Linux has file-flags too [LWN.net]

Linux has file-flags too

Posted May 6, 2004 12:45 UTC (Thu) by eru (subscriber, #2753)
In reply to: Linux has file-flags too by kleptog
Parent article: OpenBSD 3.5: a peek at another free Unix

The point was not just having file flags (or file attributes) but their interaction with the securelevels. From Linux "man chattr" (on RH 7.3):

A file with the `i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser can set or clear this attribute.

So a cracker who acquires root privileges can change it. On OpenBSD (and FreeBSD) to "lock down" critical files, you set the immutable flag and then raise the securelevel. After this not even the root can change the file without a reboot. A feature I would like to see in Linux as well.

(Log in to post comments)

Linux has file-flags too

Posted May 6, 2004 17:03 UTC (Thu) by gte223j (guest, #6492) [Link]

you said

"After this not even the root can change the file without a reboot."

all you have to do is go to run level 1 (single user console mode) to change the imuutable flags and file(s), in linux you just have to be root to run chattr.

Linux has file-flags too

Posted May 6, 2004 17:17 UTC (Thu) by jstrand1@rochester.rr.com (guest, #6394) [Link]

"all you have to do is go to run level 1 (single user console mode) to change the imuutable flags and file(s), in linux you just have to be root to run chattr."

This (IMO) downplays the added security. Openbsd requires physical access to use the machine in console mode-- in linux, root remote access is enough.

Linux has file-flags too

Posted May 6, 2004 19:32 UTC (Thu) by flewellyn (subscriber, #5047) [Link]

"Openbsd requires physical access to use the machine in console mode-- in linux, root remote access is enough."

This is true, except that with at least some versions of login, you can use the file /etc/securetty to specify which terminals root is allowed to log in from. And you can restrict ssh so that it does not allow root access from anywhere. This can help reduce the vectors for getting a root login. It won't help with privilege escalation bugs, but there are at least some measures in place.

Linux has file-flags too

Posted May 8, 2004 6:34 UTC (Sat) by tzafrir (subscriber, #11501) [Link]

So if a problem is discovered in one of the binaries in /bin the only way to update it is by rebooting?

Linux has file-flags too

Posted May 9, 2004 22:13 UTC (Sun) by sweikart (guest, #4276) [Link]

> ... the superuser can set or clear [immutable/append-only attributes].

With a Linux kernel, you can prevent clearing these flags by dropping CAP_LINUX_IMMUTABLE from the Capability Bounding Set by doing:

  echo 0xFFFEFFFF ?> /proc/sys/kernel/cap-bound

And, to make the Linux kernel more secure then the similar OpenBSD setup, you can also drop CAP_SYS_MODULE and CAP_SYS_RAWIO (and similar capabilities). For a good description, see "Fun with the capability bounding set" at

  http://lwn.net/1999/1202/kernel.php3

Linux has file-flags too

Posted May 9, 2004 22:28 UTC (Sun) by sweikart (guest, #4276) [Link]

> With a Linux kernel, you can prevent clearing these flags by
> dropping CAP_LINUX_IMMUTABLE from the Capability Bounding Set
> by doing:
>
>  echo 0xFFFEFFFF ?> /proc/sys/kernel/cap-bound

Oops, I copied this line of code from the LWN article, and forgot to change it to drop CAP_LINUX_IMMUTABLE (the example above drops CAP_SYS_MODULE). To drop CAP_LINUX_IMMUTABLE, do

  echo 0xFFFFFDFF ?> /proc/sys/kernel/cap-bound