13.1. What is a sandbox?
“Sandbox” is a security term. It can mean two things:
UNIX® implements two core sandboxes. One is at the process level, and one is at the userid level. Every UNIX® process is completely firewalled off from every other UNIX® process. One process cannot modify the address space of another. A UNIX® process is owned by a particular userid. If the user ID is not the
13.2. What is securelevel?
To check the status of the securelevel on a running system:
The output contains the current value of the securelevel. If it is greater than 0, at least some of the securelevel's protections are enabled. The securelevel of a running system cannot be lowered, as this would defeat its purpose. If a task requires that the securelevel be non-positive, change the
For more information on securelevel and the specific things all the levels do, consult init(8).
Warning: Securelevel is not a silver bullet; it has many known deficiencies. More often than not, it provides a false sense of security. One of its biggest problems is that in order for it to be at all effective, all files used in the boot process up until the securelevel is set must be protected. If an attacker can get the system to execute their code prior to the securelevel being set (which happens quite late in the boot process since some things the system must do at start-up cannot be done at an elevated securelevel), its protections are invalidated. While this task of protecting all files used in the boot process is not technically impossible, if it is achieved, system maintenance will become a nightmare since one would have to take the system down, at least to single-user mode, to modify a configuration file. This point and others are often discussed on the mailing lists, particularly the FreeBSD security mailing list. Search the archives here for an extensive discussion. A more fine-grained mechanism is preferred.
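The warning above depends on whether every file on the boot path is protected. As an added example (not part of the FreeBSD documentation), this script reads `ls -lo` output and lists the files that lack the system-immutable `schg` flag, which cannot be cleared at securelevel 1 and above. The sample listing and the choice of files are constructed assumptions, not a complete boot path.

```shell
#!/bin/sh
# Added example: report boot-path files that are not system-immutable (schg).
# A file without schg stays writable by root at any securelevel, so it can be
# altered and then executed at the next boot, before the securelevel is raised.

# Constructed sample in FreeBSD `ls -lo` format; field 5 is the flags column.
# The file names are assumptions chosen for illustration.
sample_listing() {
    cat <<'EOF'
-r-xr-xr-x  1 root  wheel  schg      1180512 Jan  5 10:02 /sbin/init
-r--r--r--  1 root  wheel  schg,uarch    421 Jan  5 10:02 /boot/loader.conf
-rw-r--r--  1 root  wheel  -             912 Feb  9 18:40 /etc/rc.conf
-rw-r--r--  1 root  wheel  uarch        4303 Jan  5 10:02 /etc/rc
-r-xr-xr-x  1 root  wheel  -            2210 Mar  1 09:15 /usr/local/etc/rc.d/example
EOF
}

# Reads `ls -lo` lines on stdin and prints the path of every file lacking schg.
# The flags column may hold several comma-separated flags, e.g. "schg,uarch".
unprotected_boot_files() {
    awk '
        NF >= 10 {
            locked = 0
            n = split($5, flags, ",")
            for (i = 1; i <= n; i++)
                if (flags[i] == "schg") locked = 1
            if (!locked) {
                # Rejoin the path in case it contains spaces.
                path = $10
                for (i = 11; i <= NF; i++) path = path " " $i
                print path
            }
        }'
}

# Run over the constructed sample. On a FreeBSD host, feed it real output:
#   ls -lo /sbin/init /boot/loader.conf /etc/rc.conf | unprotected_boot_files
sample_listing | unprotected_boot_files
```

Every path printed is a file that root can still modify after the securelevel has been raised.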
13.3. What is this UID 0
Do not worry. Some people use
All FreeBSD documents are available for download at https://download.freebsd.org/ftp/doc/
Questions that are not answered by the documentation may be sent to <freebsd-questions@FreeBSD.org>.
Send questions about this document to <freebsd-doc@FreeBSD.org>.