in securelevels, follow them religiously. Problem found by millert...
-# $OpenBSD: Makefile,v 1.43 1997/04/09 10:59:56 kstailey Exp $
+# $OpenBSD: Makefile,v 1.44 1997/04/15 09:26:44 deraadt Exp $
TZDIR= /usr/share/zoneinfo
LOCALTIME= US/Pacific
hosts.equiv hosts.lpd ifaliases inetd.conf ipf.rules ksh.kshrc \
locate.rc man.conf monthly motd mrouted.conf myname nat.rules \
netstart networks newsyslog.conf passwd.conf phones printcap \
- protocols rbootd.conf rc rc.local remote rpc security services \
- shells syslog.conf virc weekly etc.${MACHINE}/disktab
+ protocols rbootd.conf rc rc.local rc.securelevel remote rpc security \
+ services shells syslog.conf virc weekly etc.${MACHINE}/disktab
# -rw-rw-r--
BIN2= motd
-# $OpenBSD: rc,v 1.31 1997/02/28 07:53:33 millert Exp $
+# $OpenBSD: rc,v 1.32 1997/04/15 09:26:47 deraadt Exp $
# System startup script run by init on autoboot
# or after single-user.
'password file may be incorrect -- /etc/ptmp exists'
fi
+. /etc/rc.securelevel
+if [ X${securelevel} != X"" ]; then
+ sysctl -w kern.securelevel=${securelevel}
+fi
+
virecovery=/var/tmp/vi.recover/recover.*
if [ "$virecovery" != "/var/tmp/vi.recover/recover.*" ]; then
echo preserving editor files
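Review bot: The added `. /etc/rc.securelevel` is unguarded, and `${securelevel}` is expanded unquoted in both the `[` test and the `sysctl` call. In a non-interactive POSIX shell a `.` on a missing or unreadable file normally aborts the script, so losing that file would likely stop rc part-way through boot, and a value containing whitespace or glob characters would break the test. I would write `if [ -f /etc/rc.securelevel ]; then . /etc/rc.securelevel; fi` followed by `if [ "X${securelevel}" != X ]; then sysctl -w kern.securelevel="${securelevel}"; fi`, and echo a warning when the file is absent so that a boot which leaves the level unchanged is visible on the console. The rest of rc lies outside the hunk, so whether any later step needs to run before the level is raised cannot be checked from here.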
-# $OpenBSD: rc.local,v 1.9 1997/01/03 07:48:50 deraadt Exp $
+# $OpenBSD: rc.local,v 1.10 1997/04/15 09:26:47 deraadt Exp $
-# site-specific startup actions, daemons
+# site-specific startup actions, daemons, and other things which
+# can be done AFTER your system goes into securemode. For actions
+# which should be done BEFORE your system has gone into securemode
+# please see /etc/rc.securelevel
+
+# site-specific startup actions, daemons which can be run
# Add your local changes additions to this file
echo -n 'starting local daemons:'
# echo -n ' sshd'; /usr/local/sbin/sshd
#fi
-# Alternatively, xdm smay be started in /etc/ttys.
-#if [ -x /usr/X11R6/bin/xdm ]; then
-# echo -n ' xdm'; /usr/X11R6/bin/xdm
-#fi
-
#if [ -x /usr/local/bin/xntpd ]; then
# /usr/local/sbin/tickadj -Aq
# echo -n ' xntpd'; /usr/local/sbin/xntpd
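Review bot: The added comment line `# site-specific startup actions, daemons which can be run` is an unfinished sentence that repeats the header just above it. That header also says "securemode" where the sysctl and the new file name say securelevel. I would drop the fragment and word the header as `# can be done AFTER /etc/rc has raised kern.securelevel.`, so the reader can tie it to the setting that rc actually changes. The file continues outside the hunk.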
--- /dev/null
+# $OpenBSD: rc.securelevel,v 1.1 1997/04/15 09:26:48 deraadt Exp $
+#
+# site-specific startup actions, daemons, and other things which
+# can be done BEFORE your system goes into securemode. For actions
+# which should be done AFTER your system has gone into securemode
+# please see /etc/rc.local
+
+# This is the desired security level
+# XXX
+# XXX it is not really acceptable to put this value in a special
+# XXX file, because locking it down requires immutability on about
+# XXX 5 files instead of 2 (the kernel and init)
+# XXX
+securelevel=1
+
+echo -n 'starting pre-securelevel daemons:'
+
+# Alternatively, xdm smay be started in /etc/ttys.
+#if [ -x /usr/X11R6/bin/xdm ]; then
+# echo -n ' xdm'; /usr/X11R6/bin/xdm
+#fi
+
+echo '.'
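Review bot: This file is sourced by /etc/rc as root and supplies the value written to `kern.securelevel`, yet its header does not say what protection the file itself needs; the XXX block only notes that more files now require immutability. A header comment should state the requirement, for example `# sourced by /etc/rc as root: keep root-owned, not group/world writable, and set schg (chflags schg) after editing`. The install mode comes from the Makefile list, which is only partly visible here, so it should be confirmed there. The moved xdm comment also carries over the typo `smay` for `may`.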