
minor securelevel(7) inaccuracy


securelevel(7) says that ddb.console & ddb.panic may not be raised in securelevel 2, but this restriction actually applies to securelevel 1 too:

$ sysctl kern.securelevel
$ sysctl ddb.panic
$ sudo sysctl ddb.panic=1
sysctl: ddb.panic: Operation not permitted
$ sudo sysctl ddb.console=0
ddb.console: 1 -> 0
$ sudo sysctl ddb.console=1
sysctl: ddb.console: Operation not permitted

Assuming the man page is incorrect rather than the code, patch is below.

-- Nicholas

Index: securelevel.7
RCS file: /cvs/src/share/man/man7/securelevel.7,v
retrieving revision 1.17
diff -u -r1.17 securelevel.7
--- securelevel.7	12 May 2005 08:16:06 -0000	1.17
+++ securelevel.7	24 Mar 2006 11:06:34 -0000
@@ -87,6 +87,13 @@
 .Va machdep.kbdreset
 .Xr sysctl 8
 variable may not be changed
+.Va ddb.console
+.Va ddb.panic
+.Xr sysctl 8
+variables may not be raised
 .It \ 2 Em Highly secure mode
 .Bl -hyphen -compact
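Review bot: the new securelevel 1 item at `.Va ddb.console` / `.Va ddb.panic` shows no `.It` in front of it and no conjunction between the two `.Va` lines, and the hunk header (`-87,6 +87,13`) counts seven added lines where only four are visible here. Check that the applied text starts its own `.It` so it does not run on from the `machdep.kbdreset` item, and that it renders as "ddb.console and ddb.panic". Since the message says the patch assumes the man page rather than the code is wrong, that assumption should be confirmed against the kernel's sysctl check before this goes in.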
@@ -102,13 +109,6 @@
 .Xr pf 4
 filter and NAT rules may not be altered
-.Va ddb.console
-.Va ddb.panic
-.Xr sysctl 8
-variables may not be raised
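Review bot: once these four lines are dropped from the securelevel 2 list, nothing visible in this hunk tells a reader of that section that `ddb.console` and `ddb.panic` still cannot be raised there. Confirm that the level 2 description states it carries over the level 1 restrictions; if it does not, keep a one-line mention of the ddb variables under level 2 as well.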
@@ -146,7 +146,7 @@
 Because securelevel can be modified with the in-kernel debugger
 .Xr ddb 4 ,
 a convenient means of locking it off (if present) is provided
-on highly secure systems.
+at securelevels 1 and 2.
 This is accomplished by setting
 .Va ddb.console
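Review bot: the replacement line `at securelevels 1 and 2.` enumerates the levels, so it has to be edited again if the set of levels or the level at which the restriction starts ever changes. Wording such as "at securelevel 1 or higher" says the same thing and matches how the first hunk places the restriction under level 1.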
