Date: 20 May 2003 02:16:37 -0000
From: Joshua Oreman <oremanj@adsl-64-161-78-226.dsl.lsan03.pacbell.net>
Reply-To: Joshua Oreman <oremanj@adsl-64-161-78-226.dsl.lsan03.pacbell.net>
To: FreeBSD-gnats-submit@freebsd.org
Cc:
Subject: [PATCH] let init change securelevel to -1 for single-user mode 

>Number:         52454
>Category:       kern
>Synopsis:       [PATCH] let init change securelevel to -1 for single-user mode
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-bugs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          change-request
>Submitter-Id:   current-users
>Arrival-Date:   Mon May 19 19:20:09 PDT 2003
>Closed-Date:    Sat Jun 28 10:47:37 PDT 2003
>Last-Modified:  Sat Jun 28 10:47:37 PDT 2003
>Originator:     Joshua Oreman
>Release:        FreeBSD 5.0-CURRENT i386
>Organization:
home 
>Environment:
System: FreeBSD webserver.get-linux.org 5.0-CURRENT FreeBSD 5.0-CURRENT #0: Wed May 7 17:32:53 PDT 2003 root@webserver.get-linux.org:/usr/obj/usr/src/sys/GENERIC i386


	
>Description:
	Under OpenBSD, when `init' goes to single-user mode, it, and it alone,
	can change the securelevel back down to -1. To see why this would be
	useful, consider a firewall. It might normally run at securelevel 3
	to prevent tampering with firewall rules. However, suppose a rule
	change was needed. Without this functionality, the firewall would
	have to restart, disrupting service. With it, the firewall could
	simply drop to single-user, keeping connections, and change
	the rule. The patch adds that functionality to FreeBSD.

	
>How-To-Repeat:
	[not applicable]

	
>Fix:
Apply this patch to src/sys/kern/kern_mib.c:
--[snip]--
--- kern_mib.c.orig	Mon May 19 18:47:47 2003
+++ kern_mib.c	Mon May 19 18:54:36 2003
@@ -273,7 +273,8 @@
 	} else {
 		mtx_lock(&securelevel_mtx);
 		if (!regression_securelevel_nonmonotonic &&
-		    (level < securelevel)) {
+		    (level < securelevel) &&
+		    (req->td->td_proc->p_pid != 1)) {
 			mtx_unlock(&securelevel_mtx);
 			return (EPERM);
 		}
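Review bot: the added `(req->td->td_proc->p_pid != 1)` clause exempts pid 1 from the monotonic check unconditionally, not only while init is actually entering single-user mode, so after this change the kernel no longer guarantees that securelevel can only go down across a reboot. Because root can ask init to go to single-user mode (the PR's own firewall scenario depends on that), the same path is open to anyone who has obtained root on a securelevel-3 host, which is precisely the situation securelevel is meant to contain; the closure note records that the feature was removed for security reasons, and the PR should explain why a pid-based exemption does not reopen that problem rather than assert that pid 1 alone makes it safe. If the change is kept at all, tie it to an explicit single-user transition rather than to the pid, and confirm that `req->td` is never NULL on the in-kernel sysctl path, since this line dereferences it without a guard.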
--[snip]--
and apply this patch to src/sbin/init/init.c:
--[snip]--
--- init.c.orig	Mon May 19 18:54:56 2003
+++ init.c	Mon May 19 19:09:38 2003
@@ -619,6 +619,25 @@
 		endpwent();
 #endif /* SECURE */
 
+		if (getsecuritylevel() > 0) {
+		    /*
+		     * It's safe to set newsecuritylevel to -1 here because,
+		     * even if securelevel was not originally -1, it will
+		     * be reset on return to multi-user.
+		     */
+		    int mib[2], newsecuritylevel = -1;
+		    syslog (LOG_INFO, "changing security level from %i to %i " 
+			    "for single-user mode", getsecuritylevel(), -1);
+		    
+		    mib[0] = CTL_KERN;
+		    mib[1] = KERN_SECURELVL;
+		    if (sysctl (mib, 2, NULL, NULL, &newsecuritylevel,
+				sizeof newsecuritylevel) == -1) {
+			warning ("unable to set securelevel; operations "
+				 "will continue at level %i", getsecuritylevel());
+		    }
+		}
+
 #ifdef DEBUGSHELL
 		{
 			char *cp = altshell;
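Review bot: the comment in the added block claims the level "will be reset on return to multi-user", but nothing in this hunk restores it and the PR does not point at the code that does; if the existing multi-user path only raises the level when it finds 0, a host left at -1 here would come back to multi-user still at -1, so the restoring code (or a reference to it) needs to be part of this patch. `getsecuritylevel()` is also called three times (condition, log message, warning); read it once into a local and reuse it, which keeps the logged "from" value and the warning consistent. Style: the block is indented with four spaces and writes `syslog (` / `sysctl (` with a space before the parenthesis, unlike the tab-indented style(9) code around it.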
--[snip]--

Recompile init and the kernel, reboot, and the securelevel
will go down for single-user mode. This is not a security
hole because only `init' (pid 1) has the authority to do
this.

	


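As an added detection example (not part of the PR or of FreeBSD's code): a defender who runs hosts at a high securelevel wants to know whenever the level goes down, so this parses the syslog line the patched init would emit and flags every decrease. The syslogd line prefix and the sample log lines are constructed for the example.

```python
import re

# Matches the message the patched init logs via syslog(LOG_INFO, ...):
#   "changing security level from %i to %i for single-user mode"
# The "Mon DD HH:MM:SS host init: " prefix is the assumed syslogd format;
# an optional [pid] is tolerated in case LOG_PID is in use.
SECURELEVEL_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"init(?:\[\d+\])?: changing security level from (?P<old>-?\d+) "
    r"to (?P<new>-?\d+) for single-user mode$"
)

# Constructed sample log: two real init transitions plus two lines that
# must not match (a different program, and unrelated sshd noise).
SAMPLE_LOG = [
    "May 19 19:09:38 webserver init: changing security level from 3 to -1 for single-user mode",
    "May 19 19:10:02 webserver sshd[412]: Accepted publickey for admin from 10.0.0.5",
    "May 20 08:00:01 webserver init: changing security level from 1 to -1 for single-user mode",
    "May 20 08:00:05 webserver sudo: changing security level from 3 to -1 for single-user mode",
]


def parse_securelevel_changes(lines):
    """Return one dict per securelevel change logged by init."""
    events = []
    for line in lines:
        m = SECURELEVEL_RE.match(line.strip())
        if m is None:
            continue  # not an init securelevel message
        events.append({
            "ts": m.group("ts"),
            "host": m.group("host"),
            "old": int(m.group("old")),
            "new": int(m.group("new")),
        })
    return events


def securelevel_drops(lines):
    """Keep only the changes where the level went down, i.e. the events that
    a monotonic securelevel is supposed to make impossible without a reboot."""
    return [e for e in parse_securelevel_changes(lines) if e["new"] < e["old"]]


if __name__ == "__main__":
    for e in securelevel_drops(SAMPLE_LOG):
        print("%s %s: securelevel lowered %d -> %d" % (e["ts"], e["host"], e["old"], e["new"]))
```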
>Release-Note:
>Audit-Trail:

From: Garrett Wollman <wollman@lcs.mit.edu>
To: Joshua Oreman <oremanj@adsl-64-161-78-226.dsl.lsan03.pacbell.net>
Cc: FreeBSD-gnats-submit@freebsd.org
Subject: kern/52454: [PATCH] let init change securelevel to -1 for
	single-user mode 
Date: Mon, 19 May 2003 22:27:52 -0400 (EDT)

 <<On 20 May 2003 02:16:37 -0000, Joshua Oreman <oremanj@adsl-64-161-78-226.dsl.lsan03.pacbell.net> said:
 
 > 	the rule. The patch adds that functionality to FreeBSD.
 
 This was intentionally removed from FreeBSD.  See rev. 1.36 of init.c.
 
 -GAWollman
 

From: oremanj@adsl-64-161-78-226.dsl.lsan03.pacbell.net
To: freebsd-gnats-submit@freebsd.org
Cc:  
Subject: Re: kern/52454: [PATCH] let init change securelevel to -1 for single-user mode
Date: 24 May 2003 05:46:07 -0000

 > This was intentionally removed from FreeBSD. See rev. 1.36 of init.c.
 Yes, but if you look deeper into the patch, it contains a kernel patch
 too. Is there a reason even this wouldn't work? Is it against policy
 or something?
 
 -- Josh

From: Joshua Oreman <oremanj@webserver.get-linux.org>
To: bug-followup@freebsd.org
Cc:  
Subject: Re: kern/52454: [PATCH] let init change securelevel to -1 for single-user mode
Date: Sat, 28 Jun 2003 10:29:25 -0700

 On Mon, May 19, 2003 at 10:27:52PM -0400 or thereabouts, Garrett Wollman wrote:
 > <<On 20 May 2003 02:16:37 -0000, Joshua Oreman <oremanj@get-linux.org> said:
 > 
 > > 	the rule. The patch adds that functionality to FreeBSD.
 > 
 > This was intentionally removed from FreeBSD.  See rev. 1.36 of init.c.
 
 If you look more closely at the PR, you'll see there's a kernel patch
 in there too :-)
 
 -- Josh
 
 > 
 > -GAWollman
State-Changed-From-To: open->closed 
State-Changed-By: wollman 
State-Changed-When: Sat Jun 28 10:47:13 PDT 2003 
State-Changed-Why:  
This feature was intentionally removed from the system for security reasons. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=52454 
>Unformatted:
