From: void
To: freebsd-security@freebsd.org
Date: Tue, 24 Oct 2023 17:33:22 +0000
Subject: Re: securelevel 1
Message-Id: <35f733cc-a6c2-46a4-b564-b1ef87893fc5@app.fastmail.com>
In-Reply-To: <663fd243-94ec-40c1-ac66-ca8e3d5f278d@quip.cz>
References: <6638DADD-FCDB-492C-B1E8-441C6622038B@FreeBSD.org> <663fd243-94ec-40c1-ac66-ca8e3d5f278d@quip.cz>
List-Archive: https://lists.freebsd.org/archives/freebsd-security

On Tue, 24 Oct 2023, at 11:31, Miroslav Lachman wrote:
> root@neon ~/ # find -s -x / -flags +schg,sappnd
> /.sujournal
> /lib/libc.so.7
> /lib/libcrypt.so.5
> /lib/libthr.so.3
> /libexec/ld-elf.so.1
> /libexec/ld-elf32.so.1
> /sbin/init
> /usr/bin/chpass
> /usr/bin/crontab
> /usr/bin/login
> /usr/bin/opieinfo
> /usr/bin/opiepasswd
> /usr/bin/passwd
> /usr/bin/su
> /usr/lib/librt.so.1
> /usr/lib32/libc.so.7
> /usr/lib32/libcrypt.so.5
> /usr/lib32/librt.so.1
> /usr/lib32/libthr.so.3
> /var/empty
>
> Log files are not protected.

Thanks for explaining. The reason for setting the securelevel to 1 would be so that the log files can't be modified/deleted.
So I'm glad you explained that, because I didn't twig that the securelevel only disallows changing flags and the log files weren't protected. In order to accomplish what I'd like, I understand that I'd need to set +schg on the individual logs, then set the securelevel afterwards and reboot. But if this is done, it seems there's no way (at least directly) for the log file to be rotated?
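An added example, not the poster's or the list's own script, illustrating the trade-off raised above: a POSIX sh audit that classifies the files in a FreeBSD log directory by the system flags securelevel 1 locks (schg, sappnd) and states what each class means for appends and for rename-based rotation. It assumes FreeBSD's `ls -lo` flags column and `sysctl kern.securelevel`, and guards those commands so the parsing functions can be exercised on constructed lines elsewhere.

```shell
#!/bin/sh
# Added example (not from the thread): audit which files in a log directory are
# locked by the system flags that kern.securelevel >= 1 makes unclearable, and
# report the consequence for appending to and rotating each file.

# classify_flags FLAGS: FLAGS is the comma-separated flags column of `ls -lo`
# ("-" when none). Only system flags are locked at securelevel 1; user flags
# (uchg, uappnd) remain clearable by the owner, so they count as unlocked.
classify_flags() {
    case ",$1," in
        *,schg,*)   echo immutable ;;    # no write, no truncate, no rename/unlink
        *,sappnd,*) echo append-only ;;  # writes land at EOF only; no truncate/rename
        *)          echo unlocked ;;
    esac
}

# rotation_effect CLASS: outcome for a syslogd append plus a rename-based
# rotation (the newsyslog style of moving the file aside and creating a new one).
rotation_effect() {
    case "$1" in
        immutable)   echo "appends and rotation both fail" ;;
        append-only) echo "appends work, rotation fails" ;;
        *)           echo "rotation works, file is unprotected" ;;
    esac
}

# classify_ls_line LINE: LINE is one `ls -lo` entry; prints "NAME CLASS".
# With -o the flags column is field 5 and the name is the last field.
classify_ls_line() {
    set -- $1
    flags=$5
    shift $(($# - 1))
    echo "$1 $(classify_flags "$flags")"
}

# audit_dir DIR: on FreeBSD, print the current securelevel and one verdict per
# regular file in DIR; elsewhere only say the live audit needs FreeBSD.
audit_dir() {
    [ "$(uname -s)" = FreeBSD ] || { echo "live audit needs FreeBSD (ls -lo, sysctl)"; return 0; }
    echo "kern.securelevel=$(sysctl -n kern.securelevel)"
    ls -lo "$1" | while read -r line; do
        case "$line" in -*) ;; *) continue ;; esac   # skip "total N" and non-regular entries
        cls=$(classify_ls_line "$line")
        echo "$cls: $(rotation_effect "${cls##* }")"
    done
}

audit_dir /var/log
```

On a live system the verdicts show why +schg on a log defeats both syslogd and rotation, while +sappnd keeps appends working but still blocks the rename that rotation relies on.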