Securing Files and Verifying File Integrity in Oracle® Solaris 11.3

Updated: October 2017


Examples of Setting Security-Relevant Attributes on ZFS Files

This section shows how to add security-relevant attributes to ZFS files and how to display them.


Note -  If you are working in a non-global zone, you cannot set the immutable, nounlink, or appendonly attributes by default, because the zone lacks the file_flag_set privilege. Add that privilege to the zone to enable these attributes. See How to Modify Zone Privileges in Creating and Using Oracle Solaris Zones.

Example 21  Making a ZFS File Immutable

A user who is assigned the Object Access Management rights profile makes a file immutable by setting its immutable (i) attribute in compact form. While the attribute is set, writes and deletions fail with EPERM, which bash and rm report as Not owner, regardless of the file's permission bits or ownership:

$ chmod S+ci file.1
$ echo this >>file.1
-bash: file.1: Not owner
$ rm file.1
rm: cannot remove `file.1': Not owner

To display the attributes in compact form, the user runs the ls -l/c command. Each position inside the braces stands for one attribute and shows that attribute's letter when it is set; here A (archive), i (immutable), and m (av_modified) are set:

$ ls -l/c file.1
-rw-r--r--+  1 root     root      206695 Jul 20 14:27 file.1
{A-----im----}

To make the file writable and removable again, the same user clears the attribute:

$ chmod S-ci file.1
$ ls -l/c file.1
-rw-r--r--+  1 root     root      206695 Jul 20 14:27 file.1
{A------m----}

Example 22  Making a ZFS File Read-Only

The following example sets the readonly (R) attribute on a ZFS file, which blocks writes to the file:

$ chmod S+cR file.2
$ echo this >>file.2
-bash: file.2: Not owner

Preventing Accidental Deletions With the nounlink Attribute

The nounlink attribute complements the immutable attribute by protecting files and directories from being removed by accident. Unlike immutable, however, nounlink only prevents the object from being deleted or renamed; applications and users can still write to it, and can still truncate it.

This makes nounlink a good fit for files that must keep existing, such as log files and database datafiles. The one requirement is that the application must not delete or rename the files as part of its normal operation, because nounlink would block that too. If the contents must be protected as well, combine nounlink with the appendonly attribute, which allows a file to be modified only at the end of the file.

Example 23  Protecting Files in a Directory From Deletion

In this example, an administrator who is assigned the Object Access Management rights profile and a pfbash login shell prevents the accidental deletion of important applications. With the nounlink attribute set on the directory, the file owners, the administrator, and even the root role must first clear the attribute before they can delete files in that directory.

$ cd /apps/ADMIN
$ chmod S+vnounlink .
$ touch test2
$ echo text >> test2
$ cat test2
text
$ rm test2
rm: test2 not removed: Not owner
$ chmod S-vnounlink .
$ rm test2
$ ls test2
test2: No such file or directory

The owner can still modify the files in the directory, including truncating them by accident. But even the root role cannot delete them until the nounlink attribute is cleared.

nounlink can make a single file undeletable:

$ cd /apps/ADMIN
$ chmod S+vnounlink importantApp

Displaying and Changing ZFS File Attributes

You can display and set special attributes with the following syntax:

$ ls -l/v file.3
-r--r--r--   1 root     root      206695 Jul 20 14:59 file.3
{archive,nohidden,noreadonly,nosystem,noappendonly,nonodump,
noimmutable,av_modified,noav_quarantined,nonounlink,nooffline,nosparse}
$ chmod S+cR file.3
$ ls -l/v file.3
-r--r--r--   1 root     root      206695 Jul 20 14:59 file.3
{archive,nohidden,readonly,nosystem,noappendonly,nonodump,noimmutable,
av_modified,noav_quarantined,nonounlink,nooffline,nosparse}

Some of these attributes are meaningful mainly when the file system is shared over SMB: archive, hidden, and system carry the DOS file attributes that SMB clients set and read, and av_modified and av_quarantined are maintained by the vscan antivirus service. The readonly attribute is also honored locally, as Example 22 shows.

You can clear every attribute on a file at once with chmod S-a, where a stands for all attributes. For example:

$ chmod S-a file.3
$ ls -l/v file.3
-r--r--r--   1 root     root      206695 Jul 20 14:59 file.3
{noarchive,nohidden,noreadonly,nosystem,noappendonly,nonodump,
noimmutable,noav_modified,noav_quarantined,nonounlink,nooffline,nosparse}
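
The compact string that ls -l/c prints (see Example 21) is easy to read by eye but awkward to check across many files. The following is an added example, not code from the Oracle Solaris documentation, that decodes the compact string into attribute names and audits a captured ls -l/c listing for files that lack required attributes, for instance to confirm that everything under a protected directory still carries nounlink after a change window. The letter order is assumed from the verbose ls -l/v listing above, and the sample listing is constructed from Example 21, with the second entry renamed file.2 so that both appear in one listing.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): decode the compact
# attribute string that `ls -l/c` prints on the line after each entry, and audit
# a captured listing for files that lack required attributes. The attribute
# order is assumed from the verbose `ls -l/v` listing on this page; the compact
# letters for those positions are A H R S a d i m q u O s.

ATTR_NAMES="archive hidden readonly system appendonly nodump immutable av_modified av_quarantined nounlink offline sparse"

# decode_attrs '{A-----im----}'  ->  "archive immutable av_modified"
decode_attrs() {
    s=$(printf '%s' "$1" | tr -d '{} \t')
    i=1
    out=""
    for name in $ATTR_NAMES; do
        c=$(printf '%s' "$s" | cut -c"$i")
        case $c in
            ''|-) ;;                       # position empty or attribute cleared
            *) out="$out $name" ;;         # any letter means the attribute is set
        esac
        i=$((i + 1))
    done
    printf '%s\n' "${out# }"
}

# has_attr '{A-----im----}' immutable  ->  exit status 0 if set, 1 if not
has_attr() {
    for n in $(decode_attrs "$1"); do
        [ "$n" = "$2" ] && return 0
    done
    return 1
}

# audit_required "attr [attr...]" < ls_output
# Reads `ls -l/c` output (entry line, then attribute line) from stdin and prints
# one MISSING line per required attribute that a file lacks. Exit status is 0
# only when every file has every required attribute. Assumes file names without
# spaces, since the name is taken as the last field of the entry line.
audit_required() {
    required=$1
    missing=0
    while IFS= read -r entry; do
        case $entry in
            'total '*|'') continue ;;      # `ls -l` header or blank line
        esac
        IFS= read -r attrs || break        # the attribute line follows the entry
        file=${entry##* }
        for want in $required; do
            if ! has_attr "$attrs" "$want"; then
                printf 'MISSING %s on %s\n' "$want" "$file"
                missing=$((missing + 1))
            fi
        done
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample: the two listings from Example 21 (before and after S-ci),
# with the second entry renamed file.2 so both appear in one listing.
SAMPLE_LS_OUTPUT='-rw-r--r--+  1 root     root      206695 Jul 20 14:27 file.1
{A-----im----}
-rw-r--r--+  1 root     root      206695 Jul 20 14:27 file.2
{A------m----}'

# Stand-alone demo; on a Solaris host feed `ls -l/c /apps/ADMIN` instead.
decode_attrs '{A-----im----}'
printf '%s\n' "$SAMPLE_LS_OUTPUT" | audit_required "immutable" || echo "audit failed"
```

On a Solaris host the audit would be driven by `ls -l/c /apps/ADMIN | audit_required "nounlink"` from a cron job or a post-change check; a non-zero exit status then flags any file whose protection was cleared and not restored.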