mirror of
https://git.FreeBSD.org/src.git
synced 2024-12-20 11:11:24 +00:00
328dbe4a94
securelevel = 3. PR: docs/69417 Submitted by: Janos Mohacsi (mohacsi(at)niif(dot)hu)
428 lines
11 KiB
Groff
428 lines
11 KiB
Groff
.\" Copyright (c) 1980, 1991, 1993
|
|
.\" The Regents of the University of California. All rights reserved.
|
|
.\"
|
|
.\" This code is derived from software contributed to Berkeley by
|
|
.\" Donn Seeley at Berkeley Software Design, Inc.
|
|
.\"
|
|
.\" Redistribution and use in source and binary forms, with or without
|
|
.\" modification, are permitted provided that the following conditions
|
|
.\" are met:
|
|
.\" 1. Redistributions of source code must retain the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer.
|
|
.\" 2. Redistributions in binary form must reproduce the above copyright
|
|
.\" notice, this list of conditions and the following disclaimer in the
|
|
.\" documentation and/or other materials provided with the distribution.
|
|
.\" 4. Neither the name of the University nor the names of its contributors
|
|
.\" may be used to endorse or promote products derived from this software
|
|
.\" without specific prior written permission.
|
|
.\"
|
|
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
|
|
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
|
|
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
|
|
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
|
|
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
|
|
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
|
|
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
|
|
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
|
|
.\" SUCH DAMAGE.
|
|
.\"
|
|
.\" @(#)init.8 8.3 (Berkeley) 4/18/94
|
|
.\" $FreeBSD$
|
|
.\"
|
|
.Dd April 18, 1994
|
|
.Dt INIT 8
|
|
.Os
|
|
.Sh NAME
|
|
.Nm init
|
|
.Nd process control initialization
|
|
.Sh SYNOPSIS
|
|
.Nm
|
|
.Nm
|
|
.Oo
|
|
.Cm 0 | 1 | 6 |
|
|
.Cm c | q
|
|
.Oc
|
|
.Sh DESCRIPTION
|
|
The
|
|
.Nm
|
|
utility
|
|
is the last stage of the boot process.
|
|
It normally runs the automatic reboot sequence as described in
|
|
.Xr rc 8 ,
|
|
and if this succeeds, begins multi-user operation.
|
|
If the reboot scripts fail,
|
|
.Nm
|
|
commences single-user operation by giving
|
|
the super-user a shell on the console.
|
|
The
|
|
.Nm
|
|
utility may be passed parameters
|
|
from the boot program to
|
|
prevent the system from going multi-user and to instead execute
|
|
a single-user shell without starting the normal daemons.
|
|
The system is then quiescent for maintenance work and may
|
|
later be made to go to multi-user by exiting the
|
|
single-user shell (with ^D).
|
|
This
|
|
causes
|
|
.Nm
|
|
to run the
|
|
.Pa /etc/rc
|
|
start up command file in fastboot mode (skipping disk checks).
|
|
.Pp
|
|
If the
|
|
.Em console
|
|
entry in the
|
|
.Xr ttys 5
|
|
file is marked
|
|
.Dq insecure ,
|
|
then
|
|
.Nm
|
|
will require that the super-user password be
|
|
entered before the system will start a single-user shell.
|
|
The password check is skipped if the
|
|
.Em console
|
|
is marked as
|
|
.Dq secure .
|
|
.Pp
|
|
The kernel runs with five different levels of security.
|
|
Any super-user process can raise the security level, but no process
|
|
can lower it.
|
|
The security levels are:
|
|
.Bl -tag -width flag
|
|
.It Ic -1
|
|
Permanently insecure mode \- always run the system in level 0 mode.
|
|
This is the default initial value.
|
|
.It Ic 0
|
|
Insecure mode \- immutable and append-only flags may be turned off.
|
|
All devices may be read or written subject to their permissions.
