From owner-freebsd-security  Mon Jun  3 10:15:30 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id KAA03980
          for security-outgoing; Mon, 3 Jun 1996 10:15:30 -0700 (PDT)
Received: from sea.campus.luth.se (sea.campus.luth.se [130.240.193.40])
          by freefall.freebsd.org (8.7.5/8.7.3) with SMTP id KAA03971
          for <freebsd-security@FreeBSD.org>; Mon, 3 Jun 1996 10:15:27 -0700 (PDT)
Received: (from karpen@localhost) by sea.campus.luth.se (8.6.12/8.6.12) id TAA06911 for freebsd-security@FreeBSD.org; Mon, 3 Jun 1996 19:15:38 +0200
Message-Id: <199606031715.TAA06911@sea.campus.luth.se>
Subject: Rm (was [linux-security])
To: freebsd-security@FreeBSD.org
Date: Mon, 3 Jun 1996 19:15:37 +0200 (MET DST)
From: "Mikael Karpberg" <karpen@sea.campus.luth.se>
In-Reply-To: <199606031515.QAA03397@cadair.elsevier.co.uk> from "Paul Richards" at Jun 3, 96 04:15:57 pm
X-Mailer: ELM [version 2.4 PL25 ME8b]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk


> Bruce> Root had better know how to clear flags using chflags -R.
> Bruce> FreeBSD's `rm' has been hacked to unconditionally turn off the
> Bruce> user append and immutable flags before attempting removals.
> Bruce> 4.4Lite2's rm still fails to remove user-append/immutable
> Bruce> files.
> 
> This doesn't make sense. What's the point of setting the immutable
> flag on something like the kernel if 'rm' has been hacked to disable it?
> 
> The normal file permissions would prevent ordinary users from deleting
> it and the one reason I'd want to set the immutable flag would be to
> stop me as root doing something stupid to it.

If you read Burce's text once more, you'll see he says "user append and
immutable flags". USER. That is, if rm is run by ROOT, and only then, will
it ignore the USER APPEND and USER IMMUTABLE flags and just delete is anyway.
This prevents a user from stopping root's rm, but root can still stop it,
since the SUPERUSER APPEND and SUPERUSER IMMUTABLE flags are not ignored.

To be exact:  if (!uid &&    /* only if root */
                  (st_flags & (UF_APPEND|UF_IMMUTABLE)) &&
		  !(st_flags & (SF_APPEND|SF_IMMUTABLE))) {
				/* go ahead */
	      }


  /Mikael