[wplug-bsd] chflags(1)

Tom Rhodes trhodes at FreeBSD.org
Fri Sep 8 06:45:50 EDT 2006


On Fri, 8 Sep 2006 06:33:09 -0400
Bill Moran <wmoran at potentialtech.com> wrote:

> Brandon Kuczenski <brandon at 301south.net> wrote:
> 
> > I recently observed that my FreeBSD system has a chflags(1) command which 
> > "modifies the file flags of the listed files," including, for example, 
> > whether writes to a file may only append, whether it is 'opaque wrt. 
> > union' (there's no manpage for union)
> 
> man mount_unionfs
> 
> > and so on.  There's no similar 
> > command on my Linux system, and indeed it looks like chflags(2) is a 
> > system call that is specific to BSD (the man page says it first appeared 
> > in BSD 4.4 -- I love BSD..  It's a reference library as well as an 
> > operating system.)
> 
> Really?  Odd that I never realized that chflags was a BSDism ...

Yep.  :)

> 
> > So my question (which may be somewhat tenuously topical to the list) is, 
> > whether this animal seen much in the wild-- do people use this feature? 
> > What is it most useful for?  Is it endemic to the ufs filesystem, or 
> > general to the operating system?
> 
> chflags adds a level of security that is ignored by a lot of people these
> days.  It's a shame, because it's neat stuff.

Yep, IIRC, the secure level uses it.  I've used it before, to
ensure while working in a directory I didn't "accidentally" clobber
some files.  I've also seen it used in some of our operating system
build scripts.  Mainly the release stuff.  See the listing of
octal values in the latter chflags(1) manual page?  I added
those.  ;)

> 
> Read man init for a starter.
> 
> The neat thing you can do with immutable and append only flags is set them,
> and they can't be unset without rebooting the system, even by root.  This
> is done in conjunction with raising the kernel secure level.

Just so you know, ONLY in conjunction.  If the system securelevel is
at a low setting (-1 for example) this statement becomes false.
Different flags have different capabilities; nodump, for example,
will block dump(8) from backing up the file.  The schg can only be
cleared by the root user, who, of course, is the only one able to set
such a flag.

> So:
> 1) Set up your system while the securelevel is 0
> 2) Set immutable and append only flags wherever appropriate
> 3) Configure the system to boot up to a secure level > 0
> 4) Those files marked immutable/append only can not be changed, ever,
>    unless the system is rebooted.
> 
> By doing this intelligently, you can protect yourself from rootkits and
> other compromises, even when those compromises involve root access.

And carefully.  Don't forget what files have this setting.

We also have a ton of other neat security tools, check them
out.  :)

-- 
Tom Rhodes
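The four-step procedure quoted above (set flags at a low securelevel, then boot with securelevel > 0), together with the caveat that the flags are frozen ONLY once the securelevel is raised, as a worked script. This is an added example, not code from the thread or from FreeBSD itself; it assumes a FreeBSD host, a root shell, and the illustrative file lists below, which you would adapt to your own machine. The audit helpers parse `ls -lo` output, whose fifth column is the flags field.

```shell
#!/bin/sh
# lockdown.sh -- added example for the immutable/append-only + securelevel
# procedure discussed in the thread; not code from the list or from FreeBSD.
# Assumptions: FreeBSD, run as root; the file lists are illustrative only.

IMMUTABLE_FILES="/boot/kernel/kernel /etc/rc /etc/rc.conf /sbin/init /usr/sbin/sshd"
APPEND_ONLY_FILES="/var/log/auth.log /var/log/messages"

# Steps 1 and 2: set schg (system immutable) and sappnd (system append-only).
# Refuses to run once kern.securelevel >= 1, because from then on neither
# flag can be changed until the box is rebooted into single-user mode.
apply_flags() {
    level=$(sysctl -n kern.securelevel) || return 1
    if [ "$level" -ge 1 ]; then
        echo "kern.securelevel=$level: schg/sappnd are frozen; reboot single-user first" >&2
        return 1
    fi
    for f in $IMMUTABLE_FILES; do chflags schg "$f" || return 1; done
    for f in $APPEND_ONLY_FILES; do chflags sappnd "$f" || return 1; done
}

# Step 3: have init(8) raise the securelevel on every multi-user boot.
# Appends the two rc.conf(5) knobs only if they are not already present.
enable_securelevel() {
    grep -q '^kern_securelevel_enable=' /etc/rc.conf ||
        printf 'kern_securelevel_enable="YES"\nkern_securelevel="1"\n' >> /etc/rc.conf
}

# Audit helper: print the flags field of one `ls -lo` line
# (columns: mode links owner group FLAGS size date name); "-" means none.
flags_of() {
    echo "$1" | awk '{ print $5 }'
}

# Returns 0 if the file on the given `ls -lo` line carries a flag that root
# cannot remove at the given securelevel, 1 otherwise. Only the system flags
# (schg, sappnd) are protected, and only once securelevel >= 1; the user
# flags uchg/uappnd can always be cleared by the owner or root.
is_locked() {
    line=$1; level=$2
    [ "$level" -ge 1 ] || return 1
    case ",$(flags_of "$line")," in
        *,schg,*|*,sappnd,*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 4 check: list every file under the given paths that is locked until
# the next reboot, so you do not lose track of what carries these flags.
report_locked() {
    level=$(sysctl -n kern.securelevel)
    ls -lo "$@" | while IFS= read -r line; do
        is_locked "$line" "$level" && echo "$line"
    done
}
```

Run `apply_flags` and `enable_securelevel` from a multi-user shell while `sysctl kern.securelevel` still reports -1 or 0, then either reboot or raise the level immediately with `sysctl kern.securelevel=1`; at runtime the level can only go up, never down. After that, `chflags noschg /sbin/init` fails with "Operation not permitted" even for root, and `report_locked /boot/kernel /etc /sbin /var/log` shows exactly which files are frozen, which is the record you need before the next upgrade forces a single-user boot.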
