File Directory Flags in macOS
On macOS, files and directories carry a set of BSD file flags, separate from the usual permission bits, that dictate how they may be modified. They are set and cleared with the chflags command and are listed by passing the -O option to ls. In this blog post, we will explore which flags are available, how they alter the behaviour of a file or directory, and why cybersecurity professionals should know about them.
It’s demo time!#
Safeguarding the contents of a file#
Let’s work with the text file example.txt now. It has one line of text, as seen in the following screenshot.
Let us set the uappend flag on it, which only allows contents to be appended to the file: no existing line can be removed or overwritten. chflags also accepts this flag under the shorter name uappnd.
We can see that the flag has been applied to the file successfully.
When we attempt to overwrite the contents of this file with a shell redirect, the operation is not permitted: opening the file for truncation is refused by the kernel with EPERM, because truncating is not an append. The echo command itself behaves the same way as its Linux counterpart; it is the open performed by the shell that fails.
However, when we attempt to append contents to the file, we can see that it is successful.
Now the file has two lines of text.
Preventing any change to a file/directory#
Let's assume a user has a file or directory that they do not wish to be modified at all. They can set the immutable flag on it. We will set this flag on the sample/ directory. Before that, let's confirm that it is possible to create new folders within sample/ by right-clicking anywhere in the directory in Finder.
Now the immutable flag has been set for sample/.
We can view the flags set on all the contents of the test/ directory with ls and its -O option. The immutable flag is also referred to by the names uchg and uchange, which is why we see uchg in the screenshot below. Different names, but the same meaning and behaviour.
In Finder, notice the small lock badge in the bottom-left corner of the sample/ directory's icon.
Within sample/, when we right-click to add a new folder, the option is no longer presented in the context menu.
Even from the terminal it is not possible to create a new directory within sample/; the attempt fails with "Operation not permitted", since adding an entry would modify the directory.
The flag is removed by prepending no to its name (nouchg), as shown below.
Now the lock badge also disappears and sample/ can be used without any restrictions.
The same immutable flag can be applied to files too, to prevent accidental modification. Note the word accidental: because the owner can clear uchg at any time, it protects against mistakes and careless scripts, not against an attacker already running as that user.
Are there any other flags available?#
Yes, there are some more flags available on macOS.
There are variants of the immutable flag, named schg, schange and simmutable, that can be set and cleared only by the super-user. The variants discussed above can be set and cleared by the file owner or the super-user. Notice the naming convention: flags the file owner may change start with u (user), and flags reserved for the super-user start with s (system).
There are similar super-user-only variants of the append-only flag: sappnd and sappend.
Two further flags are available to both the file owner and the super-user: nodump, which tells the dump command to skip the file when backing up a filesystem, and opaque, which makes a directory opaque in a union mount so that entries from the lower layer are not shown through it. macOS additionally has a hidden flag, which hides the file from Finder while leaving it visible to ls in the terminal.
Why should cybersecurity professionals know about file/directory flags on macOS?#
Flags modify the behaviour of specific files and directories in ways that ordinary permissions do not, and they are easy to overlook: they are not part of the mode bits, so a plain ls -l does not show them, and neither does most GUI tooling unless you ask (ls -lO, or stat with the %Sf format specifier).
Penetration testers, red teamers or cyber adversaries may use these flags to change the expected behaviour of a file or directory, for example making a dropped file harder to delete or hiding it from Finder.
Consequently, digital forensic analysts should include flags in triage: the flags set on a file or directory can explain unexpected behaviour, and a file with uchg, schg or hidden set in a user-writable location deserves a closer look. The find command's -flags option locates such files across a volume quickly.
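As an added example that is not part of the original post, the following Python script turns the two halves of this article into code: it reproduces the append-only demonstration from the first section using os.chflags, and it provides the triage helper the last section calls for, decoding the raw st_flags bits of every entry under a directory into chflags names. The decoder also goes a little beyond the post by naming the compressed and restricted bits, which macOS reports for HFS-compressed and SIP-protected files respectively. The flag-to-name table and the function names are this example's own; the bit values come from the Python stat module (with one fallback taken from sys/stat.h). Only the decoder and scanner are portable; the demonstration needs a macOS or BSD kernel and returns supported=False elsewhere.

```python
"""Decode and hunt for BSD file flags (the ones chflags(1) sets) on macOS."""
import os
import stat
from typing import Dict, List, Sequence, Tuple

# Bit -> chflags(1) name. The stat module defines these constants on every
# platform, so decoding runs anywhere; only os.lstat on macOS/BSD actually
# reports st_flags. SF_RESTRICTED is newer than some Python versions, so the
# value 0x80000 from macOS sys/stat.h is used as a fallback (assumption).
FLAG_NAMES: Dict[int, str] = {
    stat.UF_NODUMP: "nodump",
    stat.UF_IMMUTABLE: "uchg",
    stat.UF_APPEND: "uappnd",
    stat.UF_OPAQUE: "opaque",
    stat.UF_COMPRESSED: "compressed",
    stat.UF_HIDDEN: "hidden",
    stat.SF_ARCHIVED: "arch",
    stat.SF_IMMUTABLE: "schg",
    stat.SF_APPEND: "sappnd",
    getattr(stat, "SF_RESTRICTED", 0x00080000): "restricted",
}

# Flags only root can set or clear ("system" flags, names starting with s).
SUPERUSER_ONLY = {"arch", "schg", "sappnd", "restricted"}


def decode_flags(st_flags: int) -> List[str]:
    """Return the chflags(1) names for the bits set in st_flags, lowest bit first.
    Bits with no known name are reported in hex so nothing is silently dropped."""
    names: List[str] = []
    remaining = st_flags
    for bit in sorted(FLAG_NAMES):
        if st_flags & bit:
            names.append(FLAG_NAMES[bit])
            remaining &= ~bit
    if remaining:
        names.append(f"0x{remaining:x}")
    return names


def needs_root_to_clear(names: Sequence[str]) -> bool:
    """True if any of the decoded flags is a system flag (root required to clear)."""
    return any(name in SUPERUSER_ONLY for name in names)


def scan(root: str, wanted: Sequence[str] = ("uchg", "schg", "uappnd", "sappnd", "hidden")
         ) -> List[Tuple[str, List[str]]]:
    """Walk root and return (path, flag names) for entries carrying any wanted flag.
    On kernels without st_flags (Linux) every entry decodes to [] and nothing matches."""
    hits: List[Tuple[str, List[str]]] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for entry in dirnames + filenames:
            path = os.path.join(dirpath, entry)
            try:
                st = os.lstat(path)  # lstat: report the link itself, not its target
            except OSError:
                continue
            names = decode_flags(getattr(st, "st_flags", 0))
            if set(names) & set(wanted):
                hits.append((path, names))
    return hits


def demo_append_only(path: str) -> dict:
    """macOS/BSD only: put uappnd on path, show that truncation is refused while
    appending succeeds, then clear the flag. Returns the observed outcome."""
    if not hasattr(os, "chflags"):
        return {"supported": False}
    with open(path, "w") as fh:
        fh.write("line one\n")
    os.chflags(path, stat.UF_APPEND)  # chflags uappnd path
    outcome = {"supported": True, "flags": decode_flags(os.lstat(path).st_flags)}
    try:
        with open(path, "w") as fh:  # O_TRUNC: the kernel refuses with EPERM
            fh.write("overwritten\n")
        outcome["overwrite_blocked"] = False
    except PermissionError:
        outcome["overwrite_blocked"] = True
    with open(path, "a") as fh:  # O_APPEND is the one write the flag allows
        fh.write("line two\n")
    with open(path) as fh:
        outcome["line_count"] = len(fh.readlines())
    os.chflags(path, 0)  # chflags nouappnd path: clears every user flag
    return outcome


if __name__ == "__main__":
    import sys
    import tempfile

    with tempfile.TemporaryDirectory() as tmp:
        print(demo_append_only(os.path.join(tmp, "example.txt")))
    for hit_path, hit_names in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        marker = " (root needed to clear)" if needs_root_to_clear(hit_names) else ""
        print(f"{hit_path}: {','.join(hit_names)}{marker}")
```

Run it with a directory argument to list every entry under it that carries an immutable, append-only or hidden flag; an entry flagged schg or restricted is reported as needing root to clear, which is the distinction between an owner-level nuisance and a system-level control that the article's u/s naming convention encodes.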