Wednesday, July 06, 2005

FreeBSD Tip

After a long time putting up a FreeBSD tip :

How to write protect important file (even root can NOT modify/delete it)

If you have some internal application developed to manage the users and other stuff. However some admin still some time make changes /etc/passwd or /etc/master.passwd via sudo. Then the idea of file write protection comes. I suggested to use them chflags.

This kind of write protection can be set under FreeBSD using the special bit call immutable by root user only. Once this bit is setup no one can delete or modify file including root. And only root can clear the File immutable bit.

You must be a root user to setup or clear the immutable bit.

1. Setup file immutable bit
Use chflags command as follows:
#chflags schg /tmp/test.doc

Try to remove or moify file file with rm or vi:
# rm -f /tmp/test.doc
rm: /tmp/test.doc: Operation not permitted

Don't be supriesed even root is not allowed to remove or modify file. This is useful to protect important file such as /etc/passwd, /etc/master.passwd etc.

2. Display if file immutable bit is on or off:
ls -lo /tmp/test.doc
-rw-r--r-- 1 root wheel schg 19 Jun 29 22:22 /tmp/test.doc

3. Clear or remove file immutable bit:
#chflags noschg /tmp/test.doc

Now you can remove or modify file. Please note that immutable flag can be set by root user only. chflags also supports few other interesting flags.

arch: set the archived flag
nodump: set the nodump flag
sappnd: set the system append-only flag
schg: set the system immutable flag
sunlnk: set the system undeletable flag
uappnd: set the user append-only flag
uchg: set the user immutable flag
uunlnk: set the user undeletable flag

Putting the letters ``no'' before an option causes the flag to be turned off.

It is possible to do this in Linux too ;) using the chattr command. For more info on it do man chattr.

Also you can explore various linux options to view these attributes using the man ls and checking out the options

Nitin :)


Post a Comment

<< Home