> ya...@sdf.org wrote:
>> > I think the man page says flags can only be unset in single user mode.
>>
>> Yes and no...
>> This unset behavior IS mentioned in secmodel_securelevel(9) [thanks Jan]
>> But not that I can see in chflags(1)
>
> It is now:
> https://mail-index.netbsd.org/source-changes/2023/05/18/msg144818.html
FWIW, I was successful in temporarily booting with kernel security level -1 in multi-user, to remove the flags. That was important to me because my server is somewhat remote and single-user console is cumbersome...

As to the commit, would it be possible to add a link to secmodel_securelevel(9) in chflags(1) in addition to the note in the current revision?

On a side note, thinking about this immutable flag mechanism, I can certainly see the use case to harden a server. But, in a case like mine where I naively walked into it, if I could disable the flags mechanism with a kernel flag (?) I'd probably select this option unless my use case requires hardening...