> ... the superuser can set or clear [immutable/append-only attributes].
With a Linux kernel, you can prevent clearing these flags by dropping CAP_LINUX_IMMUTABLE from the Capability Bounding Set by doing:
echo 0xFFFEFFFF ?> /proc/sys/kernel/cap-boundAnd, to make the Linux kernel more secure then the similar OpenBSD setup, you can also drop CAP_SYS_MODULE and CAP_SYS_RAWIO (and similar capabilities). For a good description, see "Fun with the capability bounding set" at
Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds