From: Miroslav Lachman <000.fbsd@quip.cz>
To: grarpamp, current@freebsd.org
Subject: Re: Extracting base.txz files missing flags
Date: Fri, 12 Nov 2021 23:29:24 +0100
Message-ID: <72ea461d-6b16-a661-ac73-66aeb098208d@quip.cz>
References: <87fss1rxfl.wl-herbert@gojira.at>
List-Id: Discussions about the use of FreeBSD-current
List-Archive: https://lists.freebsd.org/archives/freebsd-current

On 12/11/2021 22:33, grarpamp wrote:

> Flags are not security since root will bypass everything.

Maybe you missed something - you cannot change flags when your system has the security level (kern.securelevel) raised above 0. And this level cannot be lowered on a running system, only at boot time. Also kernel modules cannot be loaded. See "man security" for more.

> While some may beg for anti-footshooting, but
> where might that cry end up... chflags -Rhx schg / .
> Nor should freebsd fill that role when local admins
> know best for and given their own individual environments.
> If local tendency is to run around as root and
> disrupt your filesystems so bad that even these...
>> ./libexec/ld-elf.so.1
>> ./libexec/ld-elf32.so.1
> ... get routinely wrecked, then you have bigger local
> problems to work on than freebsd can help you with :)

Kind regards
Miroslav Lachman
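
The distinction drawn in the reply above, as an added example that is not part of the original message: a schg flag only holds against root once kern.securelevel is above 0, so an audit of extracted base files has to check both the flag and the level. The listing is constructed sample data in FreeBSD `ls -lo` layout, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example. Sample listing is constructed; sizes and dates are made up.
# Assumes FreeBSD `ls -lo` layout: file flags are the 5th whitespace field.
SAMPLE='-r-xr-xr-x  1 root  wheel  schg        155432 Nov 12 22:00 /libexec/ld-elf.so.1
-r-xr-xr-x  1 root  wheel  -           131208 Nov 12 22:00 /libexec/ld-elf32.so.1
-r-xr-xr-x  1 root  wheel  schg,uarch   24576 Nov 12 22:00 /sbin/init'

# root_can_clear LEVEL: "yes" while kern.securelevel is 0 or below, where
# root may still run `chflags noschg`; "no" once it has been raised above 0.
root_can_clear() {
    if [ "$1" -ge 1 ]; then echo no; else echo yes; fi
}

# missing_schg: read `ls -lo` lines on stdin, print paths without schg.
missing_schg() {
    awk '{
        ok = 0
        n = split($5, flags, ",")          # e.g. "schg,uarch" or "-"
        for (i = 1; i <= n; i++) if (flags[i] == "schg") ok = 1
        if (!ok) print $NF                 # path is the last field
    }'
}

# audit LEVEL: classify a listing read from stdin.
audit() {
    missing=$(missing_schg | tr '\n' ' ')
    if [ -n "$missing" ]; then
        echo "UNPROTECTED: ${missing% }"
    elif [ "$(root_can_clear "$1")" = yes ]; then
        echo "ADVISORY: schg present, root can clear it at securelevel $1"
    else
        echo "ENFORCED: schg present and locked at securelevel $1"
    fi
}

# On a live FreeBSD host the inputs would come from:
#   ls -lo /libexec/ld-elf.so.1 /libexec/ld-elf32.so.1 | audit "$(sysctl -n kern.securelevel)"
for level in -1 1; do
    printf 'securelevel %s, after extraction without flags: ' "$level"
    printf '%s\n' "$SAMPLE" | audit "$level"
    printf 'securelevel %s, flags restored: ' "$level"
    printf '%s\n' "$SAMPLE" | sed 's/ - / schg /' | audit "$level"
done
```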