smartmontools and kern.securelevel
Ben RUBSON
ben.rubson at gmail.com
Fri Feb 23 16:46:14 UTC 2018
On 23 Feb 2018, Warner Losh wrote:
> On Fri, Feb 23, 2018 at 8:20 AM, Ben RUBSON <ben.rubson at gmail.com> wrote:
>
>> Hi,
>>
>> I run smartmontools on my storage servers, to launch periodic disk tests
>> and alert on disk errors.
>>
>> Unfortunately, if we set sysctl kern.securelevel >=2, smartmontools does
>> not work anymore.
>> Certainly because it needs to write directly to raw devices.
>> (details of the levels, -1 to 3, in security(7))
>>
>> Any workaround to this ?
>>
>> Perhaps we could think about allowing SMART commands to be written to
>> disks when sysctl kern.securelevel >=2 ?
>> (I assume smartmontools writes SMART commands)
>
> Sending raw disks commands is inherently insecure. It's hard to create a
> list of those commands that are OK because of the complexity and
> diversity of the needed functionality. That complexity also makes it hard
> to put the commands into a series of ioctls which could be made more
> secure.
Thank you for your feedback Warner.
Can't all SMART commands be easily identified among the others ? (when a
command arrives, does kernel sees it is SMART flagged ?)
Perhaps you assume some SMART commands may be dangerous for the disks' data
itself ?
Thank you again,
Ben
More information about the freebsd-scsi
mailing list