From nobody Fri Apr 04 19:55:56 2025
X-Original-To: freebsd-questions@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 4ZTq9G2pm5z5sLRr
	for <freebsd-questions@mlmmj.nyi.freebsd.org>; Fri, 04 Apr 2025 19:56:02 +0000 (UTC)
	(envelope-from Albert.Shih@obspm.fr)
Received: from mx-p1.obspm.fr (mx-p1.obspm.fr [145.238.193.20])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "*.obspm.fr", Issuer "GEANT OV RSA CA 4" (verified OK))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4ZTq9F2DL6z3wK2
	for <freebsd-questions@freebsd.org>; Fri, 04 Apr 2025 19:56:01 +0000 (UTC)
	(envelope-from Albert.Shih@obspm.fr)
Authentication-Results: mx1.freebsd.org;
	dkim=pass header.d=obspm.fr header.s=mail header.b=OURKJSJ8;
	dmarc=pass (policy=none) header.from=obspm.fr;
	spf=pass (mx1.freebsd.org: domain of Albert.Shih@obspm.fr designates 145.238.193.20 as permitted sender) smtp.mailfrom=Albert.Shih@obspm.fr
X-AuthUser: jas
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=obspm.fr; s=mail;
	t=1743796558; bh=Yb4OKTqJXvs1BxLpCv+O9hVwaNIi5uxQx+0sNoK6lXA=;
	h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
	b=OURKJSJ8Gc2vV4di1vFv3eU/aTuvTQ61YNXUjGnXnt2sYM3nfc72EJ7mHlRVjsFJ9
	 ckOdCIBjhgN9Uz8Uh6l9A6ONOftxwjB2pImt2aAqJ2KvisPnU/DH0/SwpBys1b0prO
	 61Q+SXu1qqsDQdghIHyMfouolddRa4xEcfv5lUz2PXDbi9ltCirpXNgFvV0IHsM5pa
	 YMPPagP+KxTUHues1pm8ByHV/gCvL0rrnwmb8ZKIBQHlhMWjp0Gjz7fH7zB4j69cwh
	 rBjduoYUXwMRFJud4UY+z7jdluaQThgntNO9pKe9H5JtPH6P9nYlhxbOkSJyai7A6M
	 +yI8GJ20KWPEw==
Received: from io.chezmoi.fr (vpn.obspm.fr [145.238.186.39])
	(authenticated bits=0)
	by mx-p1.obspm.fr (8.15.2/8.15.2/DIO Observatoire de Paris - 15/04/10) with ESMTPSA id 534JtuXb3397793
	(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT);
	Fri, 4 Apr 2025 21:55:58 +0200
Date: Fri, 4 Apr 2025 21:55:56 +0200
From: Albert Shih <Albert.Shih@obspm.fr>
To: Aryeh Friedman <aryeh.friedman@gmail.com>
Cc: Paul Procacci <pprocacci@gmail.com>, freebsd-questions@freebsd.org
Subject: Re: Securing FreeBSD.
Message-ID: <Z_A5THon7ol-nNA8@io.chezmoi.fr>
References: <Z_ATQA2k-3umIaLo@io.chezmoi.fr>
 <CAFbbPugC7PfK__+4_vbHOtPSeMdU2XO3FU5AdSkpsi9taq=7rQ@mail.gmail.com>
 <Z_AmlH-_jA0Advng@io.chezmoi.fr>
 <CAGBxaXk819uEkV2fvJV0v3Eewr7YM29yMrqZJ8eewOerG5OSVQ@mail.gmail.com>
List-Id: User questions <freebsd-questions.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-questions
List-Help: <mailto:questions+help@freebsd.org>
List-Post: <mailto:questions@freebsd.org>
List-Subscribe: <mailto:questions+subscribe@freebsd.org>
List-Unsubscribe: <mailto:questions+unsubscribe@freebsd.org>
