View and modify file flags
Author: Ivan Voras IvanVoras FreeBSD
Reviewer: name contact BSD flavour
Reviewer: name contact BSD flavour
Concept
Understand how file flags augment traditional Unix permissions and should recognize how to view and modify the immutable, append-only and undelete flags.
Introduction
All current BSD system support an additional mechanism for fine-grained tuning of file security called "file flags". Though similar, this should not be confused with standard Unix file access modes. The flags are:
archived
- The file may been archivedopaque
- The directory is opaque when viewed through a unionfs(((unionfs))) stacknodump
- The file is to be ignored by backup utilities (like dump(1))sappend
- The file can only be appended to (cannot change it's contents) by any and all usersschange
- The file can not be changed by any and all userssunlink
- The file cannot be unlinkeduappend
- The file can only be appended to by its owneruchange
- The file can only be changed by its owneruunlink
- The file can only be unlinked by its owner
Some of these flags can only be (re)set by the super-user. This includes archived
and all s*
flags.
A very important aspect of file flags is how they interact with securelevel
. When securelevel
is set to 1 or above, flags cannot be modified even by root, thus enabling creation of fortified system that cannot be damaged (deliberately or not) by the superuser. Note: Secure levels are covered in Determine the system's security level.
The ideas behind the security-related flags are:
- Log files should be append-only, thus preventing an attacker to mask his trail by modifying them
- In a similar vein, log files should be prevented from deletion (i.e. unlink)
- System configuration files, SUID files, and other (at administrator's discretion) must be prevented from unauthorized change.
Downsides of this approach are that most administrative tasks must be done in single user mode on the machine's console, and that log rotation cannot work or is very tricky to do.
Some utilities have been modified to natively support file flags. For example, ls
accepts -o
argument to display file flags for each file.
Examples
> chflags uappend important.log
(succeeds)
> ls -l important.log
-rw-r--r-- 1 ivoras ivoras 172 Jan 20 00:42 important.log
> ls -lo important.log
-rw-r--r-- 1 ivoras ivoras uappnd 172 Jan 20 00:42 important.log
> echo garbage > important.log
important.log: Operation not permitted.
> echo garbage >> important.log
(succeeds)
> mv important.log unimportant.log
important.log: Operation not permitted
Practice Exercises
- Set
sappend
flag to/var/log/security
and/var/log/userlog
. Investigate what happens when log rotation is attempted. - List files in
/usr/bin
and inspect their flags - notice that some are markedschange
(orschg
) by default. - Not all utilities understand BSD file flags - check your backup and file management tools.
More information
ls(1), chflags(1)