Date: Fri, 4 Apr 2025 13:23:38 -0400 From: Paul Procacci <pprocacci@gmail.com> To: Albert Shih <Albert.Shih@obspm.fr> Cc: freebsd-questions@freebsd.org Subject: Re: Securing FreeBSD. Message-ID: <CAFbbPugC7PfK__%2B4_vbHOtPSeMdU2XO3FU5AdSkpsi9taq=7rQ@mail.gmail.com> In-Reply-To: <Z_ATQA2k-3umIaLo@io.chezmoi.fr>
index | next in thread | previous in thread | raw e-mail
On Fri, Apr 4, 2025 at 1:14 PM Albert Shih <Albert.Shih@obspm.fr> wrote:
>
> Hi everyone.
>
> Is they are any way to secure a FreeBSD to prevent destroying data ?
>
> I find out even with
>
> kern.securelevel=2
>
> root can still do something like
>
> umount /data
> gpart delete -i 1 dev_under_data
>
> then create something different with for example
>
> gpart add -t something -a somethingdifferentfrominit dev_under_data
>
> I also try zfs, but zpool can still be use to destroy every pool.
>
> Currently the only solution I find is to create a huge / and store data
> under / (no a partition), because I'm guessing it would be hard to umount /
>
> Any other solution ?
>
> For example, I see with securelevel=2 the «bad guy» would be unable to
> create a new filesystem, so is they are any way to backup the «partition
> table» ? And put them back after he create another ?
>
> Regards
>
> --
> Albert SHIH 🦫 🐸
> Heure locale/Local time:
> ven. 04 avril 2025 19:06:58 CEST
>
So you want to be root, without having the power of root.
Try logging into the system with a different user and the problem is
solved -- tongue and cheek.
Anything root can do, it can also undo. There's no way around that.
~Paul
--
__________________
:(){ :|:& };:
help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CAFbbPugC7PfK__%2B4_vbHOtPSeMdU2XO3FU5AdSkpsi9taq=7rQ>