Subject: defeat securelevel
To: None <>
From: Roland McGrath <>
List: current-users
Date: 06/21/1994 21:16:46
If there is anyone else left in the world who would rather be insecure
than constantly annoyed, here is a loadable kernel module to set
securelevel to -1.  It actually provides a modicum of security in that
it refuses to be loaded when securelevel > 0 (so put it in /etc/rc.local).

Compile it with:

    cc -O2 -c -I/sys defeat-securelevel.c -o /etc/defeat-securelevel.o

and then put this in /etc/rc.local:

    modload -e insecure -o /etc/defeat-securelevel /etc/defeat-securelevel.o

You can unload it at any time with "modunload -n defeat-securelevel".
This will reset the securelevel to 0 (which you can also do with
sysctl).  (The only difference is that if you go to single user and
back, init will increase a securelevel of 0 to 1 but leave -1


/* Trivial loadable kernel module to defeat the "kernel security level".

   Written 21 Jun 94 by Roland McGrath.
   The author places this file in the public domain.

   The module can only be loaded at security level 0 (single user,
   /etc/rc); it does nothing but set the security level to -1.  It can
   be unloaded at any time, which will reset the level to 0 if it is
   still -1.  */

#define KERNEL
#include <sys/param.h>
#include <sys/systm.h>
#include <sys/conf.h>
#include <sys/exec.h>
#include <sys/lkm.h>

MOD_MISC ("defeat-securelevel")

static int
module_handle (struct lkm_table *lkmtp, int cmd)
  struct lkm_misc *args = lkmtp->private.lkm_misc;

  switch (cmd)
    case LKM_E_LOAD:
      if (lkmexists (lkmtp))
	return EEXIST;
      if (securelevel > 0)
	return EPERM;
      securelevel = -1;
      return 0;

    case LKM_E_UNLOAD:
      if (securelevel < 0)
	securelevel = 0;
      return 0;

      return EINVAL;

insecure (struct lkm_table *lkmtp,
	  int cmd,
	  int ver)