|
|
.It Ic 1
|
|
Secure mode \- the system immutable and system append-only flags may not
|
|
be turned off;
|
|
disks for mounted file systems,
|
|
.Pa /dev/mem ,
|
|
.Pa /dev/kmem
|
|
and
|
|
.Pa /dev/io
|
|
(if your platform has it) may not be opened for writing;
|
|
kernel modules (see
|
|
.Xr kld 4 )
|
|
may not be loaded or unloaded.
|
|
.It Ic 2
|
|
Highly secure mode \- same as secure mode, plus disks may not be
|
|
opened for writing (except by
|
|
.Xr mount 2 )
|
|
whether mounted or not.
|
|
This level precludes tampering with file systems by unmounting them,
|
|
but also inhibits running
|
|
.Xr newfs 8
|
|
while the system is multi-user.
|
|
.Pp
|
|
In addition, kernel time changes are restricted to less than or equal to one
|
|
second.
|
|
Attempts to change the time by more than this will log the message
|
|
.Dq Time adjustment clamped to +1 second .
|
|
.It Ic 3
|
|
Network secure mode \- same as highly secure mode, plus
|
|
IP packet filter rules (see
|
|
.Xr ipfw 8 ,
|
|
.Xr ipfirewall 4
|
|
and
|
|
.Xr pfctl 8 )
|
|
cannot be changed and
|
|
.Xr dummynet 4
|
|
or
|
|
.Xr pf 4
|
|
configuration cannot be adjusted.
|
|
.El
|
|
.Pp
|
|
If the security level is initially nonzero, then
|
|
.Nm
|
|
leaves it unchanged.
|
|
Otherwise,
|
|
.Nm
|
|
raises the level to 1 before going multi-user for the first time.
|
|
Since the level cannot be reduced, it will be at least 1 for
|
|
subsequent operation, even on return to single-user.
|
|
If a level higher than 1 is desired while running multi-user,
|
|
it can be set before going multi-user, e.g., by the startup script
|
|
.Xr rc 8 ,
|
|
using
|
|
.Xr sysctl 8
|
|
to set the
|
|
.Va kern.securelevel
|
|
variable to the required security level.
|
|
.Pp
|
|
If
|
|
.Nm
|
|
is run in a jail, the security level of the
|
|
.Dq host system
|
|
will not be effected.
|
|
Part of the information set up in the kernel to support a jail
|
|
is a per-jail
|
|
.Dq securelevel
|
|
setting.
|
|
This allows running a higher security level inside of a jail
|
|
than that of the host system.
|
|
See
|
|
.Xr jail 8
|
|
for more information about jails.
|
|
.Pp
|
|
In multi-user operation,
|
|
.Nm
|
|
maintains
|
|
processes for the terminal ports found in the file
|
|
.Xr ttys 5 .
|
|
The
|
|
.Nm
|
|
utility reads this file and executes the command found in the second field,
|
|
unless the first field refers to a device in
|
|
.Pa /dev
|
|
which is not configured.
|
|
The first field is supplied as the final argument to the command.
|
|
This command is usually
|
|
.Xr getty 8 ;
|
|
.Nm getty
|
|
opens and initializes the tty line
|
|
and
|
|
executes the
|
|
.Xr login 1
|
|
program.
|
|
The
|
|
.Nm login
|
|
program, when a valid user logs in,
|
|
executes a shell for that user.
|
|
When this shell
|
|
dies, either because the user logged out
|
|
or an abnormal termination occurred (a signal),
|
|
the
|
|
.Nm
|
|
utility wakes up, deletes the user
|
|
from the
|
|
.Xr utmp 5
|
|
file of current users and records the logout in the
|
|
.Xr wtmp 5
|
|
file.
|
|
The cycle is
|
|
then restarted by
|
|
.Nm
|
|
executing a new
|
|
.Nm getty
|
|
for the line.
|
|
.Pp
|
|
The
|
|
.Nm
|
|
utility can also be used to keep arbitrary daemons running,
|
|
automatically restarting them if they die.