X-BeenThere: freebsd-questions@freebsd.org
Sender: owner-freebsd-questions@FreeBSD.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
In-Reply-To: <CAGBxaXk819uEkV2fvJV0v3Eewr7YM29yMrqZJ8eewOerG5OSVQ@mail.gmail.com>
X-Greylist: Sender succeeded SMTP AUTH, not delayed by milter-greylist-4.6.2 (mx-p1.obspm.fr [145.238.193.20]); Fri, 04 Apr 2025 21:55:58 +0200 (CEST)
X-Virus-Scanned: clamav-milter 1.0.7 at mx-p1
X-Virus-Status: Clean
X-Spamd-Result: default: False [-5.69 / 15.00];
	DWL_DNSWL_LOW(-1.00)[obspm.fr:dkim];
	NEURAL_HAM_LONG(-1.00)[-1.000];
	NEURAL_HAM_MEDIUM(-1.00)[-1.000];
	NEURAL_HAM_SHORT(-0.99)[-0.986];
	RCVD_DKIM_ARC_DNSWL_MED(-0.50)[];
	DMARC_POLICY_ALLOW(-0.50)[obspm.fr,none];
	RCVD_IN_DNSWL_MED(-0.40)[145.238.193.20:from,145.238.186.39:received];
	ONCE_RECEIVED(0.20)[];
	R_DKIM_ALLOW(-0.20)[obspm.fr:s=mail];
	R_SPF_ALLOW(-0.20)[+ip4:145.238.193.20];
	MIME_GOOD(-0.10)[text/plain];
	RCVD_TLS_ALL(0.00)[];
	FREEMAIL_TO(0.00)[gmail.com];
	FREEMAIL_CC(0.00)[gmail.com,freebsd.org];
	ARC_NA(0.00)[];
	MIME_TRACE(0.00)[0:+];
	DKIM_TRACE(0.00)[obspm.fr:+];
	RCVD_COUNT_ONE(0.00)[1];
	MISSING_XM_UA(0.00)[];
	MLMMJ_DEST(0.00)[freebsd-questions@freebsd.org];
	TO_MATCH_ENVRCPT_SOME(0.00)[];
	FROM_EQ_ENVFROM(0.00)[];
	RCPT_COUNT_THREE(0.00)[3];
	TAGGED_RCPT(0.00)[];
	ASN(0.00)[asn:2200, ipnet:145.238.0.0/16, country:FR];
	RCVD_VIA_SMTP_AUTH(0.00)[];
	TO_DN_SOME(0.00)[];
	FROM_HAS_DN(0.00)[]
X-Rspamd-Queue-Id: 4ZTq9F2DL6z3wK2
X-Spamd-Bar: -----

Le 04/04/2025 à 14:40:28-0400, Aryeh Friedman a écrit
> On Fri, Apr 4, 2025 at 2:36 PM Albert Shih <Albert.Shih@obspm.fr> wrote:
> >
> > Le 04/04/2025 à 13:23:38-0400, Paul Procacci a écrit
> > > On Fri, Apr 4, 2025 at 1:14 PM Albert Shih <Albert.Shih@obspm.fr> wrote:
> > > >
> > > >
> > >
> > > So you want to be root, without having the power of root.
> > > Try logging into the system with a different user and the problem is
> > > solved -- tongue and cheek.
> >
> > No, I want to make the system in a state where root *cannot* remove some
> > file.
> 
> Isn't the very definition of root (superuser) is that they can do *ANYTHING*?

Well....not always...try this :

  echo 'kern.securelevel=2' >> /etc/sysctl.conf
  chflags schg /etc/sysctl.conf
  sysctl kern.securelevel=2
  touch /root/file
  chflags schg /root/file

and tell me how you will remove the file

  /root/file

without be in the front of the server (no IPMI, no drac etc.)

Regards
-- 
Albert SHIH 🦫 🐸
France
Heure locale/Local time:
ven. 04 avril 2025 21:20:38 CEST