File Flags

All Unix-like operating systems share a common permissions scheme, but OpenBSD (and most BSD-based operating systems) extends the permissions scheme with file flags. File flags work with permissions to change file security. Flags can make a file unchangeable, make it so that existing data cannot be removed and users can only add to the file, and produce several other effects. Some flags have functions unrelated to security, but we’ll pay special attention to the security flags. File flags are listed and documented in chflags(1).

File Flag Types

Many file flags have different effects depending on the system securelevel, which we’ll cover in the next section. Understanding how securelevels work requires an understanding of file flags, while file flags rely on securelevels. For the moment, just nod and smile when I mention securelevels while discussing file flags. All will become clear, trust me.

OpenBSD’s UFS and UFS2 filesystems support the following file flags:

sappnd

Files with the system-level append-only flag can be added to but cannot be removed or otherwise edited. The sappnd flag is particularly useful for log files. For example, a common intruder tactic is to remove .history or symlink it to /dev/null so that the administrator cannot see what happened. Setting sappnd on a user’s .history file can be interesting if the account is compromised. Using the sappnd flag ensures that intruders cannot cover their tracks in this manner. Only root can set or remove the sappnd flag, and it cannot be removed when the system is running at securelevel 1 or higher.

uappnd

The user-level append-only flag can be set only by the file owner or root. As with sappnd, a file with the uappnd flag can be added to but not otherwise edited or removed. This is most useful for personal logs and files; it primarily adds an extra layer of protection against users accidentally deleting their own files. The owner or root can set or remove this flag.

schg

Files with the system-level immutable flag cannot be changed in any way. They cannot be edited, moved, replaced, or overwritten. Basically, the filesystem itself prevents all attempts to alter this file. Only root can set or remove this flag, and it cannot be removed when the system is running at securelevel 1 or higher.

uchg

The user-level immutable flag prevents anyone from changing the file. It’s a user-level flag, so root can override it. This flag helps to prevent a file from being edited or removed by accident, but it’s not a way to secure the system. The owner or root can set or remove this flag at any securelevel.

nodump

The no dump flag tells dump(8) to not back up a file. Set this on files that don’t need to be backed up to tape. Check your backup program’s documentation to see if it honors this flag.

Setting, Viewing, and Removing File Flags

Set file flags with chflags(1). For example, if you are really worried about someone changing your kernel file, you could mark /bsd with the system-level immutable flag.

# chflags schg /bsd

This would prevent anyone—including you—from changing the kernel, reconfiguring the kernel, or upgrading the system.

You can also recursively change the file flags on an entire directory tree with the -R flag. If you wanted to make the entirety of /bin immutable, you would run this command:

# chflags -R schg /bin

And poof, you can no longer upgrade your system.

To view the flags on a file, use ls -lo.

$ ls -lo vitallog
-rw-r--r-- 1 root wheel - 20915343 Jul 17 16:56 vitallog

This file has no flags set on it. Let’s set the system-level append-only flag.

$ chflags sappnd vitallog
chflags: vitallog: Operation not permitted

Oh, right—only root can set system-level flags. Let’s try again:

$ sudo chflags sappnd vitallog
Password:
$ ls -lo vitallog
-rw-r--r-- 1 mwlucas mwlucas sappnd 20915343 Jul 17 16:56 vitallog

This file now has the sappnd flag. The system can add to it, but cannot otherwise edit or remove it.

OpenBSD doesn’t flag any files out of the box, so you’ll need to add flags yourself if you want them. Before you go nuts, however, note that adding file flags increases the overhead for system maintenance. If upgrading a system is hard, the sysadmin won’t want to do it. Is it more secure to have all your programs in /bin immutable, or is it more secure to simplify upgrades, updates, and application of security patches?

To remove a flag from a file, use chflags with a no before the flag name. For example, to unset the sappnd flag on the vitallog file, try this:

$ sudo chflags nosappnd vitallog
Password:
chflags: vitallog: Operation not permitted

Wait a minute! I’m running under sudo(8), and I have root-level privileges. What’s going on?

By default, OpenBSD runs at securelevel 1. When running at securelevel 1 or higher, you cannot unset system-level file flags, so the attempt fails even with root privileges. You can remove these flags only at securelevel -1 or in single-user mode. Read on to learn about securelevels.
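
The rules above (system-level versus user-level flags, and the securelevel restriction on clearing schg and sappnd) can be turned into a quick audit of ls -lo output. The script below is an added example, not part of the original text; the listing it parses is a constructed sample, and the removable() function encodes the chflags(1) rules as described in this section.

```sh
#!/bin/sh
# Audit OpenBSD file flags from "ls -lo" output. The fifth field is the
# flags column: "-" for none, otherwise a comma-separated list such as
# "schg" or "uchg,nodump". On a real system: ls -lo /etc | audit_flags 1

# Constructed sample listing, not real system output.
SAMPLE='-rw-r--r--  1 root  wheel  -              20915343 Jul 17 16:56 vitallog
-rw-r--r--  1 root  wheel  sappnd           4096 Jul 17 16:57 authlog
-r-xr-xr-x  1 root  bin    schg           872448 Jul 17 16:58 bsd
-rw-------  1 mwlucas mwlucas uchg,nodump   1024 Jul 17 16:59 notes
-rw-------  1 mwlucas mwlucas uappnd        2048 Jul 17 17:00 .history'

# removable FLAG SECURELEVEL -> "yes" or "no". System-level flags (schg,
# sappnd) cannot be cleared at securelevel 1 or higher; user-level flags
# can be cleared by the owner or root at any securelevel.
removable() {
    case "$1" in
        schg|sappnd) [ "$2" -lt 1 ] && echo yes || echo no ;;
        *)           echo yes ;;
    esac
}

# audit_flags SECURELEVEL  (reads ls -lo lines on stdin)
# Prints one line per flag found: name, flag, flag class, removable-now.
audit_flags() {
    level="$1"
    while read -r mode links owner group flags size mon day tim name; do
        [ "$flags" = "-" ] && continue      # no flags set on this file
        rest="$flags"
        while [ -n "$rest" ]; do            # walk the comma-separated list
            flag="${rest%%,*}"
            case "$flag" in
                schg|sappnd) kind=system ;;
                uchg|uappnd) kind=user ;;
                *)           kind=other ;;  # e.g. nodump
            esac
            printf '%s %s %s removable=%s\n' "$name" "$flag" "$kind" \
                "$(removable "$flag" "$level")"
            [ "$rest" = "$flag" ] && break
            rest="${rest#*,}"
        done
    done
}

# count_locked SECURELEVEL -> number of flags in SAMPLE that cannot be cleared now
count_locked() {
    printf '%s\n' "$SAMPLE" | audit_flags "$1" | grep -c 'removable=no' || true
}

printf '%s\n' "$SAMPLE" | audit_flags 1
```

At securelevel 1 the sample reports two flags (sappnd on authlog, schg on bsd) that cannot be cleared without dropping to securelevel -1 or single-user mode.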
