Suppose you have an internal application developed to manage
users and other things, but some admins still sometimes make changes to
/etc/passwd or /etc/master.passwd via sudo. That is where the idea of file write
protection comes in. I suggested using chflags.
Write protection can be set under GNU/Linux and FreeBSD, by the root user only, using a special bit called
immutable. Once this bit is set, no one can delete
or modify the file, including root, and only root can clear the file
immutable bit.
You must be the root user to set or clear the immutable bit.
1. Set the file immutable bit
Use the chflags command as follows:
# chflags schg /tmp/test.doc
Try to remove or modify the file with rm or vi:
# rm -f /tmp/test.doc
rm: /tmp/test.doc: Operation not permitted
Don’t be surprised: even root is not allowed to remove or modify the file. This is
useful for protecting important files such as /etc/passwd,
/etc/master.passwd etc.
2. Display whether the file immutable bit is on or off:
# ls -lo /tmp/test.doc
-rw-r--r-- 1 root wheel schg 19 Jun 29 22:22 /tmp/test.doc
3. Clear or remove the file immutable bit:
# chflags noschg /tmp/test.doc
Now you can remove or modify the file. Please note that the immutable flag can be
set by the root user only. chflags also supports a few other interesting
flags:
arch: set the archived flag
nodump: set the nodump flag
sappnd: set the system append-only flag
schg: set the system immutable flag
sunlnk: set the system undeletable flag
uappnd: set the user append-only flag
uchg: set the user immutable flag
uunlnk: set the user undeletable flag
Putting the letters “no” before an option causes the flag to be turned off.
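The check from step 2 can be scripted to audit that files expected to be immutable still carry schg. This is an added example, not part of the original post: it parses the flags column of FreeBSD ls -lo output, the helper names (flags_of, has_flag, audit_listing) are made up for illustration, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): audit the flags column of
# FreeBSD `ls -lo` output. Function names are hypothetical helpers.

# flags_of LINE: print the flags column (5th field) of one `ls -lo` line.
# FreeBSD ls prints "-" there when no flags are set.
flags_of() {
    printf '%s\n' "$1" | awk '{ print $5 }'
}

# has_flag LINE FLAG: succeed only if FLAG is one of the comma-separated
# flags, matched as a whole word so "uchg" is never mistaken for "schg".
has_flag() {
    case ",$(flags_of "$1")," in
        *,"$2",*) return 0 ;;
        *)        return 1 ;;
    esac
}

# audit_listing FLAG: read `ls -lo` lines on stdin, report every path that
# lacks FLAG, and return non-zero if any were found.
# Assumes paths contain no spaces (the path is taken as the last word).
audit_listing() {
    missing=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! has_flag "$line" "$1"; then
            printf 'MISSING %s: %s\n' "$1" "${line##* }"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample listing; on a live FreeBSD host use instead:
#   ls -lo /etc/passwd /etc/master.passwd | audit_listing schg
audit_listing schg <<'EOF' || echo "audit failed: flag missing"
-rw-r--r--  1 root  wheel  schg 19 Jun 29 22:22 /tmp/test.doc
-rw-------  1 root  wheel  schg,nodump 512 Jun 29 22:22 /etc/master.passwd
-rw-r--r--  1 root  wheel  - 1024 Jun 29 22:22 /etc/passwd
EOF
```

Run from cron or a monitoring agent, a non-zero exit from audit_listing signals that a protected file has lost its flag.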
It is possible to do this in GNU/Linux too, using the chattr command. For more info on it, see man chattr.
You can also explore the various GNU/Linux options for viewing these attributes by reading man ls and checking out the options.