|
|
In this case, the first field in the
|
|
.Xr ttys 5
|
|
file must not reference the path to a configured device node
|
|
and will be passed to the daemon
|
|
as the final argument on its command line.
|
|
This is similar to the facility offered in the
|
|
.At V
|
|
.Pa /etc/inittab .
|
|
.Pp
|
|
Line status (on, off, secure, getty, or window information)
|
|
may be changed in the
|
|
.Xr ttys 5
|
|
file without a reboot by sending the signal
|
|
.Dv SIGHUP
|
|
to
|
|
.Nm
|
|
with the command
|
|
.Dq Li "kill -HUP 1" .
|
|
On receipt of this signal,
|
|
.Nm
|
|
re-reads the
|
|
.Xr ttys 5
|
|
file.
|
|
When a line is turned off in
|
|
.Xr ttys 5 ,
|
|
.Nm
|
|
will send a SIGHUP signal to the controlling process
|
|
for the session associated with the line.
|
|
For any lines that were previously turned off in the
|
|
.Xr ttys 5
|
|
file and are now on,
|
|
.Nm
|
|
executes the command specified in the second field.
|
|
If the command or window field for a line is changed,
|
|
the change takes effect at the end of the current
|
|
login session (e.g., the next time
|
|
.Nm
|
|
starts a process on the line).
|
|
If a line is commented out or deleted from
|
|
.Xr ttys 5 ,
|
|
.Nm
|
|
will not do anything at all to that line.
|
|
However, it will complain that the relationship between lines
|
|
in the
|
|
.Xr ttys 5
|
|
file and records in the
|
|
.Xr utmp 5
|
|
file is out of sync,
|
|
so this practice is not recommended.
|
|
.Pp
|
|
The
|
|
.Nm
|
|
utility will terminate multi-user operations and resume single-user mode
|
|
if sent a terminate
|
|
.Pq Dv TERM
|
|
signal, for example,
|
|
.Dq Li "kill \-TERM 1" .
|
|
If there are processes outstanding that are deadlocked (because of
|
|
hardware or software failure),
|
|
.Nm
|
|
will not wait for them all to die (which might take forever), but
|
|
will time out after 30 seconds and print a warning message.
|
|
.Pp
|
|
The
|
|
.Nm
|
|
utility will cease creating new processes
|
|
and allow the system to slowly die away, if it is sent a terminal stop
|
|
.Pq Dv TSTP
|
|
signal, i.e.\&
|
|
.Dq Li "kill \-TSTP 1" .
|
|
A later hangup will resume full
|
|
multi-user operations, or a terminate will start a single-user shell.
|
|
This hook is used by
|
|
.Xr reboot 8
|
|
and
|
|
.Xr halt 8 .
|
|
.Pp
|
|
The
|
|
.Nm
|
|
utility will terminate all possible processes (again, it will not wait
|
|
for deadlocked processes) and reboot the machine if sent the interrupt
|
|
.Pq Dv INT
|
|
signal, i.e.\&
|
|
.Dq Li "kill \-INT 1".
|
|
This is useful for shutting the machine down cleanly from inside the kernel
|
|
or from X when the machine appears to be hung.
|
|
.Pp
|
|
The
|
|
.Nm
|
|
utility will do the same, except it will halt the machine if sent
|
|
the user defined signal 1
|
|
.Pq Dv USR1 ,
|
|
or will halt and turn the power off (if hardware permits) if sent
|
|
the user defined signal 2
|
|
.Pq Dv USR2 .
|
|
.Pp
|
|
When shutting down the machine,
|
|
.Nm
|
|
will try to run the
|
|
.Pa /etc/rc.shutdown
|
|
script.
|
|
This script can be used to cleanly terminate specific programs such
|
|
as
|
|
.Nm innd
|
|
(the InterNetNews server).
|
|
.Pp
|
|
The role of
|
|
.Nm
|
|
is so critical that if it dies, the system will reboot itself
|
|
automatically.
