search for: securelevel

Displaying 20 results from an estimated 39 matches for "securelevel".

1996 Nov 18
1
Chattr +i and securelevel
has anyone played with the securelevel variable in the kernel and the immutable flags in the ext2 file system? The only way I have found to change the flag is by patching sched.c from int securelevel=0 to int securelevel=1 The sysctrl code seems to allow the setting of the flag only by init (PID=1) and only upwards (0->1, etc). T...
2004 Feb 11
5
Question about securelevel
I've read about securelevel in the mailing list archive, and found some pitfalls (and seems to me to be discarded soon). But according to me, the following configuration should offer good security: - mount root fs read only at boot; - set securelevel to 3; - do not permit to unmount/remount root fs read-write (now it is...
2004 May 28
2
X & securelevel=3
running (4-Stable) Hi, short form question: how does one run XDM under securelevel>0 ? long version: i've searched for an answer on how to run Xfree/Xorg at a securelevel the X server likes access to /dev/io and some other resources but is not granted access after security is switched on. one way of doing it seems to be to start it before setting the securelevel, but then...
1998 May 23
7
Re: Re: Re: Bind Overrun Bug and Linux (fwd)
> > systems which no longer seem to have this. This file contained an archive of > > the trojan's that were inserted into the compromised system - does anybody know > > what is in these trojans? > > Check the Linux RootKit ... (LRK).. > > Typically LRK to use config-files.. (and typically LRK-users to place > files in /dev.. find /dev -type f | grep -v
2006 Mar 01
3
Remote Installworld
I'm currently administering a machine about 1500mi from me with nobody local to the machine to assist me. Anyways, my only access to this machine is via SSH, no remote serial console or anything. When I try to do a "make installworld" I end up with install: rename: /lib/INS@aTxk to /lib/libcrypt.so.3: Operation not permitted very shortly thereafter. I cannot boot
1998 Mar 12
2
FreeBSD Security Advisory: FreeBSD-SA-98:02.mmap
...Due to a 4.4BSD VM system problem, it is possible to memory-map a read-only descriptor to a character device in read-write mode. III. Impact The hole can be used by members of group kmem to gain superuser privileges. It also allows the superuser to lower the system securelevel. IV. Workaround No workaround is known. V. Solution Apply one of the following patches, rebuild your kernel, install it and reboot your system. The patches below can be found on ftp://ftp.freebsd.org/pub/CERT/patches/SA-98:02/ Patch for 3.0-current systems: I...
2004 Sep 29
5
Kernel-loadable Root Kits
Thanks for the module, I think it's a good idea to commit it to FreeBSD for a few reasons: 1) Some folks just prefer more static kernels. 2) Securelevel is a great thing, but can be a pain to do upgrades around remotely. [A lot of folks use FreeBSD simply because it's a breeze to run remotely]. 3) Until someone writes code to add modules to a kernel via /dev/mem and releases it to the script kiddie world, the bar has been effectively raised for...
2010 Sep 06
2
MSIX failure
Hi all, I moved from 8.0-RELEASE to last week's -STABLE: $ uname -v FreeBSD 8.1-STABLE #0: Thu Sep 2 16:38:02 SAST 2010 root@XXXXX:/usr/obj/usr/src/sys/GENERIC and all seems well except my network card is unusable. On boot up: em0: <Intel(R) PRO/1000 Network Connection 7.0.5> port 0x3040-0x305f mem 0xe3200000-0xe321ffff,0xe3220000-0xe3220fff irq 10 at device 25.0 on pci0 em0: Setup
2000 Dec 18
0
FreeBSD Security Advisory: FreeBSD-SA-00:77.procfs
...virtual machine, can overflow a buffer in the kernel and bypass access control checks placed on the abilities of the superuser. These include the ability to "break out" of the jail environment (jail is often used as a compartmentalization tool for security purposes), to lower the system securelevel without requiring a reboot, and to introduce new (possibly malicious) code into the kernel on systems where loading of KLDs (kernel loadable modules) has been disabled. III. Impact 1) On vulnerable FreeBSD 4.x systems where procfs is mounted, unprivileged local users can obtain root privileges....
2003 May 24
1
ipfirewall(4)) cannot be changed
...nte /root cuaa1# man init |tail -n 130 |head -n 5 3 Network secure mode - same as highly secure mode, plus IP packet filter rules (see ipfw(8) and ipfirewall(4)) cannot be changed and dummynet(4) configuration cannot be adjusted. root@vigilante /root cuaa1# sysctl -a |grep secure kern.securelevel: 3 root@vigilante /root cuaa1# ipfw show 00100 0 0 allow ip from any to any via lo0 00200 0 0 deny ip from any to 127.0.0.0/8 00300 0 0 deny ip from 127.0.0.0/8 to any 65535 44 3648 deny ip from any to any root@vigilante /root cu...
