Text: Securelevel security
Author: lockdown (www.lockeddown.net)
Date: May 30, 2001


OpenBSD, FreeBSD, and NetBSD have something called securelevel to try to minimize the damage someone can do by obtaining root. If a computer is running in securelevel 1 or 2, the only way to lower the securelevel is by booting into single-user mode. Just reading the man page, it seemed pretty obvious that getting out of securelevel 1 should be easy. So I tested it, and it worked, and I notified OpenBSD, FreeBSD, and NetBSD. The people at FreeBSD have been the only ones to respond; they basically said securelevel has known issues and should not be used, and the person who replied said he fought against FreeBSD using securelevel 1 by default but was overruled. So what I present here is not an advisory, just my findings on the problems with securelevel. If it can be easily defeated, what is the point of it? I have yet to find an answer to that question.

Let's just start off with the basics: a proper configuration. To set up securelevel properly so that it works as intended, the schg flag must be set on /etc/rc.securelevel (rc.conf on FreeBSD), init, and the kernel. If it is not set on all three files, a "broken" version of the file can be put in its place. Also, every directory in the path needs the schg flag set, or else the directory can be moved to a new location and remade with modified files in it, such as mv /etc /bleh and then remaking etc with your own rc.conf/rc.securelevel where the securelevel is set to -1, followed by a reboot. That should cover a secure configuration, as if it matters.
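The following audit script is an added example, not part of the original text: it checks the configuration just described by walking each file securelevel relies on, plus every directory on its path, and reporting any component that lacks schg. It assumes a BSD ls(1) whose -o option prints the file flags in the fifth column of long output, and the kernel paths (/kernel on FreeBSD) and rc file names used in the live audit are assumptions.

```sh
#!/bin/sh
# Audit: the files securelevel relies on, and every directory leading to them, must carry schg.
# Assumes a BSD ls(1) where 'ls -ldo' prints the file flags in the fifth
# column (mode links owner group flags ...), "-" meaning no flags are set.

# flags_field LINE: extract the flags column from one 'ls -ldo' line.
flags_field() {
    set -- $1          # word-split the line; $5 is the flags column
    printf '%s\n' "$5"
}

# has_schg FLAGS: succeed when the comma-separated flag list contains schg.
has_schg() {
    case ",$1," in
        *,schg,*) return 0 ;;
        *)        return 1 ;;
    esac
}

# path_components PATH: print PATH and each ancestor directory, ending with /.
path_components() {
    p=$1
    while [ -n "$p" ] && [ "$p" != / ]; do
        printf '%s\n' "$p"
        p=$(dirname "$p")
    done
    printf '/\n'
}

# audit_path PATH: print one line per component; return 1 if any lacks schg.
audit_path() {
    rc=0
    for c in $(path_components "$1"); do      # paths without whitespace
        if line=$(ls -ldo "$c" 2>/dev/null); then
            if has_schg "$(flags_field "$line")"; then
                echo "ok      $c"
            else
                echo "NOSCHG  $c"; rc=1
            fi
        else
            echo "MISSING $c"; rc=1
        fi
    done
    return $rc
}
# Live audit only on a BSD; the kernel and rc file paths are assumptions.
case $(uname -s) in
    FreeBSD)        audit_path /etc/rc.conf; audit_path /sbin/init; audit_path /kernel ;;
    OpenBSD|NetBSD) audit_path /etc/rc.securelevel; audit_path /sbin/init ;;
esac
```

A NOSCHG line on any ancestor directory is the mv /etc /bleh weakness described above; a clean run prints only ok lines and exits 0.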

Reading the man page, it says that in securelevel 1 mounted file systems are read-only and in securelevel 2 mounted and unmounted file systems are read-only (for raw disk access). This points out an obvious flaw in securelevel 1: being able to write to unmounted file systems. Let's say a user has schg on the log files to ensure their integrity even if the machine gets rooted. In securelevel 1 the schg flag should only be removable when booted into single-user mode. If we unmount /var, assuming it is a separate partition, we can then use fsdb to remove the schg flag (this is easy to do and I will not walk you through it). If we can remove schg from /etc/rc.securelevel, we can change the securelevel to -1 and reboot. Unmounting / cannot be done because it is always in use, so you add a little script to /etc/rc to remove schg from /etc/rc.securelevel on bootup. Once that is removed, you can disable securelevel.