smartmontools and kern.securelevel

Warner Losh imp at bsdimp.com
Fri Feb 23 15:25:13 UTC 2018


On Fri, Feb 23, 2018 at 8:20 AM, Ben RUBSON <ben.rubson at gmail.com> wrote:

> Hi,
>
> I run smartmontools on my storage servers, to launch periodic disk tests
> and alert on disk errors.
>
> Unfortunately, if we set sysctl kern.securelevel >=2, smartmontools does
> not work anymore.
> Certainly because it needs to write directly to raw devices.
> (details of the levels, -1 to 3, in security(7))
>
> Any workaround to this ?
>
> Perhaps we could think about allowing SMART commands to be written to
> disks when sysctl kern.securelevel >=2 ?
> (I assume smartmontools writes SMART commands)
>

Sending raw disks commands is inherently insecure. It's hard to create a
list of those commands that are OK because of the complexity and diversity
of the needed functionality. That complexity also makes it hard to put the
commands into a series of ioctls which could be made more secure.

Warner


More information about the freebsd-scsi mailing list