Subject: Re: LKM's shouldn't be allowed to be loaded in multiuser mode.
To: Bakul Shah <bakul@netcom.com>
From: Ken Hornstein <kenh@cmf.nrl.navy.mil>
List: tech-kern
Date: 03/18/1995 22:37:25
>> you have to pay something for security.  to have the concept of
>> securelevel, it means that you lose some things that are otherwise
>> doable.  this includes the ability to load extra modules as you
>> want.  if you want to be able to do this, then you have to give
>> up the extra security that securelevel gives you.  the ability to
>> load *any* random code into the kernel means you've got the
>> ability to do anything to the system.  securelevel is supposed to
>> stop you from having that -- no write access to /dev/k?mem, or to
>> the disk devices while securelevel > 0.
>
>(I think)  I understand the *concept* of securelevel; but to
>make your system really secure you also then have to
>disallow auto reboot of any sort because otherwise the bad
>guy can become root, change /etc/rc etc. and reboot such
>that the next time around securelevel is -1.  You have to
>make sure the bad guy does not set things up so that his LKM
>is loaded the next time around because it can defeat
>securelevel by directly reading/writing memory.  He can even
>modify the kernel binary to change securelevel.  I am sure
>there are many other nasty things one can find to do **if
>you assume one can somehow become root**.

I believe that in a secure environment you should make the kernel and the
/etc/rc* files immutable, so even if a bad guy does get root they can't modify
these files.  Unfortunately, that does make it so you have to go to single
user to modify these files, which can be a drag at times.

Disclaimer: I run at securelevel = -1, for a couple of reasons.

--Ken
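An added example, not part of the 1995 thread or any BSD's own tooling, of the hardening step Ken describes: auditing the kernel and /etc/rc* for the BSD system-immutable flag (schg) and emitting the chflags commands that would lock whatever is unprotected. The paths /netbsd, /etc/rc and /etc/rc.local, and the listing it audits, are assumptions; it reads `ls -lo` text on stdin (BSD ls prints the file flags in the fifth column, "-" when none are set), so it runs offline on the constructed sample below without touching a real filesystem.

```shell
#!/bin/sh
# Added example (not from the original thread): audit the files Ken says
# should be immutable and emit the chflags commands that would lock them.
#
# Assumptions: BSD ls(1) with -o, which prints file flags in column 5
# ("-" when none are set); the kernel lives at /netbsd (NetBSD convention);
# the rc scripts are /etc/rc and /etc/rc.local.  Nothing here touches the real
# filesystem: the audit reads `ls -lo` text on stdin.

# Files Ken's message says should be immutable (paths are an assumption).
CRITICAL_FILES="/netbsd /etc/rc /etc/rc.local"

# Constructed sample of `ls -lo $CRITICAL_FILES` output for a half-hardened box:
# /etc/rc already has schg, /etc/rc.local only has the *user* immutable flag
# (uchg, which root can clear at any securelevel), and the kernel has none.
SAMPLE_LS_LO='-rwxr-xr-x  1 root  wheel  schg,nodump  3244 Mar 18  1995 /etc/rc
-rw-r--r--  1 root  wheel  uchg          512 Mar 18  1995 /etc/rc.local
-rwxr-xr-x  1 root  wheel  -         1234567 Mar 18  1995 /netbsd'

# missing_immutable_flag: read `ls -lo` lines on stdin, print the path of each
# entry whose flags column (field 5) lacks "schg".  uchg is deliberately not
# accepted: only the *system* immutable flag is protected by securelevel.
missing_immutable_flag() {
    awk '$5 !~ /(^|,)schg(,|$)/ { print $NF }'
}

# lock_commands: turn a list of paths (one per line on stdin) into the chflags
# invocations that set the system immutable flag.  Printed, not run, so an
# operator can review them (or pipe them into sh when ready).
lock_commands() {
    while IFS= read -r path; do
        if [ -n "$path" ]; then
            printf 'chflags schg %s\n' "$path"
        fi
    done
}

# securelevel_permits_noschg: succeed (exit 0) if the given kern.securelevel
# value still allows `chflags noschg`, i.e. securelevel <= 0.  At 1 or above
# the flag can only be cleared after dropping to single user, which is the
# "drag" Ken mentions and also the point: an attacker who gets root cannot
# edit /etc/rc in place and reboot into securelevel -1.
securelevel_permits_noschg() {
    [ "$1" -le 0 ]
}

# audit_report: complete run over one `ls -lo` listing on stdin, printing what
# is unprotected and the commands that would fix it.
audit_report() {
    missing=$(missing_immutable_flag)
    if [ -z "$missing" ]; then
        echo "all critical files carry schg"
    else
        echo "files missing schg:"
        printf '%s\n' "$missing"
        echo "to lock them:"
        printf '%s\n' "$missing" | lock_commands
    fi
}

# Stand-alone demonstration on the constructed sample; on a real NetBSD host
# you would instead run:  ls -lo $CRITICAL_FILES | audit_report
printf '%s\n' "$SAMPLE_LS_LO" | audit_report
```

The audit accepts only schg, not uchg, because the user immutable flag can be cleared by root regardless of securelevel, so it gives none of the protection the thread is discussing; and the chflags commands are printed rather than executed so that the operator sees exactly which files will need a trip to single user to change again.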