Subject: kern/17601: securelevel modification trough keybindings
To: None <>
From: Julio Merino <>
List: netbsd-bugs
Date: 07/15/2002 13:02:55
>Number:         17601
>Category:       kern
>Synopsis:       securelevel modification trough keybindings
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    kern-bug-people
>State:          open
>Class:          change-request
>Submitter-Id:   net
>Arrival-Date:   Mon Jul 15 04:02:01 PDT 2002
>Originator:     Julio Merino
>Release:        NetBSD 1.6D
System: NetBSD darkstar.local 1.6D NetBSD 1.6D (DARKSTAR) #40: Mon Jul 15 01:04:09 CEST 2002 jmmv@darkstar.local:/var/build/kernel/DARKSTAR i386
Architecture: i386
Machine: i386
	The following patch adds two new commands to the wskbd device. These
	commands, called SecurelevelUp and SecurelevelDown can be used to
	increase/decrease the securelevel trought the keyboard of a machine,
	from multiuser mode. They are bind to CTRL+ALT+F11/F12 by default on
	systems which use the pckbc device (wscons).

	First, talk about security considerations. You know, if anybody can
	have *physical* access to a machine, that machine won't be *secure*.
	Thus, this feature is not a big security hole as it is only useful if
	you have access to the machine keyboard. Also note that it has been
	made to be completely optional, that is, it only works if you enable
	WSKBD_DYNAMIC_SECURELEVEL in your kernel (disabled by default).

	Now you may ask... why is this useful? Well, consider a machine
	without monitor and without a serial console (you have no other
	machine close to it) but it can have a keyboard; this is my
	situation. I currently run the system in securelevel 1, but it's not
	of much use because I do not use schg flags or other "protected"
	things by this securelevel. Now, think you start changing flags and
	you protect the /netbsd kernel, mount some filesystems read only...
	How can you update your system? Or replace your kernel? The easiest
	way is to change the securelevel in rc.conf, *reboot*, do your
	changes, modify again rc.conf for the next boot, and change the
	securelevel by hand with sysctl. OTOH, you would take a monitor, plug
	it, boot in single user mode, do changes, reboot... Quite slow, eh?

	The solution I propose is this. You prepare everything for the
	upgrade trough the network (ssh), go to the system keyboard, press
	CTRL+ALT+F12 to decrease the securelevel, return to your ssh session,
	update things, use sysctl to return to the old securelevel (or use
	CTRL+ALT+F11). This should not be a security problem, and it's
	specially useful for "home" servers (like mine). And no reboots or
	boots to single user mode!

	It seems to me that this feature is more useful that a problem.

	SecurelevelUp is just provided for completeness... increasing the
	securelevel is always possible with sysctl.


Index: arch/i386/conf/GENERIC
RCS file: /cvsroot/syssrc/sys/arch/i386/conf/GENERIC,v
retrieving revision 1.501
diff -u -u -r1.501 GENERIC
--- GENERIC	2002/07/10 08:37:40	1.501
+++ GENERIC	2002/07/15 10:35:47
@@ -208,6 +208,8 @@
 # if you want a really secure system, it may be better not to enable them,
 # see wsmoused(8), section SECURITY CONSIDERATIONS for more info.
 #options 	WSDISPLAY_CHARFUNCS		# mouse console support
+# allow securelevel change trough keybindings (CTRL+ALT+(F11/F12))
 # Kernel root file system and dump configuration.
 config		netbsd	root on ? type ?
Index: dev/pckbc/wskbdmap_mfii.c
RCS file: /cvsroot/syssrc/sys/dev/pckbc/wskbdmap_mfii.c,v
retrieving revision 1.24
diff -u -u -r1.24 wskbdmap_mfii.c
--- wskbdmap_mfii.c	2002/06/20 21:03:19	1.24
+++ wskbdmap_mfii.c	2002/07/15 10:36:12
@@ -39,6 +39,8 @@
 #include <sys/cdefs.h>
 __KERNEL_RCSID(0, "$NetBSD: wskbdmap_mfii.c,v 1.24 2002/06/20 21:03:19 bouyer Exp $");
+#include "opt_wskbd_cmds.h"
 #include <sys/types.h>
 #include <dev/wscons/wsksymdef.h>
 #include <dev/wscons/wsksymvar.h>
@@ -131,8 +133,13 @@
     KC(81), 			KS_KP_Next,	KS_KP_3,
     KC(82), 			KS_KP_Insert,	KS_KP_0,
     KC(83), 			KS_KP_Delete,	KS_KP_Decimal,
-    KC(87), 			KS_f11,
-    KC(88), 			KS_f12,
+    KC(87),  KS_Cmd_SecurelevelUp, KS_f11,
+    KC(88),  KS_Cmd_SecurelevelDown, KS_f12,
+    KC(87),			KS_f11,
+    KC(88),  			KS_f12,
     KC(127),			KS_Pause, /* Break */
     KC(156),			KS_KP_Enter,
     KC(157),			KS_Control_R,
Index: dev/wscons/files.wscons
RCS file: /cvsroot/syssrc/sys/dev/wscons/files.wscons,v
retrieving revision 1.27
diff -u -u -r1.27 files.wscons
--- files.wscons	2002/07/02 12:59:39	1.27
+++ files.wscons	2002/07/15 10:36:14
@@ -24,6 +24,7 @@
 defparam opt_wsdisplay_compat.h	WSCOMPAT_USL_SYNCTIMEOUT
+defflag opt_wskbd_cmds.h	WSKBD_DYNAMIC_SECURELEVEL
 # this loses, but there's no way to define attributes which have attributes
 device	wsdisplay #tty?
Index: dev/wscons/wskbd.c
RCS file: /cvsroot/syssrc/sys/dev/wscons/wskbd.c,v
retrieving revision 1.61
diff -u -u -r1.61 wskbd.c
--- wskbd.c	2002/03/17 19:41:06	1.61
+++ wskbd.c	2002/07/15 10:36:15
@@ -88,6 +88,7 @@
 #include "opt_ddb.h"
 #include "opt_kgdb.h"
 #include "opt_wsdisplay_compat.h"
+#include "opt_wskbd_cmds.h"
 #include "wsdisplay.h"
 #include "wskbd.h"
@@ -1383,6 +1384,23 @@
 				    ksym == KS_Cmd_ContrastRotate ? 1 : 0);
 		return (1);
+	case KS_Cmd_SecurelevelUp:
+		if (securelevel > 0) {
+			securelevel--;
+			printf("wskbd: decreased securelevel to %d\n",
+			    securelevel);
+		}
+		return (1);
+	case KS_Cmd_SecurelevelDown:
+		if (securelevel < 2) {
+			securelevel++;
+			printf("wskbd: increased securelevel to %d\n",
+			    securelevel);
+		}
+		return (1);
 	return (0);
Index: dev/wscons/wsksymdef.h
RCS file: /cvsroot/syssrc/sys/dev/wscons/wsksymdef.h,v
retrieving revision 1.45
diff -u -u -r1.45 wsksymdef.h
--- wsksymdef.h	2002/04/23 13:42:46	1.45
+++ wsksymdef.h	2002/07/15 10:36:15
@@ -434,6 +434,8 @@
 #define KS_Cmd_ContrastUp	0xf429
 #define KS_Cmd_ContrastDown	0xf42a
 #define KS_Cmd_ContrastRotate	0xf42b
+#define KS_Cmd_SecurelevelUp	0xf42c
+#define KS_Cmd_SecurelevelDown	0xf42d