|
|
If, at bootstrap time, the
|
|
.Nm
|
|
process cannot be located, the system will panic with the message
|
|
.Dq "panic: init died (signal %d, exit %d)" .
|
|
.Pp
|
|
If run as a user process as shown in the second synopsis line,
|
|
.Nm
|
|
will emulate
|
|
.At V
|
|
behavior, i.e., super-user can specify the desired
|
|
.Em run-level
|
|
on a command line, and
|
|
.Nm
|
|
will signal the original
|
|
(PID 1)
|
|
.Nm
|
|
as follows:
|
|
.Bl -column Run-level SIGTERM
|
|
.It Sy "Run-level Signal Action
|
|
.It Cm 0 Ta Dv SIGUSR2 Ta "Halt and turn the power off"
|
|
.It Cm 1 Ta Dv SIGTERM Ta "Go to single-user mode"
|
|
.It Cm 6 Ta Dv SIGINT Ta "Reboot the machine"
|
|
.It Cm c Ta Dv SIGTSTP Ta "Block further logins"
|
|
.It Cm q Ta Dv SIGHUP Ta Rescan the
|
|
.Xr ttys 5
|
|
file
|
|
.El
|
|
.Sh DIAGNOSTICS
|
|
.Bl -diag
|
|
.It "getty repeating too quickly on port %s, sleeping."
|
|
A process being started to service a line is exiting quickly
|
|
each time it is started.
|
|
This is often caused by a ringing or noisy terminal line.
|
|
.Bf -emphasis
|
|
Init will sleep for 30 seconds,
|
|
then continue trying to start the process.
|
|
.Ef
|
|
.It "some processes would not die; ps axl advised."
|
|
A process
|
|
is hung and could not be killed when the system was shutting down.
|
|
This condition is usually caused by a process
|
|
that is stuck in a device driver because of
|
|
a persistent device error condition.
|
|
.El
|
|
.Sh FILES
|
|
.Bl -tag -width /etc/rc.shutdown -compact
|
|
.It Pa /dev/console
|
|
system console device
|
|
.It Pa /dev/tty*
|
|
terminal ports found in
|
|
.Xr ttys 5
|
|
.It Pa /var/run/utmp
|
|
record of current users on the system
|
|
.It Pa /var/log/wtmp
|
|
record of all logins and logouts
|
|
.It Pa /etc/ttys
|
|
the terminal initialization information file
|
|
.It Pa /etc/rc
|
|
system startup commands
|
|
.It Pa /etc/rc.shutdown
|
|
system shutdown commands
|
|
.El
|
|
.Sh SEE ALSO
|
|
.Xr kill 1 ,
|
|
.Xr login 1 ,
|
|
.Xr sh 1 ,
|
|
.Xr dummynet 4 ,
|
|
.Xr ipfirewall 4 ,
|
|
.Xr kld 4 ,
|
|
.Xr pf 4 ,
|
|
.Xr ttys 5 ,
|
|
.Xr crash 8 ,
|
|
.Xr getty 8 ,
|
|
.Xr halt 8 ,
|
|
.Xr ipfw 8 ,
|
|
.Xr jail 8 ,
|
|
.Xr pfctl 8 ,
|
|
.Xr rc 8 ,
|
|
.Xr reboot 8 ,
|
|
.Xr shutdown 8 ,
|
|
.Xr sysctl 8
|
|
.Sh HISTORY
|
|
An
|
|
.Nm
|
|
utility appeared in
|
|
.At v6 .
|
|
.Sh CAVEATS
|
|
Systems without
|
|
.Xr sysctl 8
|
|
behave as though they have security level \-1.
|
|
.Pp
|
|
Setting the security level above 1 too early in the boot sequence can
|
|
prevent
|
|
.Xr fsck 8
|
|
from repairing inconsistent file systems.
|
|
The
|
|
preferred location to set the security level is at the end of
|
|
.Pa /etc/rc
|
|
after all multi-user startup actions are complete.
|