Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!nntp.coast.net!lll-winken.llnl.gov!uwm.edu!math.ohio-state.edu!cs.utexas.edu!howland.erols.net!vixen.cso.uiuc.edu!newsfeed.internetmci.com!in2.uu.net!01-newsfeed.univie.ac.at!news.cesnet.cz!voskovec.radio.cz!news.uni-stuttgart.de!news.urz.uni-heidelberg.de!rz.uni-karlsruhe.de!not-for-mail
From: uk1o@rzstud2.rz.uni-karlsruhe.de (Felix Schroeter)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Is securitylevel implemented in FreeBSD?
Date: 7 Aug 1996 19:07:44 +0200
Organization: University of Karlsruhe, Germany
Lines: 47
Message-ID: <4uaih0$jdu@rzstud2.rz.uni-karlsruhe.de>
References: <4tm7uk$1me@overload.lbl.gov> <320328FC.32C8@cet.co.jp>
NNTP-Posting-Host: rzstud2.rz.uni-karlsruhe.de
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
NNTP-Posting-User: uk1o

Hello!

In article <320328FC.32C8@cet.co.jp>, Michael Hancock <michaelh@cet.co.jp> wrote:

>Jin Guojun[ITG] wrote:
>> I have a question on setting securitylevel under FreeBSD. Here is what I did:
>> # sysctl kern.securelevel
>> kern.securelevel = -1        ??? should be = 1 ???

>Maybe, but it would confuse a lot of people, "I'm root but I
>can't install a new kernel, what's chflags and why doesn't it
>work".

??? You don't *need* to install /kernel with flags schg...

>> # sysctl -w kern.securelevel=2
>> kern.securelevel: -1 -> 2
>> # cat > /etc/xxx
>> # sysctl -w kern.securelevel=5
>> kern.securelevel: 2 -> 5
>> # cat > /etc/xxx
>> The disk is still writeable. If I remember correctly, when the security
>> level is greater (higher) than 1, the entire system is read only.

>Making /etc read-only not possible anyway. You wouldn't be able
>to run your system.

>The kernel has "Permanently secure mode" compiled into it.
>"Secure mode" would be a good mode of operation, but you'll have
>to figure out how to get kern.securemode= -1 from being compiled
>in.
Edit /usr/src/sys/kern/kern_sysctl.c, find the definition of

	int securelevel = -1;

and change the '-1' to '0' (w/o the quotes, of course). Recompile the
kernel and install it.

>Mike Hancock

Regards, Felix.
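The following is an added example, not code from the thread or from the FreeBSD kernel: a small user-space model of the kern.securelevel rules the thread is arguing about, so the session above can be replayed and the effect of the -1 -> 0 edit seen without rebuilding a kernel. It assumes the 2.x-era semantics as I understand them: any process may raise the level but only init (pid 1) may lower it; a file carrying the schg (SF_IMMUTABLE) flag refuses writes once the level is above 0, while files without the flag are unaffected at any level; and init raises a level of 0 to 1 when entering multi-user but leaves a compiled-in -1 alone. The function names, the pid values and the "file flags" argument are constructed for the example.

```c
#include <errno.h>
#include <stdio.h>

/* Simplified model of FreeBSD's securelevel rules (added example, not kernel
 * source). Kernel state is kept in globals, as in the real kern_sysctl.c. */

#define SF_IMMUTABLE 0x00020000   /* the chflags "schg" bit, as in <sys/stat.h> */

/* The compiled-in default the thread is about ("permanently insecure"). */
static int securelevel = -1;

/* Model of a write to kern.securelevel: any root process may raise the
 * level, only init (pid 1) may lower it. Returns 0 or EPERM. Note that
 * -1 -> 2 and 2 -> 5 both succeed, exactly as in the quoted session. */
int set_securelevel(int newlevel, int pid)
{
    if (newlevel < securelevel && pid != 1)
        return EPERM;
    securelevel = newlevel;
    return 0;
}

int get_securelevel(void)
{
    return securelevel;
}

/* Model of the check an open-for-write hits: a file with the system
 * immutable flag is unwritable once securelevel is above 0. A file without
 * the flag is never affected, which is why "cat > /etc/xxx" still worked at
 * level 5: securelevel does not make the filesystem read-only, it only
 * makes schg-flagged files (e.g. a /kernel installed with chflags schg)
 * unmodifiable. fileflags is the file's st_flags word. */
int open_for_write(unsigned int fileflags)
{
    if ((fileflags & SF_IMMUTABLE) && securelevel > 0)
        return EPERM;
    return 0;
}

/* What init(8) does on entering multi-user (assumed behaviour): a level of
 * 0 is raised to 1; a compiled-in -1 is left alone. This is the whole
 * difference the "-1 to 0" edit to kern_sysctl.c makes. */
void init_go_multiuser(void)
{
    if (securelevel == 0)
        (void)set_securelevel(1, 1);
}

/* Replay the session quoted in the thread and return 0 if every step
 * behaves as the model predicts; a negative step number otherwise. */
int replay_thread(void)
{
    const int root_shell = 1234;               /* constructed pid of root's shell */

    securelevel = -1;
    if (set_securelevel(2, root_shell) != 0)          return -1; /* -1 -> 2 */
    if (set_securelevel(5, root_shell) != 0)          return -2; /*  2 -> 5 */
    if (open_for_write(0) != 0)                       return -3; /* /etc/xxx: writable */
    if (open_for_write(SF_IMMUTABLE) != EPERM)        return -4; /* schg file: refused */
    if (set_securelevel(0, root_shell) != EPERM)      return -5; /* root cannot lower */
    if (set_securelevel(0, 1) != 0)                   return -6; /* init can */
    return 0;
}

int main(void)
{
    printf("replay of thread session: %d (0 = as predicted)\n", replay_thread());

    securelevel = -1;
    init_go_multiuser();
    printf("boot with compiled-in -1: securelevel stays %d\n", get_securelevel());

    securelevel = 0;
    init_go_multiuser();
    printf("boot after the -1 -> 0 edit: securelevel becomes %d\n", get_securelevel());
    return 0;
}
```

The model shows why the quoted experiment was inconclusive: raising the level via sysctl works even from -1, but nothing in the test touched a file that securelevel protects. To see the level bite, chflags schg a file and retry the write at level 1 or higher; to get the level raised automatically at boot, the compiled-in default has to be 0 rather than -1, which is what the edit above achieves.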