gpart destroy, zpool destroy, zfs destroy under securelevel 3

Andrey V. Elsukov bu7cher at yandex.ru
Thu May 29 09:29:19 UTC 2014


On 29.05.2014 12:56, Vladimir Sharun wrote:
> Hello,
> 
>> if you have root privileges you can just write some random bytes in some
>> places and this will be enough to break your system. So, restricting
>> some gpart's or zpool's actions depending on securelevel looks like
>> protection from kids.
> 
> Having root under securelevel 3 confirmed disallows you to:
> 1) Direct write to the block devices such as (a)da
> 2) Change rules and/or shutdown pf
> 3) Remove system flags such as schg, sunlnk
> 
> I think your statement is true in the case of securelevel -1; we're talking about
> the highest one - 3, which is shown in the logs.

Ok, you are right. But geom_dev restricts access only from user-level
applications. When a GEOM object does access directly via GEOM methods,
this protection won't work. And it seems it isn't easy to fix; all
classes should have their own check.

-- 
WBR, Andrey V. Elsukov
