Securelevels

Garrett Cooper yanefbsd at gmail.com
Sun Jun 29 03:06:19 UTC 2008


On Sat, Jun 28, 2008 at 6:13 PM, Ivaylo Mateev
<mateev at cns-consulting.org> wrote:
> Hi,
>
> I think I found a bug.
>
> [strato at darkstar /usr/home/strato]$ sudo sysctl kern.securelevel
> kern.securelevel: 2
> [strato at darkstar /usr/home/strato]$ kgdb
> kgdb: /dev/mem: Permission denied
> [strato at darkstar /usr/home/strato]$ sudo kgdb
> [GDB will not be able to debug user-mode threads: /usr/lib/libthread_db.so:
> Undefined symbol "ps_pglobal_lookup"]
> GNU gdb 6.1.1 [FreeBSD]
>
> I am running in securelevel 2. That means nothing can have direct access
> to /dev/mem, according to man security:
>
>     1     Secure mode - the system immutable and system append-only flags may
>           not be turned off; disks for mounted file systems, /dev/mem and
>           /dev/kmem may not be opened for writing; /dev/io (if your platform
>           has it) may not be opened at all; kernel modules (see kld(4)) may
>           not be loaded or unloaded.
>
>     2     Highly secure mode - same as secure mode, plus disks may not be
>           opened for writing (except by mount(2)) whether mounted or not.
>           This level precludes tampering with file systems by unmounting
>           them, but also inhibits running newfs(8) while the system is multi-
>           user.
>
> So is this a bug or am I just too stupid?

Same thing with su? In some situations sudo doesn't operate under 100%
root-credentials.
-Garrett
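
The security(7) text quoted in this thread restricts /dev/mem and /dev/kmem by open mode ("may not be opened for writing") and /dev/io outright, so one way to see what a running securelevel enforces is to try each mode and record the errno. The C probe below is an added example, not part of the original messages; `probe_open`, `current_securelevel` and `report` are names chosen here, and it opens and closes the nodes without reading or writing them.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/types.h>
#include <sys/sysctl.h>
#endif

/* Return 0 if path can be opened with the given flags, else the errno. */
int probe_open(const char *path, int flags)
{
    int fd = open(path, flags);
    if (fd < 0)
        return errno;
    close(fd);
    return 0;
}

/* Return kern.securelevel on FreeBSD; -2 where the sysctl is unavailable
 * (-1 is itself a valid securelevel, so it cannot be the sentinel). */
int current_securelevel(void)
{
#ifdef __FreeBSD__
    int level;
    size_t len = sizeof(level);
    if (sysctlbyname("kern.securelevel", &level, &len, NULL, 0) == 0)
        return level;
#endif
    return -2;
}

/* Print one line per (device, mode) pair: "ok" or the error string. */
static void report(const char *path, const char *label, int flags)
{
    int err = probe_open(path, flags);
    printf("%-10s %-10s %s\n", path, label, err ? strerror(err) : "ok");
}

int main(void)
{
    const char *devs[] = { "/dev/mem", "/dev/kmem", "/dev/io" };
    printf("kern.securelevel: %d\n", current_securelevel());
    for (size_t i = 0; i < sizeof(devs) / sizeof(devs[0]); i++) {
        report(devs[i], "read-only", O_RDONLY);
        report(devs[i], "read-write", O_RDWR);
    }
    return 0;
}
```

Running it once as an unprivileged user and once as root separates ordinary file-permission denials from those imposed by the securelevel.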


More information about the freebsd-hackers mailing list