Subject: Re: LKM's shouldn't be allowed to be loaded in multiuser mode.
To: Bakul Shah <email@example.com>
From: Ken Hornstein <firstname.lastname@example.org>
Date: 03/18/1995 22:37:25
>> you have to pay something for security. to have the concept of
>> securelevel, it means that you lose somethings that are otherwise
>> doable. this includes the ability to load extra modules as you
>> want. if you want to be able to do this, then you have to give
>> up the extra security that securelevel gives you. the ability to
>> load *any* random code into the kernel means you've got the
>> ability to do anything to the system. securelevel is supposed to
>> stop you from having that -- no write access to /dev/k?mem, or to
>> the disk devices while securelevel > 0.
>(I think) I understand the *concept* of securelevel; but to
>make your system really secure you also then have to
>disallow auto reboot of any sort because otherwise the bad
>guy can become root, change /etc/rc etc. and reboot such
>that the next time around securelevel is -1. You have to
>make sure the bad guy does not set things up so that his LKM
>is loaded the next time around because it can defeat
>securelevel by directly reading/writing memory. He can even
>modify the kernel binary to change securelevel. I am sure
>there are many other nasty things one can find to do **if
>you assume one can somehow become root**.
I believe that in a secure environment you should make the kernel and the
/etc/rc* files immutable, so even if a bad guy does get root they can't modify
these files. Unfortunately, that does make it so you have to go to single
user to modify these files, which can be a drag at times.
Disclaimer: I run at securelevel = -1, for a couple of reasons.