Securing Files and Verifying File Integrity in Oracle® Solaris 11.4

Updated: August 2018
 
 

Applying Special Attributes to ZFS Files

This section shows how to apply special attributes to ZFS files and how to display them. For more information about displaying and applying special attributes, see the ls(1) and chmod(1) man pages.


Note -  If you are working in a non-global zone, you cannot set the immutable, nounlink, or appendonly attributes by default. You must add the privilege file_flag_set to the zone to enable setting these attributes.

Applying Immutability to a ZFS File

Use the following syntax to make a file immutable. After the attribute is set, attempts to append to the file or to remove it fail:

$ chmod S+ci file.1
$ echo this >>file.1
-bash: file.1: Not owner
$ rm file.1
rm: cannot remove `file.1': Not owner

You can display special attributes on ZFS files by using the following syntax:

$ ls -l/c file.1
-rw-r--r--+  1 root     root      206695 Jul 20 14:27 file.1
{A-----im----}

Use the following syntax to remove file immutability:

$ chmod S-ci file.1
$ ls -l/c file.1
-rw-r--r--+  1 root     root      206695 Jul 20 14:27 file.1
{A------m----}
$ rm file.1

Preventing Accidental Deletions With the nounlink Attribute

The nounlink attribute complements the immutability of files or directories in ZFS by securing them from being accidentally removed. However, unlike the immutable attribute, nounlink only prevents a file from being deleted or renamed. The file can still be changed by applications or by users.

For some examples, see the following blog entry.

Applying Read-Only Access to a ZFS File

The following example shows how to apply read-only access to a ZFS file.

$ chmod S+cR file.2
$ echo this >>file.2
-bash: file.2: Not owner

Displaying and Changing ZFS File Attributes

You can display and set special attributes with the following syntax:

$ ls -l/v file.3
-r--r--r--   1 root     root      206695 Jul 20 14:59 file.3
{archive,nohidden,noreadonly,nosystem,noappendonly,nonodump,
noimmutable,av_modified,noav_quarantined,nonounlink,nooffline,nosparse}
$ chmod S+cR file.3
$ ls -l/v file.3
-r--r--r--   1 root     root      206695 Jul 20 14:59 file.3
{archive,nohidden,readonly,nosystem,noappendonly,nonodump,noimmutable,
av_modified,noav_quarantined,nonounlink,nooffline,nosparse}

Some of these attributes apply only in an Oracle Solaris SMB environment.

You can clear all attributes on a file. For example:

$ chmod S-a file.3
$ ls -l/v file.3
-r--r--r--   1 root     root      206695 Jul 20 14:59 file.3
{noarchive,nohidden,noreadonly,nosystem,noappendonly,nonodump,
noimmutable,noav_modified,noav_quarantined,nonounlink,nooffline,nosparse}
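
The compact listing printed by ls -l/c can be checked mechanically, for example to confirm that files expected to be immutable still carry the attribute. The following shell functions are an added example, not part of the Oracle documentation; the function names and the second sample record are constructed, and the code assumes that the compact string holds one character per attribute in the same order as the ls -l/v listing above.

```bash
#!/bin/bash
# Added example. Attribute names in the order `ls -l/v` lists them on this page.
# Assumption: the compact `ls -l/c` string has one character per attribute in
# that same order, with "-" meaning "not set".
ATTR_NAMES="archive hidden readonly system appendonly nodump immutable
av_modified av_quarantined nounlink offline sparse"

# decode_attrs '{A-----im----}' prints the names of the attributes that are set.
decode_attrs() {
    flags=${1#?}; flags=${flags%?}       # strip the surrounding braces
    out=""
    for name in $ATTR_NAMES; do
        c=${flags%"${flags#?}"}          # first remaining character
        flags=${flags#?}
        if [ -n "$c" ] && [ "$c" != "-" ]; then out="$out $name"; fi
    done
    echo "${out# }"
}

# audit_missing ATTR reads `ls -l/c` output on stdin and prints every file
# whose attribute line lacks ATTR. File names containing spaces are not handled.
audit_missing() {
    want=$1; file=""
    while IFS= read -r line; do
        line=${line#"${line%%[![:space:]]*}"}   # strip leading whitespace
        case $line in
            \{*\})
                case " $(decode_attrs "$line") " in
                    *" $want "*) ;;
                    *) echo "$file" ;;
                esac ;;
            ?*) file=${line##* } ;;
        esac
    done
}

# Constructed sample: file.1 as shown above; file.2 is a made-up second record.
SAMPLE='-rw-r--r--+  1 root     root      206695 Jul 20 14:27 file.1
{A-----im----}
-rw-r--r--+  1 root     root      206695 Jul 20 14:27 file.2
{A------m----}'

printf '%s\n' "$SAMPLE" | audit_missing immutable   # prints: file.2
# On a live system: ls -l/c file.1 file.2 | audit_missing immutable
```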