
FreeBSD file flags enhance Unix filesystem security

POSIX-compliant Unix file permissions can be reinforced on FreeBSD by additional filesystem protections called "file flags." Chad Perrin explains in detail what these flags do.

In addition to standard Unix file permissions, FreeBSD offers a further layer of file-level security, known as "file flags," that applies to non-directory files.

File flags can be used even to prevent the root user account from altering or deleting files -- something that POSIX-compliant Unix file permissions cannot do. To check the flags set for a given file, use the -lo options for ls:

  > ls -lo foobar.pdf
  -rwxrwxr-- 1 bob bob - 0 Nov 19 12:47 foobar.pdf

That dash shows that there are no file flags set for the file foobar.pdf. Flags can be set using the chflags utility:

  > chflags sunlink foobar.pdf
  > ls -lo foobar.pdf
  -rwxrwxr-- 1 ren ren sunlnk 0 Nov 19 12:47 foobar.pdf

Any flag that has been set can be cleared by prefixing its name with "no":

  > chflags nosunlink foobar.pdf
  > ls -lo foobar.pdf
  -rwxrwxr-- 1 ren ren - 0 Nov 19 12:47 foobar.pdf

A set of octal values may be used to set and unset file flags, using numeric codes rather than longer names. The most useful of these is probably 0, which clears all file flag settings. The chflags manpage for FreeBSD provides a complete listing of the octal codes.

Normally, an article like this could point out a few cases where a given set of commands might be useful and direct the reader to the manpage for the relevant utility -- in this case, chflags. Here, however, the manpage is especially cryptic about what the various flags actually do. It says of them:

  arch, archived
        set the archived flag (super-user only)

  opaque
        set the opaque flag (owner or super-user only)

  nodump
        set the nodump flag (owner or super-user only)

  sappnd, sappend
        set the system append-only flag (super-user only)

  schg, schange, simmutable
        set the system immutable flag (super-user only)

  sunlnk, sunlink
        set the system undeletable flag (super-user only)

  uappnd, uappend
        set the user append-only flag (owner or super-user only)

  uchg, uchange, uimmutable
        set the user immutable flag (owner or super-user only)

  uunlnk, uunlink
        set the user undeletable flag (owner or super-user only)

The following explains in slightly more detail what each flag does:

  • archived: The archived flag is not used by FreeBSD's standard UFS filesystem, and is only relevant to legacy filesystems.
  • opaque: The opaque flag ensures that when unionfs is used to mount another directory over the top of the flagged directory, the contents of the flagged directory will not show.
  • nodump: The nodump flag is of particular use for people using the standard dump utility to make backups of the system. If a particular file should not be backed up by the dump utility, setting the nodump flag will ensure that it is ignored by dump. Unfortunately, an additional step must be taken to get the dump command to completely honor the nodump flag: the -h option must be used with dump. This will see to it that the flagged file is omitted from incremental dumps, but not from full dumps. To omit the file from even full dumps, use the -h 0 option with dump.
  • sappend: The sappend flag ensures that the flagged file cannot be truncated, and cannot be written to at any point other than at the end of the file. In other words, the only changes that are allowed for that file are changes that are appended to it. This applies to all users, including the root user, without taking the system to single-user mode or reducing the securelevel to 0 or less.
  • schange: The schange flag makes a file "system immutable," so that nothing about the file can be altered at all, including metadata. Be very careful setting this flag; even root cannot remove this flag without either taking the system to single-user mode or reducing the securelevel to 0 or less, as with the sappend flag.
  • sunlink: The sunlink flag prevents everyone, including the root user, from deleting (unlinking) the flagged file. This overrides any Unix filesystem permissions that otherwise might allow file deletion.
  • uappend: The uappend flag is similar to the sappend flag, but it can be set and unset by both the root user and the file's owner without limitation.
  • uchange: The uchange flag makes a file "user immutable," just as the schange flag makes a file "system immutable." As with uappend, the "user" version of the "change" flag can be set or unset by both the root user and the file's owner without limitation.
  • uunlink: The uunlink flag is similar to the sunlink flag, but it only prevents the user account that "owns" the file (and those with lesser permissions for the file) from deleting it. The root user account will not be prohibited from deleting the file, unless the root user is the owner of the file -- in which case the root user is then prevented from deleting the file.

File flags suit some FreeBSD server use cases well, while desktop systems are less than perfectly suited to them. Because the X Window System and certain other pieces of software do not work properly at any securelevel greater than 0, such systems are unlikely to be run at a higher securelevel. And because at securelevel 0 and below the root user can change any file flags on the system, anyone who gains root access can change any file flags, circumventing the security value of those flags.

There are ways to work around this problem in some cases. For instance, the X Window System can be started, then the securelevel increased from 0 to 1, but if you must restart X for some reason you will then have to restart the system to get the securelevel back to 0.

Under the right circumstances, however, FreeBSD's file flags can provide a significant improvement to security, particularly for public-facing servers. For instance, it may be appropriate in some cases to run a Web server at securelevel 1 and use the schange flag to protect static files that never need to be altered against modification by malicious security crackers. In fact, in some cases, you may not need anything but your logfiles to be mutable on a public-facing server -- and there are even ways around that when logging to another system on the local network, sometimes.
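As an added example (written for this edit; it is not FreeBSD code and not the author's own script), the following POSIX sh audit ties the listing commands and the static-file use case together: it parses `ls -lo` output in the column layout shown above, classifies each file by the strongest flag set (system immutable or append-only, which root cannot clear at securelevel 1 or higher; user immutable or append-only, which the owner can clear at any time; or plain mutable), and prints the "no"-prefixed chflags command that would clear a file's flags. The web-root listing it reads is constructed sample output, and nothing in it calls chflags, so it runs on any system with sh and awk.

```shell
#!/bin/sh
# Added audit example for FreeBSD file flags (not FreeBSD code, not the
# author's script). It only parses text, so it runs wherever sh and awk exist;
# on a FreeBSD host pipe real `ls -lo` output into audit_listing instead.

# Constructed sample of `ls -lo` output for a web root (not captured from a
# real system). Columns: mode links owner group FLAGS size month day time name.
SAMPLE='total 16
-rw-r--r--  1 www   www   schg        2048 Nov 19 12:47 index.html
-rw-r--r--  1 www   www   schg,sunlnk  512 Nov 19 12:47 robots.txt
-rw-r--r--  1 www   www   uchg        1024 Nov 19 12:47 about.html
-rw-r--r--  1 www   www   -           4096 Nov 19 12:47 upload.php
-rw-------  1 root  wheel sappnd      8192 Nov 19 12:47 access.log'

# classify_flags FLAGS
# Prints the strongest write protection in a comma-separated flags field:
#   system-immutable  schg:   nobody, root included, can change the file at
#                             securelevel >= 1 (single-user mode needed to clear)
#   system-append     sappnd: only appends allowed, same rule for root
#   user-immutable    uchg:   owner or root can clear it with chflags at any time
#   user-append       uappnd: owner or root can clear it, append-only meanwhile
#   mutable           no immutability flag; only Unix permissions apply
classify_flags() {
  case ",$1," in
    *,schg,*)   echo system-immutable ;;
    *,sappnd,*) echo system-append ;;
    *,uchg,*)   echo user-immutable ;;
    *,uappnd,*) echo user-append ;;
    *)          echo mutable ;;
  esac
}

# audit_listing < ls-lo-output
# Emits "name<TAB>flags<TAB>classification" for each entry, skipping the
# "total N" header. Flags are field 5; the name is everything from field 10 on,
# so names containing spaces survive.
audit_listing() {
  awk '$1 ~ /^[-dlbcps]/ && NF >= 10 {
         name = $10
         for (i = 11; i <= NF; i++) name = name " " $i
         print $5, name
       }' |
  while read -r flags name; do
    printf '%s\t%s\t%s\n' "$name" "$flags" "$(classify_flags "$flags")"
  done
}

# files_with_status STATUS < ls-lo-output
# Names whose classification equals STATUS: "mutable" lists the files in a
# supposedly static tree that the schg protection has missed, and
# "user-immutable" lists files a compromised owner account could unlock.
files_with_status() {
  audit_listing | awk -F '\t' -v want="$1" '$3 == want { print $1 }'
}

# unlock_command FLAGS NAME
# Prints (never runs) the chflags invocation that clears every flag in FLAGS
# by prefixing each name with "no". For system flags it only succeeds once
# the securelevel is 0 or lower.
unlock_command() {
  if [ "$1" = "-" ]; then
    echo "# $2: no flags set"
  else
    echo "chflags $(printf '%s' "$1" | sed 's/^/no/; s/,/,no/g') '$2'"
  fi
}

# Demo run over the constructed listing.
printf '%s\n' "$SAMPLE" | audit_listing
echo "--- still mutable:"
printf '%s\n' "$SAMPLE" | files_with_status mutable
unlock_command 'schg,sunlnk' robots.txt
```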

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

21 comments
AlexNagy

I know you dislike X, but there are other servers out there. Gentoo moved to one of the alternates years ago (I forget at the moment which one in particular), completely dropping X, though you could still install it manually of course.

seanferd

And it really is. Just adds to the number of reasons I'd choose a BSD if I were ever to run a server. Although it seems a bit disappointing that flags are not suited to a desktop install, I think, in my limited experience, that BSD is rather secure enough on the desktop without flags. Yet another excellent article. Even if just for those who might want to set flags, but aren't getting enough info from the man page.

apotheon

What do you think of this article about FreeBSD file flags? Should I write a similar article about Linux file attributes, which serve a similar purpose?

apotheon

As a friend of mine once put it, "The only thing worse than writing X Window System code is writing GUI code for Microsoft Windows." There are some definite issues with the way X has developed over the years, but I haven't really looked into the alternatives. They seem to fall well short of the kind of functionality that would be needed for widespread adoption, though there could easily be some niche uses for which an alternative might be quite well suited. I haven't touched Gentoo in quite a while, but I suspect it's using X.org, which is what most Linux distributions and BSD Unix systems are using now. There was a widespread move shortly after X.org forked from XFree86 over a licensing issue; the XFree86 project wanted to add additional nonsense to the license, and nobody much liked the idea, so XFree86 has increasingly become irrelevant to the community at large. If that's the Gentoo move you're talking about (since I'm pretty sure Gentoo made the same move at about the same time), it's still technically the X Window System. It's just a different implementation of X. Otherwise, I'm not sure what alternative you mean. I'll have to look into it when I find the time -- maybe after the Christmas weekend.

apotheon

First, thanks for the kind words. Actually, one of the biggest reasons I wanted to write this article is to fill that gap in the documentation. I may look into submitting patches for the manpage at some point to address this problem, too, but I'd have to do more in-depth research for that than for this article. For the article, it just needs to be practical; for the manpage, it has to be comprehensive. What really boggles my mind, though, is the fact that even all the articles I could find on the Internet fail to provide as much information as I've provided. I had to learn this stuff from the overflowing library of books I have here. It's really a depressing state of affairs, and I hope others get some use from this article. Of course, another reason for writing this article is to raise awareness of the options for improving security -- but that's pretty much an assumable motivation for all my articles.

pgit

Can't improve on the accolades already heaped by seanferd, except to say there's always value in your writing, even if it's just that it makes me think. Thinking is good. Timing couldn't be better here because I just started the BSD learning curve this week, with an eventual eye towards servers. You just gave me a three week jump, setting securelevel to 1 and flagging only logs to be mutable... how clear can it get. I would encourage you to jump in and clarify the manuals on BSD and even Linux/Unix, you have an incredible talent for concise clarity. You'd be a boon to the world. ...if you can keep the lights on doing so. I would hope there's some value to be given in kind for the kind of talent you possess. And please do write anything that comes to mind about equivalent Linux security. Apply that skill set to the deep-down guts of the system where hardware and the first layer of zeros and ones intermingle and become indistinguishable. This stuff fascinates the crap out of me and I suspect has more to do with ultimate security than anything clogging up vast swaths of user space upstairs. Man, Chad, I say again they should clone you and unleash the "clarity army" on every troublesome set of documents in this world, beginning with the mess radiating out of DC these days. I say Chad Perrin for Supreme Court... we'd only need one justice with you at the helm. PS: I widen doors on the side... =D

seanferd

You can pack a lot of information, well organized, into short and easy to read articles. You would probably be a hit with sysadmins. Occasionally, I feel like re-writing documentation for things that I understand myself. If I ever do so, it would, hopefully, be more accessible than what is already extant. If you could actually get some compensation for your work, all the better. I find that your writing and thinking skills can make accessible to me concepts with which I have absolutely no experience or reference frame. These are not common skills, and TR has done well to retain you and some other writers here with similar skills. Happy holidays.

apotheon

> it makes me think.

That, in my opinion, is the highest praise for my writing. Inspiring people (including myself) to think for themselves is I think the most important part of what I do. Thank you.

> Thinking is good.

Hm. Understatement of the decades?

> Timing couldn't be better here because I just started the BSD learning curve this week

Excellent! I'm glad the timing worked out for you.

> I would encourage you to jump in and clarify the manuals on BSD and even Linux/Unix, you have an incredible talent for concise clarity.

Between you and seanferd, I definitely feel encouraged to go read about how to submit manpage patches to the FreeBSD project.

> ...if you can keep the lights on doing so.

I won't be able to cut back on my paying work to do it. I'll just do it in all my copious free time. Let's see . . . I'll just do less . . . No, can't do less of that. Nor that. Nor that. Hmm. I'm running out of ideas. After hearing about that Korean gamer who died because his bladder burst, I don't think I'll give up using the restroom either. I guess I'll just have to give up some sleep, again. Well . . . it's for a good cause.

> And please do write anything that comes to mind about equivalent Linux security.

I haven't found the time to read it yet (so I can't vouch for it), but I noticed there's an article about extended file attribute management in Linux over in TR's open source column. I'll have to see if that overlaps with what I was thinking of writing -- and you might want to give it a look if that's something that interests you.

> Apply that skill set to the deep-down guts of the system where hardware and the first layer of zeros and ones intermingle and become indistinguishable.

There are limits to my knowledge. I don't know that I could get into much depth with an article about things at the level of, say, assembly language rootkit development or "shellcode" exploits, since I haven't really dealt with that sort of thing much. I know some of the principles well enough to touch on such subjects with the 1000-foot view, but you're unlikely to see any assembly language, discussion of the specific CPU instruction sets of various architectures, or technical information about how to write hardware-targeting malware any time soon. Just so's ya know. I'll look for opportunities to share what I do know about the deep-down nitty gritty of the implementation level, and try to learn more in that direction, though. I've been meaning to refamiliarize myself with C and put that to good use lately, but I keep getting distracted with stuff that actually pays the bills right now. Expect to see me posting Ruby code (for examples of hopefully good practice) and maybe some PHP or something like that (for examples of bad security practice) at some point in 2010, though; I have some article ideas along those lines that have been percolating in the back of my brain for a while now.

> I suspect has more to do with ultimate security than anything clogging up vast swaths of user space upstairs.

While there is definitely some key stuff at the level of OS implementation code, drivers, hardware interactions, and so on that is key to security in some areas, the real battle is (to misquote) for the hearts and minds of the users. Where they go, the implementers must perforce follow. This is why selection of verifiably more-secure software, practical use of strong encryption, and concern for privacy are recurring themes in my articles; because the general population of computer users really needs to be encouraged to pursue such ends to improve not only their own security, but that of those around them -- and to improve the quality of the software options available to them by putting pressure on implementers and vendors to adopt better security practices. I'm unlikely to be able to influence the vendors directly, but if I can help influence the users, they can influence the vendors through the agency of market forces, as long as the law still allows them any opportunity to do so.

> I say Chad Perrin for Supreme Court... we'd only need one justice with you at the helm.

Okay, I stand corrected -- this may be the highest praise I've received for my writing. I'm flattered, and I think that (with some intensive study to steep me in greater knowledge of the law) I might be able to help out, but since I don't see a law degree in my future, nor the patience to deal with law firm and criminal justice system politics, I doubt that'll ever come to pass. I appreciate the endorsement, though!

> PS: I widen doors on the side...

Can you widen them enough for my swelled head to fit through after all this praise?

apotheon

The X Window System is distributed under the MIT/X11 license, which I rather like (for obvious reasons).

AlexNagy

Didn't realize it died. Yeah, but so is nearly everything else. ):

apotheon

Unfortunately, it's:
1. a dead project
2. GPLed

apotheon

I appreciate all the kind words. I rather doubt I'd get any direct compensation for contributing to manpages for any open source operating systems, but that wouldn't stop me from contributing. I don't have one of those employers that pays employees to contribute to open source projects; I have to do it on my own time. My boss is a real jerk that way. Of course, I'm self-employed. TR has done well to retain you and some other writers here with similar skills. I hope the powers that be at TR read comments like this. Thank you. In any case, I'm pleased as punch that my writing helps people. The money for this sort of thing isn't enough in and of itself to pay for what we (many of the contributing writers) put into articles for TR; having the chance to help others out with what we write is a big part of the motivation for it, as is the fact we have a generally good relationship with the people at TR themselves.

pgit

I feel like a freeloader now, I've used probably hundreds of open source apps and never once given any a donation. So I resolve to throw some jing at a few of them in 2010, starting with OpenSSH, without which I can't imagine what I'd need a computer for. Scroogle is next, I set their scraper as the home page on every desktop I touch. I explain to users a few things about online security, including why I encourage using scroogle. If they want a different home page they can change it. I'll keep my eyes open for solicitations for donations as I use things. There's a lot of free apps that have a supported (for a fee) version, I've been meaning to sign up with a few of these for years... never have. OpenDNS, dynDNS, Mandriva, MBAM and Advanced System Care come to mind. I'll tell 'em all Chad Perrin sent me. =)

apotheon

Good luck with drumming up new business. . . . and keep the money, or give it to a good cause (like the OpenSSH project, or my former employer the Wikimedia Foundation).

pgit

But you'd have to lay bare an address in public, catch 22. =D I have done a bit of Linux migration too, in the SMBs this has resulted in less work over the long haul, Linux servers just run... But I have been moving a lot of desktop users into Linux as well, this will probably also result in less repeat work on a per client basis, but the word of mouth is spreading here as well and I seem to have a steady enough stream of folks asking me to set up at least dual boot. But you have lit a fire under my slacking butt, in the new year I'm going to prepare a 'pitch' to deliver to the happy SMB clients to solicit references. I've half heartedly asked in person, but I'm going to make a concerted effort to pick up new folks. I'll try to put it across that if the existing clients want to ensure that I'll be around at all to help them when needed then it's imperative I pick up more clients in the same vein. If I can put it across that they have seen less of me because the work I did keeps humming along reliably maybe they'll get the idea... I mean who wouldn't want a more reliable system? This is a smallish town, I know the people I have worked for have lots of contacts in local business. I'm pretty sure that if I word something right I'll end up with more of the desirable work. ...and I wouldn't loan you 5 bucks, I'd give you 20...

apotheon

> Yes, I have been taking on more individual support lately. It started by word of mouth (some great folks to work with) and took off like wild fire, I have more work than I can handle but it's not what I prefer to be doing.

I can understand that. When I found myself doing a fair bit of that, I just fell into a routine and kinda lived with it for a while. It kept me fed and occupied, and when I got into a routine that kinda took care of itself I tolerated it well enough. . . . then I managed to slide into Linux migration, implementation, and support, and when the support side of that turned out to be a pretty dry well (nobody needed support once I got the systems running because everything "just worked"), I slid sideways into Web development and some enterprise integration development (that's buzzwordese for "writing lots of glue code"). The Web development part of that ended up having a bit more sustainability for a while, but things seem to be kinda moving back the other way in the last few years, supplemented by writing more English. Anyway . . . good luck getting things moving more toward doing what you love. It sounds like you're doing well enough financially, though. Would you loan me five bucks?

pgit

^_^ Seriously, you hit the nail with this: "If you really like a particular client, try telling them so, and that you'll always have them on your list of top priorities if they want to send you more work -- but that you'd appreciate it if they'd also recommend you to other potentially good clients so you can stay in business." I just started doing that recently, all the preferred types love the work I've done, and I do get the occasional call for something else, lately more direct end user support. Yes, I have been taking on more individual support lately. It started by word of mouth (some great folks to work with) and took off like wild fire, I have more work than I can handle but it's not what I prefer to be doing.

apotheon

I love the flattery. Seriously, I appreciate the outpouring of compliments. I just don't really have as good a handle on how to respond as I'd like, so I'll say "Thanks!" and address some stuff that has implications outside of that.

> I'd be grateful if they'd sweeten the pot to encourage you to write/post more.

I'd like to write/post more, but I'm running up against the limit to how much I can write more with consistency without making some major changes to my life. To write substantially more on a consistent basis, the writing would pretty much have to be my full-time job, with other stuff as part-time "when I feel like it" work. My current writing schedule for TR is eight articles a month (expect two more here by the end of the month -- already written and submitted, but not scheduled for publication until Tuesday and Thursday next week, if I recall correctly), which is actually a fairly punishing writing speed when it's basically a labor of love (the pay as an outside contributor isn't a living rate by any stretch). Add to this the fact that I also write fiction, I'm trying to get my feet under me with a new security Weblog of my own, and I have a non-security just kind of rambly Weblog as well, and the end result is that TR writing is the only writing I do that is consistent, because I have to trade off time between the others since nobody's paying me in those cases. While I have sold the occasional article as a discrete, individual piece in the past, and been paid to write a little internal documentation from time to time, unless life gave me a sweet deal where I was getting paid real annual full-time salary or something like that to do nothing but write, I can't sacrifice enough of my life at this point to add enough additional writing to my output for people to notice the difference. I hate to say "no, not going to happen" to this, because I do like writing and I love the fact that people get some value from what I write. As long as I'm not getting paid enough to pay all the bills for the writing alone, though, I've reached the upper limit for how much time I can realistically spend writing (English, as opposed to code) each month. . . . and I know that TR has rules its people need to follow in terms of how much we get paid, so for now the answer looks like "no".

> That's largely my "fault" because the networks and servers I set up rarely fail...

That's a good thing. Except in cases where you're dealing with an organization that finds it effectively impossible to "fire" someone (end a contract relationship, et cetera), such as certain government agencies, you're just as likely to get replaced by someone who does a better job if you do poorly enough to keep getting brought back to do more work as you are to get less work if you just do the job right in the first place. It's a choice between "Will they stop paying me if everything just keeps working?" and "Will they stop paying me if everything keeps breaking?" If you really like a particular client, try telling them so, and that you'll always have them on your list of top priorities if they want to send you more work -- but that you'd appreciate it if they'd also recommend you to other potentially good clients so you can stay in business. After all, during a down economy, if you can't afford to feed yourself doing the work you're doing they'll lose you as a resource anyway when you go get a job at McDonald's to pay the bills and don't have enough time to do one-off jobs for them any longer. You may not want to say all of that, but that's the theory behind turning good work into more clients. I'm sure you're aware of a lot of this stuff. Sometimes, there just isn't a whole lot of work out there. Things have been a little more dry for me lately, too.

> I spent 20 minutes calming down one fellow who was lost because his webmail and home page weren't in the IE history drop-down after a clean install.

It sounds like you're doing individual user support on a consulting basis, if I'm reading the clues correctly. I've been meaning to write up a review and explanation of a malware detection tool or two that was a huge benefit to me back when I did a lot of that kind of work, five or six years ago -- tools that are still out there, and still just as useful, even if I rarely have use for them these days. I'll move that a little further up my list of article priorities and get that out there, since you might get some use out of it. It'll provide a slight change of pace from the kind of article I have been writing lately.

> But it's money.

True. Look at the bright side, though: the Senate just passed its version of the healthcare bill, but at least the way it will increase work-related medical insurance costs substantially won't (I think) affect those of us who are independent consultants as much as it'll affect people whose salaries are directly affected by corporate insurance benefits. The unions are pissed about the version of the bill just passed by the Senate, of course. Hm. I strayed off topic a bit.

pgit

You have a down to earth, rock solid grasp on what you know and what you don't know, what you could call "situational awareness." Good situational awareness in an industry as wide as this is a difficult nut to crack. I feel like I'm swimming in a sea out of sight of all but one little spit of land. (the network stack) I'm vaguely aware there's whole continents of programming languages, end use concepts, OS development etc, but don't have the outlines of those continents drawn clearly. Your perspective seems as if you have launched a satellite and at least have the entirety of the "world of IT" in eyeshot. To wit: "There are limits to my knowledge. I don't know that I could get into much depth with an article about things at the level of, say, assembly language rootkit development or "shellcode" exploits, since I haven't really dealt with that sort of thing much. I know some of the principles well enough to touch on such subjects with the 1000-foot view,..." You know what you don't know. That's as good as knowing something in many ways. I second seanferd; Tech Republic would be well advised to see to it you stick around. (as well as other most helpful folk like Michael Kassner) I'd be grateful if they'd sweeten the pot to encourage you to write/post more. But I know what you mean about having to go where the money is. I've had to deal with some very dense people these last few weeks as the preferred work has been slow. That's largely my "fault" because the networks and servers I set up rarely fail... =) ~erg~ I spent 20 minutes calming down one fellow who was lost because his webmail and home page weren't in the IE history drop-down after a clean install. 1/2 the time was getting him to tell me what the sites were then finding them, the other 1/2 trying to get him to see that they were now in the history where he always accessed them from. But it's money.