Trilight Zone Forum Index Trilight Zone
Privacy & Anonymity is our speciality !

FreeBSD: How to write protect important file (even root can

 
thedark
Second Lieutenant


Joined: 30 Jul 2005
Posts: 1074

Posted: Sun Jul 31, 2005 8:04 am    Post subject: FreeBSD: How to write protect important file (even root can

We have an internal application developed to manage the users and other stuff. However, some admins still sometimes make changes to /etc/passwd or /etc/master.passwd via sudo. Then the idea of file write protection came up. I suggested using chflags. This way the Perl-based app can change the flags, add/modify the user, write protect the files again and make changes in the MySQL databases, and a normal admin cannot make changes at the command line.

This kind of write protection can be set under FreeBSD using the special bit called immutable, by the root user only. Once this bit is set, no one can delete or modify the file, including root. And only root can clear the file immutable bit.

You must be a root user to set or clear the immutable bit.

A) Set the file immutable bit
Use the chflags command as follows:
# chflags schg /tmp/test.doc

Try to remove or modify the file with rm or vi:
# rm -f /tmp/test.doc
rm: /tmp/test.doc: Operation not permitted

Don't be surprised: even root is not allowed to remove or modify the file. This is useful to protect important files such as /etc/passwd, /etc/master.passwd etc.

B) Display whether the file immutable bit is on or off:
# ls -lo /tmp/test.doc
-rw-r--r-- 1 root wheel schg 19 Jun 29 22:22 /tmp/test.doc

C) Clear or remove the file immutable bit:
# chflags noschg /tmp/test.doc

Now you can remove or modify the file. Please note that the immutable flag can be set by the root user only. chflags also supports a few other interesting flags.

arch: set the archived flag
nodump: set the nodump flag
sappnd: set the system append-only flag
schg: set the system immutable flag
sunlnk: set the system undeletable flag
uappnd: set the user append-only flag
uchg: set the user immutable flag
uunlnk: set the user undeletable flag

Putting the letters ``no'' before an option causes the flag to be turned off.
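
Added example (not part of the original post): a small audit check built on the `ls -lo` flags column shown in step B, listing files that are not protected by schg. The function names `missing_schg` and `audit_sample` are hypothetical, and every sample line except the first (taken from the post) is constructed.

```shell
#!/bin/sh
# Added example, not from the original post.
# Column 5 of FreeBSD `ls -lo` output holds the file flags: "-" when none
# are set, otherwise a comma-separated list such as "schg" or "schg,nodump".

# missing_schg: read `ls -lo` lines on stdin and print the path of every
# entry whose flags column lacks schg. Assumes paths contain no whitespace.
missing_schg() {
    awk 'NF >= 10 {
        n = split($5, flags, ",")
        found = 0
        for (i = 1; i <= n; i++)
            if (flags[i] == "schg") found = 1
        if (!found) print $NF
    }'
}

# Constructed sample listing (the first line is the one shown in the post).
SAMPLE='-rw-r--r-- 1 root wheel schg 19 Jun 29 22:22 /tmp/test.doc
-rw-r--r-- 1 root wheel - 1523 Jun 29 22:25 /etc/passwd
-rw------- 1 root wheel schg,nodump 1821 Jun 29 22:25 /etc/master.passwd
-rw-r--r-- 1 root wheel uchg 40 Jun 29 22:30 /tmp/notes.txt'

# audit_sample: run the check over the constructed listing.
audit_sample() {
    printf '%s\n' "$SAMPLE" | missing_schg
}

audit_sample
# On a live FreeBSD host: ls -lo /etc/passwd /etc/master.passwd | missing_schg
```

Run from cron after the user-management application finishes, any path this prints is a file that was left without the system immutable flag. A file carrying only uchg is reported too, because the check looks specifically for schg.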