In the recent days, i published blog entries about the filesystem system attributes sensitive and nounlink. But there are some more. Alan Coopersmith pointed to the the man page sysattr that explains these system attributes in a fediverse post. This man page is available in Solaris 11.4 since SRU 45. I would like to demonstrate some of the system attributes mentioned in the man page.
appendonly
The first one is appendonly. Append only just allows you to add things to a file, but to modify already written content. However, nothing prevents you from substituing the file with a new one. So, you should combine this attribute with nounlink
root@testbed:~/tests# echo ThisIsATest > file_appendonly
root@testbed:~/tests# chmod S+vappendonly file_appendonly
root@testbed:~/tests# echo ThisIsATest >> file_appendonly
root@testbed:~/tests# echo ThisIsATest > file_appendonly
-bash: file_appendonly: Insufficient privileges
root@testbed:~/tests# chmod S-vappendonly file_appendonly
root@testbed:~/tests# echo ThisIsATest > file_appendonlyimmutable
The second one is immutable. When this attribute is set, you can´t append to the file or overwrite it. You can´t delete it. And no, this isn’t about the retention feature. This will be a different blog entry.
root@testbed:~/tests# echo ThisIsATest > file_immutable
root@testbed:~/tests# chmod S+vimmutable file_immutable
root@testbed:~/tests# echo ThisIsATest > file_immutable
-bash: file_immutable: Insufficient privileges
root@testbed:~/tests# echo ThisIsATest >> file_immutable
-bash: file_immutable: Insufficient privileges
root@testbed:~/tests# rm file_immutable
rm: file_immutable: override protection 644 (yes/no)? yes
rm: file_immutable not removed: Insufficient privileges
root@testbed:~/tests# chmod S-vimmutable file_immutable
root@testbed:~/tests# echo ThisIsATest >> file_immutable
root@testbed:~/tests# echo ThisIsATest > file_immutableYou can only change the access time and the immutable attribute itself, but the last one only with proper privileges.
av_modified
The next one is av_modified. It’s used by the feature that integrates a virus scanner into Solaris. In my example i simulate it by removing the av_modified attribute. As soon as change the file, the flag reappears, so a virus scanner knows it should rescan the file.
root@testbed:~/tests# echo ThisIsATest > file_avmodified
root@testbed:~/tests# ls -/V file_avmodified
-rw-r--r-- 1 root root 12 Apr. 15 08:58 file_avmodified
{archive,av_modified}
root@testbed:~/tests# chmod S-vav_modified file_avmodified
root@testbed:~/tests# ls -/V file_avmodified
-rw-r--r-- 1 root root 12 Apr. 15 08:58 file_avmodified
{archive}
root@testbed:~/tests# echo ThisIsATest >> file_avmodified
root@testbed:~/tests# ls -/V file_avmodified
-rw-r--r-- 1 root root 24 Apr. 15 09:00 file_avmodified
{archive,av_modified}archive
archive is similar, but is meant to be used by backup tools.
root@testbed:~/tests# echo ThisIsATest > file_archive
root@testbed:~/tests# ls -/V file_archive
-rw-r--r-- 1 root root 12 Apr. 15 09:02 file_archive
{archive,av_modified}
root@testbed:~/tests# chmod S-varchive file_archive
root@testbed:~/tests# ls -/V file_archive
-rw-r--r-- 1 root root 12 Apr. 15 09:02 file_archive
{av_modified}
root@testbed:~/tests# echo ThisIsATest >> file_archive
root@testbed:~/tests# ls -/V file_archive
-rw-r--r-- 1 root root 24 Apr. 15 09:03 file_archive
{archive,av_modified}av_quarantined
The attribute av_quarantined is an interesting one. When set, it prevents you from reading the file and from renaming it.
root@testbed:~/tests# echo ThisIsATest > file_avquarantined
root@testbed:~/tests# chmod S+vav_quarantined file_avquarantined
oot@testbed:~/tests# ls -/V file_avquarantined
-rw-r--r-- 1 root root 12 Apr. 15 09:05 file_avquarantined
{archive,av_modified,av_quarantined}
root@testbed:~/tests# cat file_avquarantined
cat: cannot open file_avquarantined: Permission denied
root@testbed:~/tests# mv file_avquarantined newfile_avquarantined
mv: cannot rename file_avquarantined to newfile_avquarantined: Permission denied
root@testbed:~/tests# chmod S-vav_quarantined file_avquarantined
root@testbed:~/tests# cat file_avquarantined
ThisIsATestHowever it allows you to write into this file. It’s essentially a write only file.
root@testbed:~/tests# chmod S+vav_quarantined file_avquarantined
root@testbed:~/tests# echo Thisisatest >> file_avquarantined
root@testbed:~/tests# cat file_avquarantined
cat: cannot open file_avquarantined: Permission denied
root@testbed:~/tests# chmod S-vav_quarantined file_avquarantined
root@testbed:~/tests# cat file_avquarantined
ThisIsATest
ThisisatestDelegation
You can delegate the privililege to a user. The PRIV_FILE_FLAG_SET privilege is required to set an attribute. All privileges are required to clear it.
I will use a file created by this user.
junior@testbed:~$ echo "thisisatest" > test
junior@testbed:~$ ls -l test
-rw-r--r-- 1 junior staff 12 Apr. 15 18:21 testDespite being the owner of the, the user can`t set the attribute.
junior@testbed:~$ chmod S+vappendonly test
chmod: ERROR: cannot set the following attributes on test: not privileged
{appendonly}You have to give the user junior an additional privilege.
root@testbed:~/tests# usermod -K defaultpriv=basic,file_flag_set junior
UX: usermod: junior is currently logged in, some changes may not take effect until next login.After the next login the user will have this privilege.
junior@testbed:~$ ppriv $$
6080: -bash
flags = <none>
E: basic,file_flag_set
I: basic,file_flag_set
P: basic,file_flag_set
L: allNow the user can set this attribute
junior@testbed:~$ chmod S+vappendonly testHowever, despite being owner of the file, the user can´t remove it as the user would need all privileges to do so.
junior@testbed:~$ chmod S-vappendonly test
chmod: ERROR: cannot set the following attributes on test: not privileged
{noappendonly}Closing
As with the last blog entry, i’ve used the root user to show that this limitations are even in effect for a privileged user.
Some additional notes:
- A number of tools in Solaris support those extended attributes. The man page sysattr explains the options you have to use to enable the tools to work with this attributes.
- I will never be not puzzled about using
/as an option ….
