Date: Fri, 26 May 1995 11:53:55 UTC+0200
From: Javier Martin Rueda <jmrueda@diatel.upm.es>
To: questions@FreeBSD.org
Subject: Which files should have append-only and immutable flags?
Message-ID: <706*/S=jmrueda/OU=diatel/O=upm/PRMD=iris/ADMD=mensatex/C=es/@MHS>

I've been experimenting a little bit with the chflags command, and I was wondering if there exists any recommendation about which files should have the system append-only and system immutable flags on?

After some quick thinking, it seems that probably the following directories and all the files inside should be immutable, as they are not supposed to change in the operating system's lifetime:

/sbin, /usr/sbin, /bin, /usr/bin, /usr/lib, /usr/X11R6/bin, /usr/X11R6/lib

The files in the following directories should be immutable, but the directory should not, as new files can be added. The directory may be append-only:

/usr/local/bin, /usr/local/lib

Several configuration files that are not supposed to change should be immutable, such as:

/etc/rc, /etc/services, /etc/protocols...

And it would be interesting that some log files were append-only, such as:

/var/log/messages, /var/log/wtmp...

However, with the latter files, there's the problem that you cannot rename them, compress them, or delete them, so that you cannot rotate the logs while multiuser.

Of course, for all this to work, the system security level should be 1 or 2.

Does anybody use flags, and can give some advice about their use?

P.S.: By the way, if a normal user tries to set a system flag in one of his files, he doesn't succeed, but he gets no error either. Is that supposed to be ok? I think that "operation not permitted" should be returned.
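
A read-only audit of the flag layout proposed in the message above, added here as an example and not part of the original e-mail: it reports every listed path that lacks the system immutable (`schg`) or system append-only (`sappnd`) flag. The function and variable names are hypothetical, and the treatment of subdirectories and symbolic links is an assumption the message does not settle.

```python
import os
import stat

NAMES = {stat.SF_IMMUTABLE: "schg", stat.SF_APPEND: "sappnd"}
SCHG_TREES = ("/sbin", "/usr/sbin", "/bin", "/usr/bin", "/usr/lib",
              "/usr/X11R6/bin", "/usr/X11R6/lib")
LOCAL_TREES = ("/usr/local/bin", "/usr/local/lib")

# (tree, flag expected on files inside, flag expected on the directories)
DIR_POLICY = [(d, stat.SF_IMMUTABLE, stat.SF_IMMUTABLE) for d in SCHG_TREES]
DIR_POLICY += [(d, stat.SF_IMMUTABLE, stat.SF_APPEND) for d in LOCAL_TREES]

FILE_POLICY = {p: stat.SF_IMMUTABLE
               for p in ("/etc/rc", "/etc/services", "/etc/protocols")}
FILE_POLICY.update({p: stat.SF_APPEND
                    for p in ("/var/log/messages", "/var/log/wtmp")})


def read_flags(path):
    """Return the BSD file flags of path (0 where st_flags is unavailable)."""
    return getattr(os.lstat(path), "st_flags", 0)


def audit(dir_policy=DIR_POLICY, file_policy=FILE_POLICY, flags_of=read_flags):
    """Return sorted (path, flag_name) pairs for paths lacking their flag."""
    expected = dict(file_policy)
    for top, file_flag, dir_flag in dir_policy:
        expected[top] = dir_flag
        for root, dirs, files in os.walk(top):
            # Assumption: subdirectories get the same flag as their tree root.
            for name in dirs:
                expected[os.path.join(root, name)] = dir_flag
            for name in files:
                expected[os.path.join(root, name)] = file_flag
    missing = []
    for path, flag in expected.items():
        # Skip absent paths and symbolic links (assumption: links are not flagged).
        if not os.path.lexists(path) or os.path.islink(path):
            continue
        if not flags_of(path) & flag:
            missing.append((path, NAMES[flag]))
    return sorted(missing)


if __name__ == "__main__":
    for path, name in audit():
        print(f"{name} not set: {path}")
```

The audit only reads flags, so it runs at any security level.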