Subject: Solved: init(8) fails to raise securelevel
To: None <port-i386@netbsd.org>
From: Dr. Lex Wennmacher <wennmach@geo.Uni-Koeln.DE>
List: tech-security
Date: 01/15/1999 13:47:07

On Jan 12, 12:58pm, Dr. Lex Wennmacher wrote:
> Subject: init(8) fails to raise securelevel
> Hi,
>
> on my i386 NetBSD-1.3.3 system, init does not raise kern.securelevel when
> going multiuser (although the running kernel does not use `options INSECURE'):
>
> hal# grep INSECURE /usr/src/sys/arch/i386/conf/HAL
> #options        INSECURE        # disable kernel security levels
>
> (running multiuser:)
> hal# sysctl kern.securelevel
> kern.securelevel = 0
>
> Raising the securelevel by hand works:
> hal# sysctl -w kern.securelevel=1
> kern.securelevel: 0 -> 1

Solved (pilot error):

As last command in /etc/rc.local I started xdm:

if [ -f /usr/X11R6/bin/xdm ]; then
        echo -n ' xdm'
        /usr/X11R6/bin/xdm -nodaemon
fi

The `-nodaemon' option and a missing `&' cause xdm to not fork off into the
background. Thus rc.local and rc never return. init never finishes runcom() and
never runs multi_user(). Thus, the securelevel is never raised.

This might happen to others as well and is probably not always noted.

Followup to tech-security: I think that init should syslog() a warning if
/etc/rc does not return after an appropriate time.

-- 
Dr. Alexandre Wennmacher
Institut fuer Geophysik und Meteorologie         wennmach@geo.Uni-Koeln.DE
Universitaet zu Koeln                            phone  +49 221 470 - 3387
D-50923 Koeln                                    fax    +49 221 470 - 5198
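
An added example, not part of the original message: a post-boot audit for the
failure described above. It flags rc-script commands that use a
stay-in-foreground flag without a trailing `&' and checks that kern.securelevel
reached the expected value. The function names, the FG_FLAGS list and the
sample file are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; names and FG_FLAGS are assumptions, not from the post.
FG_FLAGS='-nodaemon'    # flags known to keep a program in the foreground

# Constructed sample: the rc.local fragment from the post, a commented-out
# copy, and a backgrounded copy.
sample_rc_local() {
    cat <<'EOF'
if [ -f /usr/X11R6/bin/xdm ]; then
        echo -n ' xdm'
        /usr/X11R6/bin/xdm -nodaemon
fi
# /usr/X11R6/bin/xdm -nodaemon
/usr/X11R6/bin/xdm -nodaemon &
EOF
}

# Print "file:line: command" for commands that use a foreground flag
# without a trailing '&'. Heuristic; it does not parse shell syntax.
find_blocking_cmds() {
    awk -v flags="$FG_FLAGS" '
        BEGIN { n = split(flags, f, " ") }
        /^[ \t]*#/ { next }                      # whole-line comment
        {
            line = $0
            sub(/[ \t]*#.*$/, "", line)          # trailing comment
            sub(/^[ \t]+/, "", line)
            sub(/[ \t]+$/, "", line)
            for (i = 1; i <= n; i++)
                if (index(line, f[i]) && line !~ /&$/) {
                    printf "%s:%d: %s\n", FILENAME, NR, line
                    break
                }
        }' "$1"
}

# Succeed if the securelevel is at least $1. $2 overrides the value
# read from the kernel.
securelevel_ok() {
    have=${2:-$(sysctl -n kern.securelevel 2>/dev/null)}
    [ -n "$have" ] && [ "$have" -ge "$1" ]
}

# Report both findings; pipe the output to logger(1) from cron.
boot_audit() {
    securelevel_ok "$1" || echo "kern.securelevel is below $1"
    find_blocking_cmds "$2"
}
```

Run after boot, for instance as `boot_audit 1 /etc/rc.local | logger -t boot-audit -p auth.warning'.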