Re: Securelevels

2008-06-28 Thread Garrett Cooper
On Sat, Jun 28, 2008 at 6:13 PM, Ivaylo Mateev
<[EMAIL PROTECTED]> wrote:
> Hi,
>
> I think I found a bug.
>
> [EMAIL PROTECTED] /usr/home/strato]$ sudo sysctl kern.securelevel
> kern.securelevel: 2
> [EMAIL PROTECTED] /usr/home/strato]$ kgdb
> kgdb: /dev/mem: Permission denied
> [EMAIL PROTECTED] /usr/home/strato]$ sudo kgdb
> [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so:
> Undefined symbol "ps_pglobal_lookup"]
> GNU gdb 6.1.1 [FreeBSD]
>
> I am running in securelevel 2. That means nothing can have direct access
> to /dev/mem, according to man security:
>
> 1 Secure mode - the system immutable and system append-only flags may
>   not be turned off; disks for mounted file systems, /dev/mem and
>   /dev/kmem may not be opened for writing; /dev/io (if your platform
>   has it) may not be opened at all; kernel modules (see kld(4)) may
>   not be loaded or unloaded.
>
> 2 Highly secure mode - same as secure mode, plus disks may not be
>   opened for writing (except by mount(2)) whether mounted or not.
>   This level precludes tampering with file systems by unmounting
>   them, but also inhibits running newfs(8) while the system is multi-
>   user.
>
> So is this a bug or am I just too stupid?

Same thing with su? In some situations sudo doesn't operate under 100%
root-credentials.
-Garrett
___
freebsd-hackers@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "[EMAIL PROTECTED]"


Re: Securelevels

2008-06-28 Thread Dan Nelson
In the last episode (Jun 29), Ivaylo Mateev said:
> I think I found a bug.
> 
> [EMAIL PROTECTED] /usr/home/strato]$ sudo sysctl kern.securelevel
> kern.securelevel: 2
> [EMAIL PROTECTED] /usr/home/strato]$ kgdb
> kgdb: /dev/mem: Permission denied
> [EMAIL PROTECTED] /usr/home/strato]$ sudo kgdb
> [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: 
> Undefined symbol "ps_pglobal_lookup"]
> GNU gdb 6.1.1 [FreeBSD]
> 
> I am running in securelevel 2. That means nothing can have direct access 
> to /dev/mem, according to man security:
> 
> 1 Secure mode - the system immutable and system append-only flags may
>   not be turned off; disks for mounted file systems, /dev/mem and
>   /dev/kmem may not be opened for writing; /dev/io (if your platform
>   has it) may not be opened at all; kernel modules (see kld(4)) may
>   not be loaded or unloaded.
> 
> 2 Highly secure mode - same as secure mode, plus disks may not be
>   opened for writing (except by mount(2)) whether mounted or not.
>   This level precludes tampering with file systems by unmounting
>   them, but also inhibits running newfs(8) while the system is multi-
>   user.

# truss kgdb < /dev/null |& grep /dev/mem
open("/dev/mem",O_RDONLY,00) = 4 (0x4)
#

Read-only opens of /dev/mem are allowed.  "kgdb -w" should fail,
however.

-- 
Dan Nelson
[EMAIL PROTECTED]
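To make the distinction Dan is drawing concrete, here is an added example (my own code, not from kgdb or the thread) that models the security(7) rule quoted above for the memory devices and then probes /dev/mem both read-only (what kgdb does) and read-write (what "kgdb -w" needs). The model ignores ordinary file permissions, which is an assumed simplification; those produce EACCES, the error the unprivileged run got, rather than the EPERM a securelevel refusal gives.

```c
/* Added example: securelevel policy model plus a real probe of /dev/mem. */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Returns 0 if the securelevel policy permits the open, EPERM otherwise.
 * Simplified model of security(7): at securelevel >= 1, /dev/mem and
 * /dev/kmem may not be opened for writing and /dev/io may not be opened
 * at all. File permission bits are deliberately not modelled (assumption). */
int securelevel_open_allowed(int securelevel, const char *path, int oflags)
{
    int wants_write = (oflags & O_ACCMODE) != O_RDONLY;

    if (securelevel < 1)
        return 0;                       /* permanently insecure / insecure: no rule applies */
    if (strcmp(path, "/dev/io") == 0)
        return EPERM;                   /* may not be opened at all */
    if (strcmp(path, "/dev/mem") == 0 || strcmp(path, "/dev/kmem") == 0)
        return wants_write ? EPERM : 0; /* read-only opens are allowed */
    return 0;                           /* other paths: no securelevel rule here */
}

/* Really attempt the open; returns 0 on success, otherwise errno.
 * Inside a container or on a non-FreeBSD host /dev/mem may be missing
 * (ENOENT); an unprivileged user gets EACCES ("Permission denied"),
 * which is the first error in the original report and not a
 * securelevel effect at all. */
int probe_open(const char *path, int oflags)
{
    int fd = open(path, oflags);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

int main(void)
{
    int ro = probe_open("/dev/mem", O_RDONLY);
    int rw = probe_open("/dev/mem", O_RDWR);

    printf("open(/dev/mem, O_RDONLY): %s\n", ro ? strerror(ro) : "ok");
    printf("open(/dev/mem, O_RDWR):   %s\n", rw ? strerror(rw) : "ok");
    /* As root with kern.securelevel >= 1 the first line is "ok" (the truss
       line above) and the second is "Operation not permitted" (EPERM). */
    return 0;
}
```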


Re: Securelevels

2008-06-28 Thread perryh
> [EMAIL PROTECTED] /usr/home/strato]$ sudo sysctl kern.securelevel
> kern.securelevel: 2
> [EMAIL PROTECTED] /usr/home/strato]$ kgdb
> kgdb: /dev/mem: Permission denied
> [EMAIL PROTECTED] /usr/home/strato]$ sudo kgdb
> [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so: 
> Undefined symbol "ps_pglobal_lookup"]
> GNU gdb 6.1.1 [FreeBSD]
>
> I am running in securelevel 2. That means nothing can have direct
> access to /dev/mem, according to man security:
>
> 1 Secure mode - ... /dev/mem and /dev/kmem may not be opened
>   for writing; ...
^^^
>
> 2 Highly secure mode - same as secure mode, plus disks may not
>   be opened for writing (except by mount(2)) whether mounted
>   or not ...
>
> So is this a bug 

I don't think so, because kgdb does not ordinarily need to open
/dev/kmem for writing.  Presumably you'd get an error if you tried
to patch the running kernel.