Subject: Re: security sysctl? (was: r/o filesystem restrictions for firewall?)
To: None <tls@rek.tjls.com>
From: None <jchacon@genuity.net>
List: tech-kern
Date: 10/25/2000 21:14:11
Does securelevel 2 prevent you from mounting any new devices as well?

i.e. can I vnconfig and mount that file?

James

>
>On Wed, Oct 25, 2000 at 08:39:00AM +0200, Thomas Michael Wanka wrote:
>> On 24 Oct 2000, at 15:01, Allen Briggs wrote:
>> 
>> > Downgrading from highly secure mode to insecure mode (that is, to
>> > single-user mode) always requires the root password to be entered
>> > on the console, whether the console is marked as 'secure' in
>> > /etc/ttys or not.
>> 
>> Hi,
>> 
>> I thought a reboot into single-user mode was necessary.
>
>No, it's not; you can "kill 1" or "shutdown now" and drop to
>single-user mode with a shell on the console, but you won't get
>anywhere without entering the root password at that point.
>
>The intention is to enable you to build a device such as an embedded
>boot-from-flash router (the specific application I did this work
>for, in fact) that may have its serial console hooked up to a
>network somehow, e.g. by a console server; you *don't* want an
>attacker to be able to drop the machine from multiuser to singleuser
>mode (where securelevel = 0) and get a root shell, but you *do*
>want to be able to administer the damned thing, and you may not be
>*able* to reboot it in all cases (if you drop it to singleuser
>mode, it probably keeps routing packets.  If you reboot it, your
>network may develop a serious case of the hiccups).  Ergo, the
>present solution.
>
>The machines I did this work on ran at securelevel 2 with all
>filesystems mounted either read-only or (/tmp and bits of /var)
>read-write nodev nosuid noexec, so even if you get a root shell
>you probably can't get a new executable to run.  (Thus the "filesystems
>cannot be remounted" rule.) They had ipf rules that ensured that
>even if an attacker got onto the box somehow, he couldn't get
>packets *out* of it in a way that would disrupt any other services
>on the local network.  (Thus the "can't change the ipf lists" rule.)
>They boot from CompactFlash cards (16MB) and provide nameservice,
>NTP service, an authenticating SSH gateway, and various other
>proxy-type services to the "inside" corporate network of one of my
>larger clients.  I did leave them tools to build new flash images
>but they don't seem to have remembered how to use them; no matter,
>almost two years later AFAIK the boxes are still running fine with
>no security problems as yet.
>
>-- 
>Thor Lancelot Simon	                                      tls@rek.tjls.com
>	the effort to perceive simply the cruel radiance of what is
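The mount profile Thor describes above (everything read-only, or read-write only with nodev, nosuid and noexec) is easy to drift away from over time. The following is an added example, not code from this thread or from NetBSD: a small POSIX sh audit that reads mount(8)-style output and reports every read-write filesystem that lacks any of those three flags. The sample lines are constructed to resemble NetBSD's `device on mountpoint type fs (opts)` format; that format and the option names are assumptions, so adjust the two sed expressions if your mount prints something different.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): flag read-write
# filesystems that are missing nodev/nosuid/noexec, the profile described
# for /tmp and parts of /var on a securelevel-2 appliance.

# Constructed sample lines in the assumed NetBSD mount(8) output format.
# In practice you would feed the real output:  mount | audit_mounts
SAMPLE_MOUNTS='/dev/wd0a on / type ffs (local, read-only)
/dev/wd0e on /tmp type ffs (local, nodev, noexec, nosuid)
/dev/wd0f on /var type ffs (local, nodev, nosuid)
/dev/wd0g on /usr/local type ffs (local)
kernfs on /kern type kernfs (local, read-only)'

# has_opt "<comma-separated option list>" "<option>": succeed if present.
# Spaces are stripped so "nodev, noexec" and "nodev,noexec" both work.
has_opt() {
    case ",$(printf '%s' "$1" | tr -d ' ')," in
        *",$2,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_mounts: read mount lines on stdin; for each filesystem that is not
# read-only, print "<mountpoint>: read-write, missing <flags>" when any of
# nodev/nosuid/noexec is absent. Compliant filesystems print nothing.
audit_mounts() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        # mount point sits between " on " and " type "; options are in ( ).
        mnt=$(printf '%s' "$line" | sed 's/^.* on \(.*\) type .*$/\1/')
        opts=$(printf '%s' "$line" | sed 's/^.*(\(.*\))$/\1/')
        has_opt "$opts" read-only && continue
        missing=""
        for o in nodev nosuid noexec; do
            has_opt "$opts" "$o" || missing="$missing $o"
        done
        [ -z "$missing" ] || printf '%s: read-write, missing%s\n' "$mnt" "$missing"
    done
}

# Run against the constructed sample when executed directly.
printf '%s\n' "$SAMPLE_MOUNTS" | audit_mounts
```

On the sample input this reports /var (no noexec) and /usr/local (no nodev, nosuid or noexec) and stays silent for the read-only roots and the correctly flagged /tmp. Running it from cron and diffing against a known-good report is a cheap way to notice that a remount or a new filesystem has weakened the profile.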