OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
FreeBSD Security Archives: Re: Init(8) cannot decrease securele

Re: Init(8) cannot decrease securelevel

KATO Takenori (katoganko.eps.nagoya-u.ac.jp)
Tue, 07 Sep 1999 14:00:16 +0900

Matthew Dillon <dillonapollo.backplane.com> wrote:

> I disagree quite strongly. DDB provides a mechanism to allow a
> sysadmin to obtain a greater amount of information from a panic
> situation then he could get otherwise. Being able to obtain this
> information does not run counter to running with a raised securelevel.
>
> If the system winds up in a state where a kernel core cannot be
> generated, DDB is the only way to figure out what is going on.
> securelevel is a mechanism which attempts to guarentee data security,
> at least to a degree. These two items do not clash.

If console works and crackers can use it, protecting securelevel from
DDB does not provide enough security. Though securelevel cannot be
changed,

        (1) Turn off power.
        (2) Boot as single-user mode.
        (3) Do what crackers want.

or

        (1) Turn off power.
        (2) Remove HDD.
        (3) Mount on another FreeBSD box.
        (4) Edit a file in the HDD.
        (5) Return HDD.
        (6) Reboot.

is available.

-----------------------------------------------+--------------------------+
KATO Takenori <katoganko.eps.nagoya-u.ac.jp> | FreeBSD |
Dept. Earth Planet. Sci, Nagoya Univ. | The power to serve! |
Nagoya, 464-8602, Japan | http://www.FreeBSD.org/ |
++++ FreeBSD(98) 3.2: Rev. 01 available! |http://www.jp.FreeBSD.org/|
++++ FreeBSD(98) 2.2.8: Rev. 02 available! +==========================+

To Unsubscribe: send mail to majordomoFreeBSD.org
with "unsubscribe freebsd-security" in the body of the message

This archive was generated by hypermail 2.0b3 on Tue Sep 07 1999 - 00:06:50 CDT