Subject: Re: security sysctl? (was: r/o filesystem restrictions for firewall?)
To: None <email@example.com>
From: None <firstname.lastname@example.org>
Date: 10/25/2000 21:14:11
Does securelevel 2 prevent you from mounting any new devices as well?
i.e. can I vnconfig and mount that file?
>On Wed, Oct 25, 2000 at 08:39:00AM +0200, Thomas Michael Wanka wrote:
>> On 24 Oct 2000, at 15:01, Allen Briggs wrote:
>> > Downgrading from highly secure mode to insecure mode (that is,
>> > to
>> > single-user mode) always requires the root password to be
>> > entered
>> > on the console, whether the console is marked as 'secure'
>> > in /etc/ttys or not.
>> I thought a reboot into single-user mode was necessary.
>No, it's not; you can "kill 1" or "shutdown now" and drop to
>single-user mode with a shell on the console, but you won't get
>anywhere without entering the root password at that point.
>The intention is to enable you to build a device such as an embedded
>boot-from-flash router (the specific application I did this work
>for, in fact) that may have its serial console hooked up to a
>network somehow, e.g. by a console server; you *don't* want an
>attacker to be able to drop the machine from multiuser to singleuser
>mode (where securelevel = 0) and get a root shell, but you *do*
>want to be able to administer the damned thing, and you may not be
>*able* to reboot it in all cases (if you drop it to singleuser
>mode, it probably keeps routing packets. If you reboot it, your
>network may develop a serious case of the hiccups). Ergo, the
>The machines I did this work on ran at securelevel 2 with all
>filesystems mounted either read-only or (/tmp and bits of /var)
>read-write nodev nosuid noexec, so even if you get a root shell
>you probably can't get a new executable to run. (Thus the "filesystems
>can not be remounted" rule) They had ipf rules that ensured that
>even if an attacker got onto the box somehow, he couldn't get
>packets *out* of it in a way that would disrupt any other services
>on the local network. (Thus the "can't change the ipf lists" rule)
>They boot from CompactFlash cards (16MB) and provide nameservice,
>NTP service, an authenticating SSH gateway, and various other
>proxy-type services to the "inside" corporate network of one of my
>larger clients. I did leave them tools to build new flash images
>but they don't seem to have remembered how to use them; no matter,
>almost two years later AFAIK the boxes are still running Fine with
>no security problems as yet.
>Thor Lancelot Simon email@example.com
> the effort to perceive simply the cruel radiance of what is