From owner-freebsd-current@FreeBSD.ORG Thu May 29 08:12:19 2014 Return-Path: Delivered-To: freebsd-current@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 78995571; Thu, 29 May 2014 08:12:19 +0000 (UTC) Received: from forward3l.mail.yandex.net (forward3l.mail.yandex.net [IPv6:2a02:6b8:0:1819::3]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client CN "forwards.mail.yandex.net", Issuer "Certum Level IV CA" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 3011A2B98; Thu, 29 May 2014 08:12:19 +0000 (UTC) Received: from smtp4h.mail.yandex.net (smtp4h.mail.yandex.net [84.201.186.21]) by forward3l.mail.yandex.net (Yandex) with ESMTP id AD4BA150103F; Thu, 29 May 2014 12:12:15 +0400 (MSK) Received: from smtp4h.mail.yandex.net (localhost [127.0.0.1]) by smtp4h.mail.yandex.net (Yandex) with ESMTP id 1B9762C36DE; Thu, 29 May 2014 12:12:14 +0400 (MSK) Received: from 5.255.234.249-red.dhcp.yndx.net (5.255.234.249-red.dhcp.yndx.net [5.255.234.249]) by smtp4h.mail.yandex.net (nwsmtp/Yandex) with ESMTPSA id KikQbClU3L-CEFaEWin; Thu, 29 May 2014 12:12:14 +0400 (using TLSv1 with cipher AES128-SHA (128/128 bits)) (Client certificate not present) X-Yandex-Uniq: ac8ee6fe-8f90-49ad-a5f9-e48e66980a22 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yandex.ru; s=mail; t=1401351134; bh=GzIS2P8JCN/xj1TP2EZmR1uD3WvxW7DC+hnbkWU8st8=; h=Message-ID:Date:From:User-Agent:MIME-Version:To:Subject: References:In-Reply-To:X-Enigmail-Version:Content-Type: Content-Transfer-Encoding; b=IuPhk4nNXEUpDPkOPichHCRJFibwghtXebFxwYD/xvjxhWW0YNWoFhybd9ugNevSR zv/0yZKDDeWlO8fsgMQmSe3Gv0VV5qvtuBw82fbzyDvgsbfNTJHfBkUQIGaDEhaGDO Pv7WX0zIsNDGLGdbtBwXNM1f5q6MwiAUdcnjOCJ8= Authentication-Results: smtp4h.mail.yandex.net; dkim=pass header.i=@yandex.ru Message-ID: <5386EBC6.2090306@yandex.ru> Date: Thu, 29 May 2014 12:11:50 +0400 From: "Andrey V. Elsukov" User-Agent: Mozilla/5.0 (X11; FreeBSD amd64; rv:24.0) Gecko/20100101 Thunderbird/24.5.0 MIME-Version: 1.0 To: Vladimir Sharun , Current FreeBSD Subject: Re: gpart destroy, zpool destroy, zfs destroy under securelevel 3 References: <1401109957.895077023.n4pnr8ak@frv45.fwdcdn.com> In-Reply-To: <1401109957.895077023.n4pnr8ak@frv45.fwdcdn.com> X-Enigmail-Version: 1.6 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-BeenThere: freebsd-current@freebsd.org X-Mailman-Version: 2.1.18 Precedence: list List-Id: Discussions about the use of FreeBSD-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 29 May 2014 08:12:19 -0000 On 26.05.2014 17:31, Vladimir Sharun wrote: > Hello FreeBSD community, > > Recently plays with securelevel and what I discover: no chance for > data to survive against remote root, except backups of course. Maybe > this log can be a proposal for raising securelevel further or include > securelevel support against the software which can deal with zfs and > GEOM labels ? Hi, if you have root privileges you can just write some random bytes in some places and this will be enough to break your system. So, restricting some gpart's or zpool's actions depending from securelevel looks like protection from kids. -- WBR, Andrey V. Elsukov