
minor securelevel(7) inaccuracy



Hi,

securelevel(7) says that ddb.console & ddb.panic may not be raised in securelevel 2, but this restriction actually applies to securelevel 1 too:

$ sysctl kern.securelevel
kern.securelevel=1
$ sysctl ddb.panic
ddb.panic=0
$ sudo sysctl ddb.panic=1
Password:
sysctl: ddb.panic: Operation not permitted
$ sudo sysctl ddb.console=0
ddb.console: 1 -> 0
$ sudo sysctl ddb.console=1
sysctl: ddb.console: Operation not permitted

Assuming the man page is incorrect rather than the code, patch is below.

-- Nicholas

Index: securelevel.7
===================================================================
RCS file: /cvs/src/share/man/man7/securelevel.7,v
retrieving revision 1.17
diff -u -r1.17 securelevel.7
--- securelevel.7	12 May 2005 08:16:06 -0000	1.17
+++ securelevel.7	24 Mar 2006 11:06:34 -0000
@@ -87,6 +87,13 @@
 .Va machdep.kbdreset
 .Xr sysctl 8
 variable may not be changed
+.It
+the
+.Va ddb.console
+and
+.Va ddb.panic
+.Xr sysctl 8
+variables may not be raised
 .El
 .It \ 2 Em Highly secure mode
 .Bl -hyphen -compact
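Review bot: before moving this item into the securelevel 1 list, confirm against the kernel's ddb sysctl handler that it refuses to raise ddb.console and ddb.panic whenever securelevel is greater than 0 rather than greater than 1; the sysctl transcript in the mail shows the behaviour but cannot tell a documentation bug from a kernel bug, and if the level-2 check is what the code intends, the fix belongs in the kernel rather than in this page. The added wording "variables may not be raised" does match what was observed, where lowering ddb.console from 1 to 0 succeeded and raising it back to 1 failed.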
@@ -102,13 +109,6 @@
 .It
 .Xr pf 4
 filter and NAT rules may not be altered
-.It
-the
-.Va ddb.console
-and
-.Va ddb.panic
-.Xr sysctl 8
-variables may not be raised
 .El
 .El
 .Sh DESCRIPTION
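Review bot: dropping the item from the highly secure mode list is only lossless if the securelevel 2 section still states that every restriction of securelevel 1 also applies there; if it does not, a reader who goes straight to the level-2 list loses the fact that ddb.console and ddb.panic are locked at that level too, and a short cross-reference to the secure mode restrictions should be kept in its place.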
@@ -146,7 +146,7 @@
 Because securelevel can be modified with the in-kernel debugger
 .Xr ddb 4 ,
 a convenient means of locking it off (if present) is provided
-on highly secure systems.
+at securelevels 1 and 2.
 This is accomplished by setting
 .Va ddb.console
 and
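Review bot: "at securelevels 1 and 2" is accurate, but the rest of the page refers to these levels by name ("Highly secure mode"), so "in secure or highly secure mode", or simply "at securelevel 1 or higher", would read more consistently with the section headings. The hunk also stops mid-sentence after "and", so check that the remainder of the sentence, which lies outside the hunk, still reads correctly with the new clause in front of it.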
