Subject: Re: kern/1967: securelevel should be patchable
To: James da Silva <email@example.com>
From: Matthieu Herrb <firstname.lastname@example.org>
Date: 01/23/1996 23:25:16
You wrote (in your message from Tue 23)
> Jason Thorpe <email@example.com>:
> > > I imagine that the current practice of putting it in the bss was done
> > > specifically to prevent what you'd like to be able to do :-)
> Gordon Ross <firstname.lastname@example.org>:
> > Perhaps, but that's a false security.
> > If I can modify the kernel, I'm in!
> Yes! Securelevel can be patched with a trivial program even when originally
> in bss. The kernel needs to be immutable to avoid this.
And so need the 'rc' scripts. If you can modify them, you can load an
LKM that patches securelevel or otherwise defeats it (like the i386
XFree86 aperture driver that I wrote...).
I've always thought that really enabling the 'securelevel 1' feature
is too constraining for the average user.