I remember correctly, when the security
> level is greater (higher) than 1, the entire system is read only.

Aw, so what would you expect from a read-only operating system?

Nope, that's not the goal. The _disks_ are no longer writeable, i.e.
you cannot even disklabel them. Try (as root) to run disklabel -e on
one of your disks, with only changing a minor and unimportant detail
(like the RPM value). It should fail.

Also, immutable and append-only files (RTFM chflags(1)) are supposed to
work in the secure modi. (They work in the insecure mode as well, but
root can turn the flags off.)

FreeBSD has not been tested with securelevels other than 0. One thing I
know will break is running the X server, since accessing the frame
buffer through /dev/mem is forbidden then. (The NetBSD folks use a
special driver as a backdoor to allow this.) Expect other things to
break as well.

-- 
cheers, J"org               joerg_wunsch@uriah.heep.sax.de -- http://www.sax.de/~joerg/ -- NIC: JW11-RIPE
Never trust an operating system you don't have sources for. ;-)
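As an added example (not part of Joerg's post or of FreeBSD's own tooling): POSIX shell helpers that read kern.securelevel in the two output styles quoted above and tell whether a file's chflags(1) protection actually holds against root at that level. The `ls -lo` lines and the sysctl line at the bottom are constructed sample data.

```shell
#!/bin/sh
# Added example, not from the original post: audit helpers for the
# securelevel behaviour discussed above. Everything is parsed from text, so
# the constructed samples run anywhere; on FreeBSD feed it live output.

# Pull the numeric level out of a sysctl line in either style quoted above:
#   "kern.securelevel = -1"     or    "kern.securelevel: 2 -> 5"
# For the "old -> new" form printed by sysctl -w, the new value is reported.
parse_securelevel() {
  case "$1" in
    kern.securelevel*) printf '%s\n' "$1" | awk '{ print $NF }' ;;
    *) return 1 ;;
  esac
}

# Name the mode as init(8) does. Anything >= 1 is a secure mode: system
# flags cannot be cleared and raw disks are not writable, even by root.
securelevel_class() {
  case "$1" in
    ""|-|*[!0-9-]*) echo unknown ;;
    -1)             echo permanently-insecure ;;
    0)              echo insecure ;;
    *)              echo secure ;;
  esac
}

# Given the current level and one line of FreeBSD "ls -lo" output, report
# whether the file's flags hold against root. Field 5 is the flags column
# ("-" when none, comma-separated otherwise). Only the system flags
# schg/sappnd are backed by securelevel; the user flags uchg/uappnd can
# be cleared by root at any level.
flag_status() {
  _flags=$(printf '%s\n' "$2" | awk '{ print $5 }')
  case ",$_flags," in
    *,schg,*|*,sappnd,*)
      if [ "$1" -ge 1 ]; then echo enforced; else echo root-clearable; fi ;;
    *,uchg,*|*,uappnd,*) echo root-clearable ;;
    *) echo unprotected ;;
  esac
}

# Constructed sample data (illustrative, not real output):
LEVEL=$(parse_securelevel 'kern.securelevel: 2 -> 5')
echo "securelevel $LEVEL: $(securelevel_class "$LEVEL")"
for line in \
  '-r--r--r--  1 root  wheel  schg  1437 Aug  3  1996 /etc/xxx' \
  '-rw-r--r--  1 root  wheel  -     1437 Aug  3  1996 /etc/yyy'; do
  echo "$(flag_status "$LEVEL" "$line") ${line##* }"
done
```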