This is an OpenPGP/MIME signed message (RFC 4880 and 3156) --7WrU8S3vKrR0WAUtIChkKBW374igPrhjm Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable On 29.05.2014 12:56, Vladimir Sharun wrote: > Hello, >=20 >> if you have root privileges you can just write some random bytes in so= me >> places and this will be enough to break your system. So, restricting >> some gpart's or zpool's actions depending from securelevel looks like >> protection from kids. >=20 > Having root under securelevel 3 confirmed disallows you to: > 1) Direct write to the block devices such as (a)da > 2) Change rules and/or shutdown pf > 3) Remove system flags such as schg, sunlnk >=20 > I think your statement true in case of securelevel -1, we're talking ab= out > the highest one - 3, which shown in logs. Ok, you are right. But geom_dev restricts access only from user level applications. When GEOM object does access directly via GEOM methods this protection won't work. And it seems it isn't easy to fix, all classes should have own check. --=20 WBR, Andrey V. Elsukov --7WrU8S3vKrR0WAUtIChkKBW374igPrhjm Content-Type: application/pgp-signature; name="signature.asc" Content-Description: OpenPGP digital signature Content-Disposition: attachment; filename="signature.asc" -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (FreeBSD) iQEcBAEBAgAGBQJThv3LAAoJEAHF6gQQyKF6TzcIALvO66qLoaOi0ehkaUk5L2LN ZuqjW9F+ZEWg8hrMEKWJCUO8iOJXKPow1QDsfguIizgJfAVY779Ebl9RygIF6QLV 35Cfbuy628z3MmXtoWt/LUK5DxGvm91jMCTXrq3e4qUjENzYNsc3AlJ6spsWvOUA 9t34MQk6dL3dvZEWtqPfrrJTN6+z/44bIRKlkMgrUPTfAini0Ka5Rc+XYOpNK7H+ uM2DgBsr8kUeJotA+nN6CsnAhoSxE8acM8aKEM/bycFpfppifcfh2+Yw4Nvdbn72 M+7bw2LqbSW/mMCYdLhTqetegXf602AI3ybjYCTSFnwaHCghZnTyO1URf++7/B4= =t3yb -----END PGP SIGNATURE----- --7WrU8S3vKrR0WAUtIChkKBW374igPrhjm--