Rootier than root

There’s a common misconception, and the book I’m reading now suffers from it, that single-user mode on a Unix such as Mac OS X gives you root access. Actually, it grants you higher access than root. For example, set the immutable flag on a file (schg, I think, but my iPhone doesn’t have man). Root can’t remove the flag, but a user in single-user mode can.

This entry was posted in darwin, security, UNIX.

3 Responses to Rootier than root

  1. djm says:

    Am I misunderstanding what you’re saying about flags, or does Darwin differ from FreeBSD with this?

    [djm@sif ~]$ touch test_file
    [djm@sif ~]$ sudo chflags schg test_file
    [djm@sif ~]$ ls -lo test_file
    -rw-r--r-- 1 djm djm schg 0 2 May 19:56 test_file
    [djm@sif ~]$ rm test_file
    override rw-r--r-- djm/djm schg for test_file? y
    rm: test_file: Operation not permitted
    [djm@sif ~]$ sudo rm test_file
    override rw-r--r-- djm/djm schg for test_file? y
    rm: test_file: Operation not permitted
    [djm@sif ~]$ sudo chflags noschg test_file
    [djm@sif ~]$ ls -lo test_file
    -rw-r--r-- 1 djm djm - 0 2 May 19:56 test_file
    [djm@sif ~]$ rm test_file
    [djm@sif ~]$

  2. Graham Lee says:

    That’s not how Darwin works, and I think Darwin has it correct. Those flags should be MACs.

  3. djm says:

    Ah-ha!

    It seems that this depends on kern.securelevel, which is set to -1 by default on FreeBSD.

    According to the security(7) manpage on FreeBSD, you should be able to get rid of the flag when kern.securelevel is -1 or 0, but not when it’s 1+ (and the actual behaviour matches this).

    I’ve been told that on OS X it’s set to 0 by default, so I’m not sure what’s going on there…
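As an added example (not code from the post or its commenters), here is a small POSIX shell audit built on the behaviour djm describes: it parses `ls -lo` output for schg-flagged files and, given the kern.securelevel value, reports whether root could simply clear the flag. The `ls -lo` column layout and the sample lines are constructed assumptions; on a real BSD/macOS host feed it live `ls -lo` output and `sysctl -n kern.securelevel`.

```shell
#!/bin/sh
# Added example, not code from the post or its commenters.
# Audits immutable (schg) files against kern.securelevel: at level -1 or 0
# root can strip the flag with chflags noschg, so the flag only guards
# against mistakes; at level 1 or higher it holds until single-user mode.

# Classify a kern.securelevel value. Prints "advisory" or "enforced".
securelevel_class() {
  case "$1" in
    -1|0) echo advisory ;;
    [1-9]*) echo enforced ;;
    *) echo unknown; return 1 ;;
  esac
}

# Read `ls -lo` lines on stdin and print "<flags> <name>" for each entry
# whose flag column contains schg. Assumes the flag column is field 5
# (as in the comment above); "-" means no flags set.
schg_entries() {
  awk '$5 ~ /(^|,)schg(,|$)/ { print $5, $NF }'
}

# Report each schg-flagged file with whether root could clear the flag.
# $1: securelevel value; stdin: `ls -lo` output.
report() {
  class=$(securelevel_class "$1") || return 1
  schg_entries | while read -r flags name; do
    if [ "$class" = enforced ]; then
      echo "$name: schg enforced (root cannot run chflags noschg)"
    else
      echo "$name: schg advisory only (root can run chflags noschg)"
    fi
  done
}

# Constructed sample in `ls -lo` layout (same shape as the comment above).
SAMPLE='-rw-r--r-- 1 djm djm schg 0 2 May 19:56 test_file
-rw-r--r-- 1 djm djm - 0 2 May 19:56 plain_file
-rw------- 1 root wheel schg,sappnd 0 2 May 19:56 audit.log'

# Live use on a BSD/macOS host:
#   ls -lo /etc | report "$(sysctl -n kern.securelevel)"
echo "$SAMPLE" | report 0
```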
