> Wait, there's more, I think:
>
> There's potentially a big lag between when inetd is started and
> when securelevel 1 is set.  Isn't this a window big enough to
> drive a truck through?  Extrapolate to taste for other daemons
> that get started in single user mode and take input from the
> net (eg mountd/nfsd).
>
> No amount of immutable bits will save us from this one - these
> daemons can't become active until securelevel is set to 1.

Isn't this something you could relatively easily fix with a call
to "sysctl -w kern.securelevel=1" placed at the appropriate spot
in the startup process?

- Havard