Re: Tough question for oracle DBAs/Solaris Admins. Log shipping.

In comp.unix.bsd.openbsd.misc Logan Shaw <lshaw-usenet@austin.rr.com> wrote:
> Karen Hill wrote:
>> Stefaan A Eeckels wrote:
>>> On 1 Sep 2006 12:28:12 -0700
>>> "Karen Hill" <karen_hill22@yahoo.com> wrote:
>>>
>>>> Immutable files are files where not even root
>>>> can change/delete/move a file set as immutable.
>>> But root can unset the immutable flag. Thus it only serves as
>>> protection against accidental deletions or modifications. This is
>>> slightly useful. Roles are better for that purpose.
>>
>> Not when they are at a networked run level according to the OpenBSD man
>> page on the subject. They would have to reboot, or bring it down to
>> single user mode to do that.
>
> Do you mean they'd have to reboot to do it at all, or do you mean that
> they'd have to reboot to do it in a supported manner? I strongly
> suspect it's the latter. After all, at some level, it's all bits and
> bytes (both on disk and in RAM), so if you can execute privileged
> instructions on the processor, you can do whatever you want, period.

I am not currently aware of any way to change the runlevel from a
running OpenBSD system - by design, root cannot execute kernel-level
('privileged' in your message, I believe) code.

One of the ways of doing this is denying access to kernel memory - see
mem(4), securelevel(7) on an OpenBSD system.

However, see my other message...

Joachim
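
The distinction argued over in this thread, as an added example that is not part of the original posts: per securelevel(7), the system flags `schg` and `sappnd` cannot be cleared once `kern.securelevel` is 1 or higher, while the user flags `uchg` and `uappnd` can always be cleared by the file's owner or root. The function names, status labels and the `ls -lo` sample lines are constructed for illustration.

```shell
#!/bin/sh
# Audit which files root could still un-protect on a running system.
# Inputs: the value of `sysctl -n kern.securelevel` and `ls -lo` output,
# whose fifth column holds the file flags ("-" when none are set).

# classify_flags LEVEL FLAGS -> locked | root-clearable | owner-clearable | unprotected
classify_flags() {
    level=$1
    flags=$2
    case ",$flags," in
        *,schg,*|*,sappnd,*)
            # System flags: removable only while securelevel is below 1.
            if [ "$level" -ge 1 ]; then echo locked
            else echo root-clearable; fi ;;
        *,uchg,*|*,uappnd,*)
            # User flags: the owner or root can clear them at any securelevel.
            echo owner-clearable ;;
        *)
            echo unprotected ;;
    esac
}

# audit_listing LEVEL: reads `ls -lo` lines on stdin, prints "status path".
audit_listing() {
    lvl=$1
    while read -r mode links owner group flags size mon day tod name; do
        [ -n "$name" ] || continue          # skip short or blank lines
        printf '%s %s\n' "$(classify_flags "$lvl" "$flags")" "$name"
    done
}

# Constructed sample listing (not taken from a real host).
SAMPLE='-rw-r-----  1 root  wheel  sappnd  48211 Sep  1 12:28 /var/log/authlog
-rw-r--r--  1 root  wheel  schg     1024 Sep  1 12:00 /etc/rc.securelevel
-rw-r--r--  1 root  wheel  uchg      512 Sep  1 12:00 /var/log/daemon
-rw-r--r--  1 root  wheel  -        2048 Sep  1 12:00 /var/log/messages'

audit_sample() { printf '%s\n' "$SAMPLE" | audit_listing "$1"; }

audit_sample 1
```

On a live OpenBSD host the same check would be fed with `ls -lo /var/log | audit_listing "$(sysctl -n kern.securelevel)"`.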