There’s a common misconception (the book I’m reading now suffers from it) that single-user mode on a Unix such as Mac OS X gives you root access. Actually, it grants you higher access than root. For example, set the immutable flag on a file (schg, I think, but my iPhone doesn’t have man): root can’t remove the flag, but the single user can.
Am I misunderstanding what you’re saying about flags, or does Darwin differ from FreeBSD with this?
[djm@sif ~]$ touch test_file
[djm@sif ~]$ sudo chflags schg test_file
[djm@sif ~]$ ls -lo test_file
-rw-r--r-- 1 djm djm schg 0 2 May 19:56 test_file
[djm@sif ~]$ rm test_file
override rw-r--r-- djm/djm schg for test_file? y
rm: test_file: Operation not permitted
[djm@sif ~]$ sudo rm test_file
override rw-r--r-- djm/djm schg for test_file? y
rm: test_file: Operation not permitted
[djm@sif ~]$ sudo chflags noschg test_file
[djm@sif ~]$ ls -lo test_file
-rw-r--r-- 1 djm djm - 0 2 May 19:56 test_file
[djm@sif ~]$ rm test_file
[djm@sif ~]$
That’s not how Darwin works, and I think Darwin has it correct. Those flags should be MACs.
Ah-ha!
It seems that this depends on kern.securelevel, which is set to -1 by default on FreeBSD.
According to the security(7) manpage on FreeBSD, you should be able to get rid of the flag when kern.securelevel is -1 or 0, but not when it’s 1+ (and the actual behaviour matches this).
I’ve been told that on OS X it’s set to 0 by default, so I’m not sure what’s going on there…
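As an added illustration of the securelevel point made above (this is example code, not from the post or its comments): a small audit that parses `ls -lo` output of the kind shown in the session and, given the current `kern.securelevel`, reports whether each immutable flag is actually enforced against root. The thresholds follow security(7) as summarised in the comment (system flags such as schg are clearable by root at securelevel -1 or 0, not at 1 or above; user flags such as uchg are always clearable by the owner or root); the listing is constructed sample data.

```python
import re

# System flags: only kern.securelevel >= 1 stops root from clearing them (security(7)).
SYSTEM_FLAGS = {"schg", "sappnd", "sunlnk"}
# User flags: the owner or root can clear these at any securelevel.
USER_FLAGS = {"uchg", "uappnd"}

# ls -lo columns: mode links owner group flags size <3-token date> name
LS_LO = re.compile(
    r"^(\S+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+\s+\S+\s+\S+)\s+(.+)$"
)

# Constructed sample listing, modelled on the ls -lo output in the comment above.
SAMPLE = """\
-rw-r--r--  1 djm   djm    schg        0  2 May 19:56 test_file
-rw-r--r--  1 root  wheel  -          48  2 May 19:56 notes.txt
-rw-------  1 root  wheel  uchg,schg  12  2 May 19:56 login.conf
"""


def parse_ls_lo(listing):
    """Return (name, set_of_flags) per line; a '-' flags column means no flags."""
    rows = []
    for line in listing.splitlines():
        m = LS_LO.match(line.strip())
        if not m:
            continue  # skip 'total N' headers or anything else that is not a file row
        flags = set() if m.group(5) == "-" else set(m.group(5).split(","))
        rows.append((m.group(8), flags))
    return rows


def protection(flags, securelevel):
    """Classify what the flags on a file buy you at the given kern.securelevel."""
    if flags & SYSTEM_FLAGS:
        return "enforced-against-root" if securelevel >= 1 else "root-clearable"
    if flags & USER_FLAGS:
        return "root-clearable"
    return "unprotected"


def audit(listing, securelevel):
    """Map each file in an ls -lo listing to its effective protection level."""
    return {name: protection(flags, securelevel) for name, flags in parse_ls_lo(listing)}


if __name__ == "__main__":
    for level in (-1, 0, 1):
        for name, status in audit(SAMPLE, level).items():
            print(f"securelevel={level:2d}  {name:<12} {status}")
```

On a live FreeBSD or Darwin box the inputs would come from `sysctl -n kern.securelevel` and `ls -lo`; the takeaway is that an schg flag at securelevel 0 is a speed bump for an attacker who already has root, not a control.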