Subject: Re: kern/1967: securelevel should be patchable
To: James da Silva <>
From: Matthieu Herrb <>
List: netbsd-bugs
Date: 01/23/1996 23:25:16
You wrote (in your message from Tue 23)
 >  Jason Thorpe <>:
 >  > > I imagine that the current practice of putting it in the bss was done 
 >  > > specifically to prevent what you'd like to be able to do :-)
 >  Gordon Ross <>:
 >  > Perhaps, but that's a false security.
 >  > If I can modify the kernel, i'm in!
 > Yes!  Securelevel can be patched with a trivial program even when originally
 > in bss.  The kernel needs to be immutable to avoid this.

And so need the 'rc' scripts. If you can modify them, you can load a
LKM that patches securelevel or otherwise defeats it (like the i386
XFree86 aperture driver that I wrote...). 

I've allways thought that really enabling the 'securelevel 1' feature
is too constraining for the average users.