Path: euryale.cc.adfa.oz.au!newshost.carno.net.au!harbinger.cc.monash.edu.au!munnari.OZ.AU!spool.mu.edu!howland.reston.ans.net!nntp.coast.net!news.kei.com!newsfeed.internetmci.com!in3.uu.net!EU.net!sun4nl!cs.ruu.nl!edwin
From: edwin@cs.ruu.nl (Edwin Kremer)
Newsgroups: comp.unix.bsd.freebsd.misc
Subject: Re: Is securitylevel implemented in FreeBSD?
Date: 2 Aug 1996 14:52:06 GMT
Organization: Dept of Computer Science, Utrecht University, The Netherlands
Lines: 48
Message-ID: <4tt4mm$i0d@krant.cs.ruu.nl>
References: <4tm7uk$1me@overload.lbl.gov>
NNTP-Posting-Host: magic.cs.ruu.nl
X-Newsreader: NN version 6.5.0 #7 (NOV)

In <4tm7uk$1me@overload.lbl.gov> jin@gracie.lbl.gov (Jin Guojun[ITG]) writes:

| # sysctl kern.securelevel
| kern.securelevel = -1 ??? should be = 1 ???

It's OK. Shouldn't be 1. This is the "permanent insecure mode" which tells
the kernel to always run on "level 0" mode. Otherwise, the normal behaviour
would be: level 0 in single-user mode and level 1 in multi-user mode.

| # sysctl -w kern.securelevel=5
| kern.securelevel: 2 -> 5
|
| The disk is still writeable. If I remember correctly, when the security
| level is greater (higher) than 1, the entire system is read only.

Not really. This is how it works.

0 insecure mode - immutable and append-only flags may be turned off.
  All devices may be read or written subject to permission modes.

1 secure mode - immutable and append-only flags may not be changed;
  raw disks of mounted filesystems, /dev/mem, and /dev/kmem are read-only.

2 highly secure mode - same as (1) plus raw disks are always read-only
  whether mounted or not. This level precludes tampering with filesystems
  by unmounting them, but also inhibits running newfs while the system is
  secured.

Check the kernel sources for more info. As an alternative, I can recommend
this book:

  title    : The Design and Implementation of the 4.4BSD Operating System
  author   : Marshall Kirk McKusick, Keith Bostic, Michael J. Karels and
             John S. Quarterman
  publisher: Addison-Wesley
  ISBN     : 0-201-54979-4

These security features (that just add up to other good things) make
4.4BSD OS'ses my platform of choice for building network firewalls on.

May the source be with you!

best regards,
--[ Edwin ]--
--
Edwin H. Kremer, systems- and network administrator. <edwin.kremer@cs.ruu.nl>
Dept. of Computer Science, Utrecht University, The Netherlands [WHOIS: ehk3]
-------------------- http://www.cs.ruu.nl/people/edwin/ -----------------------
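The three securelevel modes described in the post, encoded as a small policy model that answers "is this operation allowed at this level?" and "which level is needed to refuse these operations?". This is an added example, not code from the post or from the BSD kernel; the operation names and the treatment of levels above 2 as equivalent to 2 are assumptions of the model.

```python
"""Policy model of the 4.4BSD / FreeBSD kern.securelevel semantics as described
in the post above.  Added example; operation names are assumptions chosen here."""

# Operations the post says securelevel governs (names are this model's own).
OPS = (
    "clear_immutable_flag",  # remove an immutable or append-only flag from a file
    "write_raw_mounted",     # write the raw device of a mounted filesystem
    "write_raw_unmounted",   # write a raw device that is not mounted (e.g. newfs)
    "write_kmem",            # write /dev/mem or /dev/kmem
)


def effective_level(level: int) -> int:
    """-1 is 'permanent insecure mode' and behaves as level 0.
    The post describes no level above 2; this model treats 3+ as 2 (assumption)."""
    return max(0, min(level, 2))


def allowed(level: int, op: str) -> bool:
    """True if `op` is permitted (subject only to ordinary permission bits)."""
    if op not in OPS:
        raise ValueError(f"unknown operation: {op}")
    lvl = effective_level(level)
    if lvl == 0:
        return True                       # insecure mode: nothing extra is refused
    if op in ("clear_immutable_flag", "write_raw_mounted", "write_kmem"):
        return False                      # refused from level 1 upward
    return lvl < 2                        # write_raw_unmounted: refused only at 2


def minimum_level_to_deny(ops) -> int:
    """Lowest securelevel at which every operation in `ops` is refused."""
    ops = list(ops)
    for lvl in (0, 1, 2):
        if all(not allowed(lvl, op) for op in ops):
            return lvl
    raise ValueError("no level denies all of: " + ", ".join(ops))


def audit(reported_level: int, multiuser: bool) -> list:
    """Findings for a `sysctl kern.securelevel` reading, given the run mode.
    The post states the normal values: level 0 single-user, level 1 multi-user."""
    findings = []
    normal = 1 if multiuser else 0
    if reported_level == -1:
        findings.append("permanent insecure mode: kernel always runs as level 0")
    if effective_level(reported_level) < normal:
        findings.append(f"securelevel {reported_level} is below the normal {normal} "
                        "for this run mode")
    return findings
```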