On 29.05.2014 12:56, Vladimir Sharun wrote: > Hello, > >> if you have root privileges you can just write some random bytes in some >> places and this will be enough to break your system. So, restricting >> some gpart's or zpool's actions depending from securelevel looks like >> protection from kids. > > Having root under securelevel 3 confirmed disallows you to: > 1) Direct write to the block devices such as (a)da > 2) Change rules and/or shutdown pf > 3) Remove system flags such as schg, sunlnk > > I think your statement true in case of securelevel -1, we're talking about > the highest one - 3, which shown in logs. Ok, you are right. But geom_dev restricts access only from user level applications. When GEOM object does access directly via GEOM methods this protection won't work. And it seems it isn't easy to fix, all classes should have own check. -- WBR, Andrey V. Elsukov
This archive was generated by hypermail 2.4.0 : Wed May 19 2021 - 11:40:49 UTC