2.6. File Flags (FF)

This model defines some access flags for files, fifos, symlinks and dirs. Currently, the following flags are supported:

Table 2-2. FF rights

Flag                  Checked for                Notes
execute_only          FILE, FIFO, SYMLINK
search_only           DIR
read_only             FILE, FIFO, SYMLINK, DIR
write_only            FILE, FIFO, SYMLINK
secure_delete         FILE                       File is blanked on delete and truncate (ext2, ext3, msdos/vfat, minix only)
no_execute            FILE
no_delete_or_rename   FILE, FIFO, SYMLINK, DIR   new in 1.1.1, not inherited
append_only           FILE, FIFO, SYMLINK        new in 1.1.2, write accesses are limited to APPEND_OPEN and WRITE, read accesses are allowed
add_inherited         FILE, FIFO, SYMLINK, DIR   not inherited

These flags are checked on every access to the given target types. Only users in system_role security officer can change the flags.

The add_inherited flag is special: If set, the parent dir's flags are added (or'd) to the target's own flags. Inheritance is on by default.

Warning

The flags no_delete_or_rename and add_inherited cannot be inherited; they must always be set explicitly!

Please note that the attributes are independent of each other and restrictive: All attributes that are set are applied, e.g. execute_only and no_execute together (or read_only and write_only) lead to no access.

Flags that are only checked for some target types are ignored for the other ones. This can be used to set e.g. search_only and execute_only on a dir - you can SEARCH (not READ!) in the dir and EXECUTE files in it, but nothing else.
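The following C sketch is an added example, not RSBAC source code. It models how a target's enforced flags follow from add_inherited, the two non-inherited flags and the per-type column of Table 2-2. The bit values, type names and function names are hypothetical, and it assumes that a parent with add_inherited set also passes on what it inherited itself.

```c
#include <stdio.h>

/* Hypothetical bit values and names for this sketch; not RSBAC's own constants. */
enum { EXECUTE_ONLY = 1, SEARCH_ONLY = 2, READ_ONLY = 4, WRITE_ONLY = 8,
       SECURE_DELETE = 16, NO_EXECUTE = 32, NO_DELETE_OR_RENAME = 64,
       APPEND_ONLY = 128, ADD_INHERITED = 256 };
enum ttype { T_FILE, T_FIFO, T_SYMLINK, T_DIR };

/* Flags that are never passed down to children (see the Warning above). */
#define NOT_INHERITED (NO_DELETE_OR_RENAME | ADD_INHERITED)

struct node { enum ttype type; unsigned own; const struct node *parent; };

/* Flags checked for each target type, taken from Table 2-2. */
static unsigned checked_for(enum ttype t)
{
    unsigned all = READ_ONLY | NO_DELETE_OR_RENAME | ADD_INHERITED;
    if (t == T_DIR)
        return all | SEARCH_ONLY;
    all |= EXECUTE_ONLY | WRITE_ONLY | APPEND_ONLY;
    return t == T_FILE ? all | SECURE_DELETE | NO_EXECUTE : all;
}

/* Own flags, OR'd with the parent's flags while add_inherited is set. */
static unsigned merged_flags(const struct node *n)
{
    unsigned f = n->own;
    if ((f & ADD_INHERITED) && n->parent)
        f |= merged_flags(n->parent) & ~NOT_INHERITED;
    return f;
}

/* Flags that are actually enforced on this target: others are ignored. */
unsigned effective_flags(const struct node *n)
{
    return merged_flags(n) & checked_for(n->type);
}

int main(void)
{
    /* Constructed tree: /home, /home/alice, /home/alice/tool */
    struct node home  = { T_DIR,  NO_EXECUTE | NO_DELETE_OR_RENAME, NULL };
    struct node alice = { T_DIR,  ADD_INHERITED, &home };
    struct node tool  = { T_FILE, ADD_INHERITED, &alice };
    printf("home=%#x alice=%#x tool=%#x\n", effective_flags(&home),
           effective_flags(&alice), effective_flags(&tool));
    return 0;
}
```

In this model no_execute set on the directory is not enforced on the directory itself but reaches the file two levels down, while no_delete_or_rename stays on /home only.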

Example 2-1. Protecting a group of files against reading

Set write_only on a logging dir. All log files created in that dir inherit the write_only flag, thus the log can never be read unless the flag is removed.

Example 2-2. Create a group of append-only files

Set append_only on a logging dir. All log files created in that dir inherit the append_only flag, thus the log can be read, but writing can only append to the file, unless the flag is removed. Add the write_only flag if the files should not be read either.

Example 2-3. Preventing execution of files from a directory

Set no_execute on /home. All executables below that dir inherit this flag, thus no user can execute files from her home directory, unless the flag is removed.

Example 2-4. Prevent moving of a directory

Set no_delete_or_rename on /home. User home dirs below can be added, removed and individually protected, but the parent dir /home cannot be moved or replaced to fake other home dirs for most users.

File Flags should be used if you need global access settings which are valid for all users.