2004 Jun 07
1
freebsd-security Digest, Vol 61, Issue 3
...> > You can reach the person managing the list at > freebsd-security-owner@freebsd.org > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of freebsd-security digest..." > > > Today's Topics: > > 1. X & securelevel=3 (bofn) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Sat, 29 May 2004 05:43:23 +0200 > From: "bofn" <bofn@irq.org> > Subject: X & securelevel=3 > To: freebsd-security@freebsd.org > Message-ID:...
2003 May 09
2
Problem installing kernel in single usermode
Hi, I'm running 4.8-STABLE but I'm having some problems installing a new kernel. (in /usr/src make installkernel). mv /kernel /kernel.old operation not permitted My securelevel is currently set to -1 (kern_securelevel=-1) and kern_securelevel_enable="NO" I have already executed chflags noschg /kernel and /kernel.old (while in single user mode). What am I missing? Thanks. -------------- next part -------------- A non-text attachment was scrubbed... Name: smime....
1996 Nov 21
2
Re: BOUNCE: Re: Chattr +i and securelevel
Alexander O. Yuriev wrote: > > Your message dated: Wed, 20 Nov 1996 18:04:39 EST > > >has anyone played with the securelevel variable in the kernel and the > > >immutable flags in the ext2 file system? > > > > Yes, and it's actually quite nice. > > > > >The sysctrl code seems to allow the setting of the flag > > >only by init (PID=1) and only upwards (0->1, etc). > >...
2004 Dec 16
2
Strange command histories in hacked shell server
...tamiraad drwxr-xr-x 6 tsgan tsgan 1024 Dec 16 17:51 tsgan drwx------ 4 tugstugi unix 512 Dec 13 20:34 tugstugi drwxr-xr-x 5 unix unix 512 Dec 13 12:37 unix ... User should log on as new with password new to create an account. Accounting is enabled and kern.securelevel is set to 2. Only one account 'tsgan' is in wheel group and only tsgan can become root using su. Following is some strange output from grave-robber (coroner toolkit): ... Dec 13 04 20:18:40 5 m.c -rw-rw---- tugstugi smmsp /var/spool/clientmqueue/dfiBDCIeD0001529 Dec 13 04 2...
2011 Nov 16
1
Starting X11 with kernel secure level greater than -1/0.
Hi, is there any chance (if yes, how to do this?) to use the xf86 driver which "provides access to the memory and I/O ports of a VGA board and to the PCI configuration registers for use by the X servers when running with a kernel security level greater than 0" in FreeBSD*? Then it will be possible to start X environment with a kernel secure level > 0, right? Normally it is impossible
1997 May 25
5
signing syslog files with PGP
I am thinking about writing some sort of daemon which signs syslog files with PGP. This should help detecting unauthorised changes in the syslog files. What I have in mind works as follows: Whenever a new line is added to a syslog file the existing syslog file is checked against the previously made signature. If the file passes this test, the new line(s) is/are added. Then a new signature is
1996 Nov 14
1
Security hole in Debian 1.1 dosemu package
...eived: (from jimd@localhost) by antares.starshine.org (8.8.3/8.8.3) id QAA22488; Tue, 26 Nov 1996 16:53:20 -0800 From: Jim Dennis <jimd@starshine.org> Approved: alex@bach.cis.temple.edu Message-Id: <199611270053.QAA22488@antares.starshine.org> Subject: Re: [linux-security] chattr +i and securelevel To: linux-security@redhat.com Date: Tue, 26 Nov 1996 16:53:19 -0800 (PST) In-Reply-To: <199611210849.JAA00445@cave.et.tudelft.nl> from "Rogier Wolff" at Nov 21, 96 09:49:53 am Content-Type: text [Mod: Subject changed and a part about modules removed. Also, if people have comments,...
2004 Feb 29
2
procfs + chmod = no go
Hello, I was wondering if it was possible to limit user access on /proc without having to use securelevels. For some reason chmod 751 /proc (or 750) does nothing. Is this possible on FreeBSD 4.9 ? Can't find anything about it in the manual pages. Just want to prevent lusers from running: for file in /proc/*/cmdline; do cat $file; echo; done Greetz, Jimmy Scott
2006 Dec 06
2
FreeBSD Security Advisory FreeBSD-SA-06:25.kmem
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ============================================================================= FreeBSD-SA-06:25.kmem Security Advisory The FreeBSD Project Topic: Kernel memory disclosure in firewire(4) Category: core Module: sys_dev Announced:
2006 Jan 26
7
strange problem with ipfw and rc.conf
...ets (it uses default ruleset 65335 locking out everything). I have to do "sh /etc/ipfw.rules" in order to load the rulesets, once I did that, I can access the box from remote locations here is my rc.conf: host# more /etc/rc.conf network_interfaces="lo0 em0 dc0 rl0 plip0" kern_securelevel="2" kern_securelevel_enable="YES" linux_enable="YES" named_enable="YES" nisdomainname="NO" sshd_enable="YES" usbd_enable="YES" hostname="sis" tcp_keepalive="YES" tcp_extensions="YES" ifconfig_em0="...