Re: Bugs in sysctl.c
Rogier Wolff (R.E.Wolff@BitWizard.nl)
Mon, 11 Aug 1997 13:37:19 +0200 (MET DST)
Chris Evans wrote:
>
>
> Hi,
>
> It seems that securelevel is completely shafted. For a start, the
> permissions that /proc/sys/kernel/securelevel are registered with are
> incorrect (0444, should be 0644 to allow root write access). Trivial patch
> => not included here :-)
>
> Furthermore, and more worrying, it seems that do_securelevel_strategy is
> NOT called upon modification of securelevel. This means that root can
> arbitrarily lower the securelevel value(!).
>
> I did not have time to look into this.. I will probably do so tonight
> unless some bright spark posts fixes/causes before then, hint hint ;-)

Securelevel is not completely implemented yet.

You should write a little document with what different levels do, and
post this to linux-kernel. You'll get some feedback, and then
implementing it will be a matter of a few hours intense hacking.

The document should do something like:

0: Default. Normal "unix-like" operation.
1: chattr is disallowed
2: ....

Only increasing the securelevel is allowed. Decreasing the
securelevel requires a reboot.

Things like "access to raw devices", "access to kmem", "access to /proc",
"modifying IP parameters", etc etc should be mentioned.

Regards,

Roger.
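
The two points raised in this thread (a 0444 entry refuses writes, and a write that never reaches the strategy hook lets the level be lowered), together with the raise-only rule proposed in the reply, as a small user-space model. This is an added example, not code from the thread or from the kernel; `ctl_entry`, `ctl_write` and `raise_only` are hypothetical names, and treating a rewrite of the current value as a no-op is an assumption.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical user-space model of one sysctl entry; not kernel code. */
struct ctl_entry {
    int value;                           /* current securelevel */
    unsigned mode;                       /* registered permission bits */
    int (*strategy)(int cur, int want);  /* policy hook; NULL = no check */
};

/* Policy sketched in the reply: the level never goes down before reboot.
 * Rewriting the current value is treated as a harmless no-op (assumption). */
int raise_only(int cur, int want)
{
    return want >= cur ? 0 : -EPERM;
}

/* Single write path: permission bits, input parsing, then the policy hook. */
int ctl_write(struct ctl_entry *e, const char *buf)
{
    char *end;
    long want;
    int rc;

    if (!(e->mode & 0200))               /* 0444: no write bit, even for root */
        return -EACCES;
    errno = 0;
    want = strtol(buf, &end, 10);
    if (end == buf || errno == ERANGE || want < 0 || want > INT_MAX)
        return -EINVAL;
    if (*end == '\n')                    /* tolerate "echo 1 > file" */
        end++;
    if (*end != '\0')
        return -EINVAL;
    if (e->strategy && (rc = e->strategy(e->value, (int)want)) != 0)
        return rc;                       /* value left unchanged on refusal */
    e->value = (int)want;
    return 0;
}

int main(void)
{
    struct ctl_entry hooked = { 1, 0644, raise_only };
    struct ctl_entry unhooked = { 1, 0644, NULL };   /* hook never called */

    printf("hooked   lower -> %d\n", ctl_write(&hooked, "0\n"));
    printf("unhooked lower -> %d\n", ctl_write(&unhooked, "0\n"));
    return 0;
}
```

Routing every write through one function that calls the hook is what keeps the raise-only rule from being bypassed by an alternate path.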