>> [...] it seems to me that a machine that to which you have console
>> access that also has ddb is not much more secure than a dos
>> machine...

Probably true.  Even if securelevel can't be patched directly, there
are lots of other interesting things you can do, like patching the
p_cred->cr_uid field for your shell, or diking out certain suser()
calls in the kernel text segment.

> But what i was saying was that if you have physical access to a
> machine (which is different from mere console access), you can do as
> you please with it.  At the very worst, plug a floppy in and boot
> from there (DOS, and then use a sector editor...)

Heh.  _Real_ machines have PROM passwords so that you-the-sysadmin can
prevent booting from alternative media by people ignorant of the
password.  (Remember, not everything runs DOS, either - this _is_
current-users, not port-i386.)  (Though as you say, given physical
access and the time and knowledge to use it to good advantage, you can
work around such things.  "One more hurdle"....)

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B