Subject: Re: [ADVISORY] 4.4BSD Securelevels (fwd)
To: None <thorpej@nas.nasa.gov>
From: Andrew Brown <codewarrior@daemon.org>
List: current-users
Date: 06/26/1997 00:26:21
> > should we also consider that if you can get console access to a
> > machine that has ddb in the kernel, it's trivial to set the
> > securelevel to something arbitrary?
>
>I think that's a fairly well-known thing :-) If you can get access to
>the console, the system isn't all that secure, anyhow. Heck, removing
>the power cord is an effective DOS attack :-)
let's not be too kind, after all, *running* dos is an effective dos
attack. :P
>If you are in a situation where you have to grant console access, common
>sense would tell you to not allow access to the kernel debugger... I
>really doubt it warrants an advisory :-)
i was just musing over the security of the securelevel when i came up
with this one. in case you really care, tiny patches to four ddb
files (unfortunately i have only 1.2 at home) will render the
securelevel variable readonly. somewhat. okay, so it was a five
minute hack job, but at least it now says "(readonly)" when i attempt
to do "write securelevel 0".
--
|-----< "CODE WARRIOR" >-----|
andrew@echonyc.com (TheMan) * "ah! i see you have the internet
codewarrior@daemon.org that goes *ping*!"
warfare@graffiti.com * "information is power -- share the wealth."