Saturday, May 02, 2009

Rootier than root

There's a common misconception, the book I'm reading now suffers from it, that single-user mode on a unix such as mac os x gives you root access. Actually, it grants you higher access than root. For example, set the immutable flag on a file (schg I think, but my iPhone doesn't have man). Root can't remove the flag, but the single user can.

3 comments:

djm said...

Am I misunderstanding what you're saying about flags, or does Darwin differ from FreeBSD with this?

[djm@sif ~]$ touch test_file
[djm@sif ~]$ sudo chflags schg test_file
[djm@sif ~]$ ls -lo test_file
-rw-r--r-- 1 djm djm schg 0 2 May 19:56 test_file
[djm@sif ~]$ rm test_file
override rw-r--r-- djm/djm schg for test_file? y
rm: test_file: Operation not permitted
[djm@sif ~]$ sudo rm test_file
override rw-r--r-- djm/djm schg for test_file? y
rm: test_file: Operation not permitted
[djm@sif ~]$ sudo chflags noschg test_file
[djm@sif ~]$ ls -lo test_file
-rw-r--r-- 1 djm djm - 0 2 May 19:56 test_file
[djm@sif ~]$ rm test_file
[djm@sif ~]$

Graham Lee said...

That's not how Darwin works, and I think Darwin has it correct. Those flags should be MACs.

djm said...

Ah-ha!

It seems that this depends on kern.securelevel, which is set to -1 by default on FreeBSD.

According to the security(7) manpage on FreeBSD, you should be able to get rid of the flag when kern.securelevel is -1 or 0, but not when it's 1+ (and the actual behaviour matches this).

I've been told that on OS X it's set to 0 by default, so I'm not sure what's going on there...