Re: kern.securelevel and X
Antoine Beaupre (beaupran IRO.UMontreal.CA)
Fri, 15 Oct 1999 12:53:39 -0400 (EDT)
The reference is man init:
"
The kernel runs with four different levels of security. Any superuser
process can raise the security level, but only init can lower it. The
security levels are:

-1    Permanently insecure mode - always run the system in level 0 mode.
      This is the default initial value.

0     Insecure mode - immutable and append-only flags may be turned off.
      All devices may be read or written subject to their permissions.

1     Secure mode - the system immutable and system append-only flags may
      not be turned off; disks for mounted filesystems, /dev/mem, and
      /dev/kmem may not be opened for writing.

2     Highly secure mode - same as secure mode, plus disks may not be
      opened for writing (except by mount(2)) whether mounted or not.
      This level precludes tampering with filesystems by unmounting them,
      but also inhibits running newfs(8) while the system is multi-user.

3     Network secure mode - same as highly secure mode, plus IP packet
      filter rules (see ipfw(8) and ipfirewall(4)) can not be changed
      and dummynet configuration can not be adjusted.
" (by the web manpages, 3.1-release)
So that's exactly it. X cannot write to mem or kmem.
I thought this was in securelevel 2, though.
I guess there is no way to run X in secure level > 0, right?
--- Big Brother told Mike Nowlin to write, at 00:39 of October 15:
>
> > Why I can't start X with kern.securelevel more than -1?
> >
> > When I attempt start X with kern.securelevel 1 or 2, startx crashed with
> > "KBENBIO (or like that): Operation not permitted"
>
> It's been a while since I read something about this, but let's see how
> good my memory is -- corrections welcomed.... :)
>
> When running with a >0 securelevel, X can't access the video memory due to
> security restrictions (probably something about letting a non-kernel
> process access any kind of I/O or memory port directly), so the X server
> can't talk to the video card -- boom.
>
> Am I right?
>
> mike
>
> To Unsubscribe: send mail to majordomo FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
--
If the image gives the illusion of knowing,
it is because the adage claims that, to believe,
the important thing would be only to see.
Lofofora
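
An added example, not part of the original message or of FreeBSD itself: a small C probe that reads kern.securelevel and tries to open /dev/mem and /dev/kmem for writing, the operation the init(8) text quoted above says is refused from level 1 upward. The function names are hypothetical; sysctlbyname(3) is assumed to be available (FreeBSD), and on other systems the level is reported as unavailable.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/types.h>
#include <sys/sysctl.h>
#endif

/* Returns 0 if path can be opened for writing, otherwise the errno set by
 * open(2). Nothing is written; the descriptor is closed immediately. */
int probe_write_open(const char *path)
{
    int fd = open(path, O_WRONLY);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Reads kern.securelevel into *level. Returns 0 on success, -1 when the
 * sysctl cannot be read (including on non-FreeBSD systems). */
int read_securelevel(int *level)
{
#ifdef __FreeBSD__
    size_t len = sizeof(*level);
    return sysctlbyname("kern.securelevel", level, &len, NULL, 0) == 0 ? 0 : -1;
#else
    (void)level;
    return -1;
#endif
}

int main(void)
{
    const char *devs[] = { "/dev/mem", "/dev/kmem" };
    int level;

    if (read_securelevel(&level) == 0)
        printf("kern.securelevel = %d\n", level);
    else
        printf("kern.securelevel not available on this system\n");

    for (size_t i = 0; i < sizeof(devs) / sizeof(devs[0]); i++) {
        int err = probe_write_open(devs[i]);
        printf("%-10s open for writing: %s\n", devs[i],
               err ? strerror(err) : "allowed");
    }
    return 0;
}
```

Run it as root so that ordinary file permissions are not what causes the refusal; a refusal for root is then the securelevel restriction at work.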
This archive was generated by hypermail 2.0b3 on Fri Oct 15 1999 - 11:53:42 CDT