[wplug-bsd] chflags(1)

Bill Moran wmoran at potentialtech.com
Fri Sep 8 06:33:09 EDT 2006


Brandon Kuczenski <brandon at 301south.net> wrote:

> I recently observed that my FreeBSD system has a chflags(1) command which 
> "modifies the file flags of the listed files," including, for example, 
> whether writes to a file may only append, whether it is 'opaque wrt. 
> union' (there's no manpage for union)

man mount_unionfs

> and so on.  There's no similar 
> command on my Linux system, and indeed it looks like chflags(2) is a 
> system call that is specific to BSD (the man page says it first appeared 
> in BSD 4.4 -- I love BSD..  It's a reference library as well as an 
> operating system.)

Really?  Odd that I never realized that chflags was a BSDism ...

> So my question (which may be somewhat tenuously topical to the list) is, 
> whether this animal is seen much in the wild-- do people use this feature? 
> What is it most useful for?  Is it endemic to the ufs filesystem, or 
> general to the operating system?

chflags adds a level of security that is ignored by a lot of people these
days.  It's a shame, because it's neat stuff.

Read man init for a starter.

The neat thing you can do with immutable and append only flags is set them,
and they can't be unset without rebooting the system, even by root.  This
is done in conjunction with raising the kernel secure level.
So:
1) Set up your system while the securelevel is 0
2) Set immutable and append only flags wherever appropriate
3) Configure the system to boot up to a secure level > 0
4) Those files marked immutable/append only can not be changed, ever,
   unless the system is rebooted.

By doing this intelligently, you can protect yourself from rootkits and
other compromises, even when those compromises involve root access.

-- 
Bill Moran

JAYNE: It ain't impossible! Saint Jayne, It's got a ring to it.
BOOK: I'm just trying to remember how many miracles you've performed.
JAYNE: I once hit a guy in the neck at five hundred yards with a bent scope,
       don't that count upstairs?
BOOK: Oh, it'll be taken into consideration...
JAYNE: Well you make that sound kinda ominous...
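A script for the four-step procedure in the reply above, as an added example that is not part of the original post or the mailing list. The path lists, the target securelevel of 1 and the script name `harden.sh` are assumptions; `chflags`, `ls -lo`, `sysctl kern.securelevel` and the `kern_securelevel*` rc.conf variables are the stock FreeBSD tools the reply relies on. `plan` prints what would be done and runs anywhere; `apply` only does anything on a host that has `chflags`.

```sh
#!/bin/sh
# Added example (not from the original post): set system immutable (schg)
# and system append-only (sappnd) flags, then raise the securelevel at boot
# so not even root can clear them until the box is rebooted.
# Usage: sh harden.sh plan     (print the commands, any OS)
#        sh harden.sh apply    (run them, FreeBSD, as root, at securelevel 0)

# Assumed lists; adjust for the host. Binaries and boot files never change
# while the system runs, so they get the immutable flag.
IMMUTABLE_PATHS="/bin /sbin /usr/bin /usr/sbin /boot/kernel /etc/rc.conf"
# Logs must grow but must never be truncated or rewritten: append-only.
APPEND_ONLY_PATHS="/var/log/auth.log /var/log/messages"
# Securelevel 1 is enough to pin schg/sappnd (see init(8)); assumed here.
SECURELEVEL=1

# Build the chflags command for one path. "schg" = system immutable,
# "sappnd" = system append-only; both are the "system" variants, which
# is what the securelevel protects (the user variants uchg/uappnd are not).
flag_cmd() {
    printf 'chflags -R %s %s\n' "$1" "$2"
}

# Step 2 and step 3 as text: every chflags command, then the rc.conf lines
# that make /etc/rc.d/securelevel raise the level on the way to multi-user.
plan() {
    for p in $IMMUTABLE_PATHS; do flag_cmd schg "$p"; done
    for p in $APPEND_ONLY_PATHS; do flag_cmd sappnd "$p"; done
    printf 'kern_securelevel_enable="YES"\n'
    printf 'kern_securelevel="%s"\n' "$SECURELEVEL"
}

# Report the running securelevel, or 0 where the sysctl does not exist.
current_securelevel() {
    sysctl -n kern.securelevel 2>/dev/null || echo 0
}

# Step 1/2 for real: only meaningful on a BSD host with chflags.
apply() {
    command -v chflags >/dev/null 2>&1 || {
        echo "chflags not found; this is not a BSD host" >&2
        return 1
    }
    # Setting the flags works at any securelevel; clearing them later needs
    # a reboot once the level is above 0, which is the whole point.
    echo "current securelevel: $(current_securelevel)"
    plan | grep '^chflags' | sh -e
    # ls -lo shows the flags column so the result can be eyeballed.
    ls -lo /bin/sh /var/log/auth.log
    echo "now append these lines to /etc/rc.conf and reboot:"
    plan | grep '^kern_securelevel'
}

case "${1:-}" in
    plan)  plan ;;
    apply) apply ;;
esac
```

Two caveats a practitioner will hit: at securelevel 1 the kernel also refuses to load modules and to write to mounted raw disk devices, so plan the list accordingly, and any later change to a flagged file (a base-system upgrade, for instance) means rebooting into single-user mode, where the rc script that raises the level has not yet run, clearing the flag, doing the work, and setting it again.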
