From: deraadt
Date: Tue, 15 Apr 1997 09:26:44 +0000 (+0000)
Subject: split rc.local, creating rc.securelevel. Read the comments. If you believe
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=41406ee41a6211dfdba3e31aff4ce9edc2cf7305;p=openbsd
split rc.local, creating rc.securelevel. Read the comments. If you believe in securelevels, follow them religiously. Problem found by millert...
---
diff --git a/etc/Makefile b/etc/Makefile
index 9e97212fb01..2495dfa6ebc 100644
--- a/etc/Makefile
+++ b/etc/Makefile
@@ -1,4 +1,4 @@
-# $OpenBSD: Makefile,v 1.43 1997/04/09 10:59:56 kstailey Exp $
+# $OpenBSD: Makefile,v 1.44 1997/04/15 09:26:44 deraadt Exp $
 
 TZDIR= /usr/share/zoneinfo
 LOCALTIME= US/Pacific
@@ -18,8 +18,8 @@ BIN1= aliases bootptab changelist ccd.conf csh.cshrc csh.login csh.logout \
 hosts.equiv hosts.lpd ifaliases inetd.conf ipf.rules ksh.kshrc \
 locate.rc man.conf monthly motd mrouted.conf myname nat.rules \
 netstart networks newsyslog.conf passwd.conf phones printcap \
- protocols rbootd.conf rc rc.local remote rpc security services \
- shells syslog.conf virc weekly etc.${MACHINE}/disktab
+ protocols rbootd.conf rc rc.local rc.securelevel remote rpc security \
+ services shells syslog.conf virc weekly etc.${MACHINE}/disktab
 
 # -rw-rw-r--
 BIN2= motd
diff --git a/etc/rc b/etc/rc
index f3906a077ec..b1cd8d52696 100644
--- a/etc/rc
+++ b/etc/rc
@@ -1,4 +1,4 @@
-# $OpenBSD: rc,v 1.31 1997/02/28 07:53:33 millert Exp $
+# $OpenBSD: rc,v 1.32 1997/04/15 09:26:47 deraadt Exp $
 
 # System startup script run by init on autoboot
 # or after single-user.
@@ -202,6 +202,11 @@ if [ -f /etc/ptmp ]; then
 'password file may be incorrect -- /etc/ptmp exists'
 fi
 
+. /etc/rc.securelevel
+if [ X${securelevel} != X"" ]; then
+ sysctl -w kern.securelevel=${securelevel}
+fi
+
 virecovery=/var/tmp/vi.recover/recover.*
 if [ "$virecovery" != "/var/tmp/vi.recover/recover.*" ]; then
 echo preserving editor files
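Review bot: The new `. /etc/rc.securelevel` in the second etc/rc hunk is unguarded: in a POSIX sh a `.` that cannot read its file is a special-builtin error that makes a non-interactive shell exit, so a missing or unreadable rc.securelevel would stop /etc/rc partway through boot. The test and the sysctl call also expand `${securelevel}` unquoted, so a value containing whitespace makes `[` error out and the level is silently left where it was, and a rejected `sysctl -w` is not reported either. I would guard the source, quote the expansions and print a warning on both failure paths, as sketched below. Since the file is executed as root before the level is raised, it needs the same ownership and immutability as /etc/rc itself.

```shell
# ... unchanged: /etc/ptmp check ...
if [ -r /etc/rc.securelevel ]; then
	. /etc/rc.securelevel
else
	echo 'warning: /etc/rc.securelevel not readable; securelevel not set from it'
fi
if [ "X${securelevel}" != X ]; then
	sysctl -w kern.securelevel="${securelevel}" ||
		echo "warning: could not set kern.securelevel=${securelevel}"
fi
# ... unchanged: vi.recover handling ...
```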
diff --git a/etc/rc.local b/etc/rc.local
index 6c0817bbd84..0a593de099c 100644
--- a/etc/rc.local
+++ b/etc/rc.local
@@ -1,6 +1,11 @@
-# $OpenBSD: rc.local,v 1.9 1997/01/03 07:48:50 deraadt Exp $
+# $OpenBSD: rc.local,v 1.10 1997/04/15 09:26:47 deraadt Exp $
 
-# site-specific startup actions, daemons
+# site-specific startup actions, daemons, and other things which
+# can be done AFTER your system goes into securemode. For actions
+# which should be done BEFORE your system has gone into securemode
+# please see /etc/rc.securelevel
+
+# site-specific startup actions, daemons which can be run
 # Add your local changes additions to this file
 echo -n 'starting local daemons:'
@@ -13,11 +18,6 @@ echo -n 'starting local daemons:'
 # echo -n ' sshd'; /usr/local/sbin/sshd
 #fi
 
-# Alternatively, xdm smay be started in /etc/ttys.
-#if [ -x /usr/X11R6/bin/xdm ]; then
-# echo -n ' xdm'; /usr/X11R6/bin/xdm
-#fi
-
 #if [ -x /usr/local/bin/xntpd ]; then
 # /usr/local/sbin/tickadj -Aq
 # echo -n ' xntpd'; /usr/local/sbin/xntpd
diff --git a/etc/rc.securelevel b/etc/rc.securelevel
new file mode 100644
index 00000000000..21dbc336ea5
--- /dev/null
+++ b/etc/rc.securelevel
@@ -0,0 +1,23 @@
+# $OpenBSD: rc.securelevel,v 1.1 1997/04/15 09:26:48 deraadt Exp $
+#
+# site-specific startup actions, daemons, and other things which
+# can be done BEFORE your system goes into securemode. For actions
+# which should be done AFTER your system has gone into securemode
+# please see /etc/rc.local
+
+# This is the desired security level
+# XXX
+# XXX it is not really acceptable to put this value in a special
+# XXX file, because locking it down requires immutability on about
+# XXX 5 files instead of 2 (the kernel and init)
+# XXX
+securelevel=1
+
+echo -n 'starting pre-securelevel daemons:'
+
+# Alternatively, xdm smay be started in /etc/ttys.
+#if [ -x /usr/X11R6/bin/xdm ]; then
+# echo -n ' xdm'; /usr/X11R6/bin/xdm
+#fi
+
+echo '.'
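Review bot: The added line `# site-specific startup actions, daemons which can be run` in the first etc/rc.local hunk is a leftover fragment: it repeats the opening of the new header and stops mid-sentence, so it should be dropped or finished, for example `# daemons which can be run after the securelevel is raised`. The header also says "securemode", while the knob that /etc/rc sets is `kern.securelevel`; using one term in both rc.local and rc.securelevel keeps the comments searchable. It would also help to name one kind of action that stops working once the level is raised, so an operator can tell which lines belong in rc.securelevel instead.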
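Review bot: The header comment of the new etc/rc.securelevel does not say that /etc/rc reads this file with `.`, so a reader cannot tell that every line runs as root inside rc's own shell and that an `exit` or a syntax error in a local addition would stop the rest of boot; a line such as `# Sourced by /etc/rc as root; do not call exit here.` would cover it. The XXX block explains why a separate file is a weak spot but not what the operator has to do about it; I would add that the file must be root-owned, not writable by group or other, and flagged immutable along with the other boot files when securelevels are relied on. The comment above `securelevel=1` could also list the accepted values, so that an edit to the number is a deliberate choice. The moved xdm comment still carries the typo `smay`.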