Date:      Mon, 5 May 1997 01:25:41 +0200 (MET DST)
From:      Wolfgang Helbig <helbig@MX.BA-Stuttgart.De>
To:        un_x@anchorage.net (Steve Howe)
Cc:        helbig@MX.BA-Stuttgart.De, fullermd@narcissus.ml.org, un_x@anchorage.net, questions@FreeBSD.ORG
Subject:   Re: permissions
Message-ID:  <199705042325.BAA01319@helbig.informatik.ba-stuttgart.de>
In-Reply-To: <Pine.BSF.3.95q.970504015345.21505C-100000@aak.anchorage.net> from Steve Howe at "May 4, 97 01:58:26 am"

> 
> > The file permissions are enforced by the kernel, i. e. even if some
> > userland software ignores the permissions, the kernel won't let
> > you write, read or execute in violation of the permission rules.
> 
> > If you are root -- more precisely if your UID is 0 -- the permission
> > rules allow you to read and write regardless of the permission
> > flags and owner of the file in question.
> 
> > To protect a file from root, you have to set the immutable flag
> > with the chflags(1) command.  E. g. this is done by the install
> > target of the kernel Makefile to prevent root from hosing the kernel
> > by changing or deleting it accidentally.
> 
> > An
> 
> > $ ls -ol /kernel /kernel.old
> 
> > shows the setting of this flag:
> > 
> > -r-xr-xr-x  1 root  wheel  schg 793551  2 Mai 21:37 /kernel
> > -r-xr-xr-x  1 root  wheel  -    788710 26 Apr 19:36 /kernel.old
> 
> what's the purpose of the "uchg" flag for users then ... ?
> i can't write to a r--r--r-- file (owner=user, group=user)
> as a user ...

But anyone with write permission for the directory and the superuser
are free to move or delete the file.  This is not the case if the
uchg flag is set.

The motivation behind these file flags is not to protect the
authorized user from his own mistakes but to enhance security.  An
intruder who managed to become superuser will not be able to change
the schg if the system is running in secure mode (security level
one).

Wolfgang
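The two points made in this thread (mode bits on a file do not stop someone with write permission on the directory from deleting it, while the uchg flag does) as an added shell demo, not code from the original thread. It assumes an unprivileged user, a writable temporary directory and, for the second function, a BSD system with chflags(1); on systems without chflags the second function returns 3 instead of testing anything. The securelevel behaviour for schg is not exercised here because it needs the system booted at securelevel 1.

```shell
#!/bin/sh
# Added example: file mode bits versus BSD file flags.

# Returns 0 if a r--r--r-- file can still be removed by a user who has
# write permission on its directory (the case the reply describes).
readonly_file_is_deletable() {
    dir=$(mktemp -d "${TMPDIR:-/tmp}/flagdemo.XXXXXX") || return 2
    f="$dir/secret.txt"
    echo "constructed sample data" > "$f"
    chmod 444 "$f"                      # file itself is read-only
    rm -f "$f" 2>/dev/null              # directory is writable, so rm succeeds
    if [ ! -e "$f" ]; then result=0; else result=1; fi
    rmdir "$dir" 2>/dev/null
    return $result
}

# Returns 0 if the user-immutable flag (chflags uchg) blocks removal of the
# same kind of file; returns 3 when chflags is unavailable (non-BSD system).
uchg_blocks_deletion() {
    command -v chflags >/dev/null 2>&1 || return 3
    dir=$(mktemp -d "${TMPDIR:-/tmp}/flagdemo.XXXXXX") || return 2
    f="$dir/secret.txt"
    echo "constructed sample data" > "$f"
    chflags uchg "$f" || { rm -f "$f"; rmdir "$dir"; return 2; }
    rm -f "$f" 2>/dev/null              # expected to fail with EPERM
    if [ -e "$f" ]; then result=0; else result=1; fi
    chflags nouchg "$f" 2>/dev/null     # clear the flag so cleanup works
    rm -f "$f" 2>/dev/null
    rmdir "$dir" 2>/dev/null
    return $result
}

# Stand-alone run: report both checks.
if readonly_file_is_deletable; then
    echo "mode 444 alone did not prevent deletion (directory was writable)"
fi
uchg_blocks_deletion
case $? in
    0) echo "uchg flag prevented deletion" ;;
    3) echo "chflags not available here; uchg check skipped" ;;
    *) echo "uchg check could not be completed" ;;
esac
```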
