FreeBSD: How to write protect important file ( even root can NOT modify / delete file )

The chflags utility modifies the file flags of the listed files as specified by the flags operand.

FreeBSD offers write protection, you need to to set special bit call immutable. Once this bit is setup no one can delete or modify file including root. And only root can clear the File immutable bit.

You must be a root user to setup or clear the immutable bit.

Setup file immutable bit

Use chflags command as follows:
# chflags schg /tmp/test.doc
Try to remove or moify file file with rm or vi:
# rm -f /tmp/test.doc
Output:

rm: /tmp/test.doc: Operation not permitted

Now root user is not allowed to remove or modify file. This is useful to protect important file such as /etc/passwd, /etc/master.passwd etc.

Display if file immutable bit is on or off

ls -lo /tmp/test.doc
Output:

-rw-r--r--  1 root  wheel  schg 19 Jun 29 22:22 /tmp/test.doc

Clear or remove file immutable bit

#chflags noschg /tmp/test.doc
Now you can remove or modify file. Please note that immutable flag can be set by root user only. chflags also supports few other interesting flags.

arch: set the archived flag
nodump: set the nodump flag
sappnd: set the system append-only flag
schg: set the system immutable flag
sunlnk: set the system undeletable flag
uappnd: set the user append-only flag
uchg: set the user immutable flag
uunlnk: set the user undeletable flag

Putting the letters no before an option causes the flag to be turned off.

Please note Linux also supports immutable flag to write protect files using chattr command.

See man page chflags and ls commands for more information.

Featured Articles:

Share this with other sys admins!
Facebook it - Tweet it - Print it -

We're here to help you make the most of sysadmin work. So, subscribe!