On 12/11/2021 22:33, grarpamp wrote:
Flags are not security since root will bypass everything.
Maybe you missed something - you cannot change flags when your system
has security level (kern.securelevel) raised above 0. And this level
cannot be lowered on running system, only at boot time. Also kernel
modules cannot be loaded. See "man security" for more.
While some may beg for anti-footshooting, but
where might that cry end up... chflags -Rhx schg / .
Nor should freebsd fill that role when local admins
know best for and given their own individual environments.
If local tendency is to run around as root and
disrupt your filesystems so bad that even these...
./libexec/ld-elf.so.1
./libexec/ld-elf32.so.1
... get routinely wrecked, then you have bigger local
problems to work on than freebsd can help you with :)
Kind regards
Miroslav Lachman
