This is the BSDA Study Guide Book written via a
This is a work in progress. You may contribute to or discuss this specific page at http://bsdwiki.reedmedia.net/wiki/View_and_modify_file_flags.html.
View and modify file flags
Author: Ivan Voras IvanVoras FreeBSD
Understand how file flags augment traditional
Unix permissions and should recognize how to view and modify the immutable,
append-only and undelete flags.
All current BSD system support an additional mechanism for fine-grained tuning of file security called "file flags". Though similar, this should not be confused with standard Unix file access modes. The flags are:
archived - The file may been archived
opaque - The directory is opaque when viewed through a unionfs stack
nodump - The file is to be ignored by backup utilities (like dump(1))
sappend - The file can only be appended to (cannot change it's contents) by any and all users
schange - The file can not be changed by any and all users
sunlink - The file cannot be unlinked
uappend - The file can only be appended to by its owner
uchange - The file can only be changed by its owner
uunlink - The file can only be unlinked by its owner
Some of these flags can only be (re)set by the super-user. This includes
archived and all
A very important aspect of file flags is how they interact with
securelevel is set to 1 or above, flags cannot be modified even by root, thus enabling creation of fortified system that cannot be damaged (deliberately or not) by the superuser. Note: Secure levels are covered in Determine the system's security level.
The ideas behind the security-related flags are:
- Log files should be append-only, thus preventing an attacker to mask his trail by modifying them
- In a similar vein, log files should be prevented from deletion (i.e. unlink)
- System configuration files, SUID files, and other (at administrator's discretion) must be prevented from unauthorized change.
Downsides of this approach are that most administrative tasks must be done in single user mode on the machine's console, and that log rotation cannot work or is very tricky to do.
Some utilities have been modified to natively support file flags. For example,
-o argument to display file flags for each file.
> chflags uappend important.log
> ls -l important.log
-rw-r--r-- 1 ivoras ivoras 172 Jan 20 00:42 important.log
> ls -lo important.log
-rw-r--r-- 1 ivoras ivoras uappnd 172 Jan 20 00:42 important.log
> echo garbage > important.log
important.log: Operation not permitted.
> echo garbage >> important.log
> mv important.log unimportant.log
important.log: Operation not permitted
sappend flag to
/var/log/userlog. Investigate what happens when log rotation is attempted.
- List files in
/usr/bin and inspect their flags - notice that some are marked
schg) by default.
- Not all utilities understand BSD file flags - check your backup and file management tools.