Structure and Interpretation of Computer Programmers

I make it easier and faster for you to write high-quality software.

Saturday, May 2, 2009

Rootier than root

There’s a common misconception (the book I’m reading now suffers from it) that single-user mode on a Unix such as Mac OS X gives you root access. Actually, it grants you higher access than root. For example, set the immutable flag on a file (schg, I think, but my iPhone doesn’t have man). Root can’t remove the flag, but the single user can.

posted by Graham Lee at 13:36  

3 Comments »

  1. Am I misunderstanding what you’re saying about flags, or does Darwin differ from FreeBSD with this?

    [djm@sif ~]$ touch test_file
    [djm@sif ~]$ sudo chflags schg test_file
    [djm@sif ~]$ ls -lo test_file
    -rw-r--r-- 1 djm djm schg 0 2 May 19:56 test_file
    [djm@sif ~]$ rm test_file
    override rw-r--r-- djm/djm schg for test_file? y
    rm: test_file: Operation not permitted
    [djm@sif ~]$ sudo rm test_file
    override rw-r--r-- djm/djm schg for test_file? y
    rm: test_file: Operation not permitted
    [djm@sif ~]$ sudo chflags noschg test_file
    [djm@sif ~]$ ls -lo test_file
    -rw-r--r-- 1 djm djm - 0 2 May 19:56 test_file
    [djm@sif ~]$ rm test_file
    [djm@sif ~]$

    Comment by djm — 2009-05-02 @ 20:02

  2. That’s not how Darwin works, and I think Darwin has it correct. Those flags should be MACs.

    Comment by Graham Lee — 2009-05-03 @ 08:52

  3. Ah-ha!

    It seems that this depends on kern.securelevel, which is set to -1 by default on FreeBSD.

    According to the security(7) manpage on FreeBSD, you should be able to get rid of the flag when kern.securelevel is -1 or 0, but not when it’s 1+ (and the actual behaviour matches this).

    I’ve been told that on OS X it’s set to 0 by default, so I’m not sure what’s going on there…

    Comment by djm — 2009-05-11 @ 01:06
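The following script is an added example, not part of the post or its comments. It encodes the security(7) rule djm quotes (root may clear schg at kern.securelevel -1 or 0, nobody can at 1 or higher) and, on a BSD or Mac OS X userland with sysctl and chflags, probes a scratch file to check that the running kernel actually behaves that way; the probe needs root because only the superuser can set schg.

```shell
#!/bin/sh
# Added example (not from the post): does the running kernel's securelevel let
# root clear the system-immutable flag (schg)? Assumes sysctl, chflags and a
# BSD-style "ls -lo"; the live probe is skipped where those are missing.

# Policy per security(7): at securelevel -1 or 0 root may clear schg; at 1 or
# higher nobody can until the level drops, which only happens at boot (for
# example by coming up in single-user mode). Prints "clearable" or "locked".
expect_schg_state() {
    level="$1"
    if [ "$level" -le 0 ]; then
        echo clearable
    else
        echo locked
    fi
}

# Live probe: set schg on a scratch file, try to clear it as root, and compare
# the observed outcome with the policy above. Returns 0 when they match.
probe_securelevel() {
    command -v chflags >/dev/null 2>&1 || { echo "no chflags here; skipping probe"; return 0; }
    [ "$(id -u)" -eq 0 ] || { echo "run as root to set and clear schg"; return 0; }
    level="$(sysctl -n kern.securelevel)"
    expected="$(expect_schg_state "$level")"
    dir="$(mktemp -d)"
    f="$dir/schg_probe"
    : > "$f"
    chflags schg "$f"
    if chflags noschg "$f" 2>/dev/null; then
        observed=clearable
        rm -rf "$dir"
    else
        # At securelevel >= 1 the file cannot be unlinked either, so leave it
        # and tell the operator where it is.
        observed=locked
        echo "left immutable scratch file at $f"
    fi
    echo "kern.securelevel=$level expected=$expected observed=$observed"
    [ "$observed" = "$expected" ]
}

probe_securelevel
```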
