smartmontools and kern.securelevel
ben.rubson at gmail.com
Fri Feb 23 16:46:14 UTC 2018
On 23 Feb 2018, Warner Losh wrote:
> On Fri, Feb 23, 2018 at 8:20 AM, Ben RUBSON <ben.rubson at gmail.com> wrote:
>> I run smartmontools on my storage servers, to launch periodic disk tests
>> and alert on disk errors.
>> Unfortunately, if we set sysctl kern.securelevel >=2, smartmontools does
>> not work anymore.
>> Certainly because it needs to write directly to raw devices.
>> (details of the levels, -1 to 3, in security(7))
>> Any workaround for this?
>> Perhaps we could think about allowing SMART commands to be written to
>> disks when sysctl kern.securelevel >=2?
>> (I assume smartmontools writes SMART commands)
> Sending raw disk commands is inherently insecure. It's hard to create a
> list of those commands that are OK because of the complexity and
> diversity of the needed functionality. That complexity also makes it hard
> to put the commands into a series of ioctls which could be made more
Thank you for your feedback Warner.
Can't all SMART commands be easily identified among the others? (When a
command arrives, does the kernel see that it is SMART flagged?)
Perhaps you assume some SMART commands may be dangerous for the disks' data
Thank you again,