Project 69. Delete Immutable Files

"Why can't I delete a particular file, even as the root user?"

This project gives some tips on how you might delete a file that appears to be indestructible, and covers the chflags command. It explains permissions in terms of the Unix flags, which supplement the normal permissions covered in Projects 7 and 8.

Learn More

Refer to Project 8 to learn about Unix permissions and Project 7 to learn about users and groups.


Immutable Files

You're probably familiar with the concepts of Unix users, groups, and permissions, but you're less likely to have encountered Unix flags: settings that can give files special attributes. Flag attributes include immutable, which prevents deleting or changing a file in any way, and append only, which allows content to be added to a file but forbids changing information that the file already contains. Each of these attributes comes in two flavors: user level and system level. User-level attributes govern how normal users may access the file; system-level attributes apply to the root user too.

To switch attribute flags on and off, use the chflags command. (Read the man page for chflags to see a list of all the supported flags.) Let's look at an example in which we lock a file so that it cannot be written to or deleted by any user other than root.

As an example, create the file immutable, and set the user immutable (uchg) flag.

$ touch immutable
$ chflags uchg immutable


To see which flags are set on a file, use the ls command with options -o and the usual -l. You'll notice the text uchg just after the file owner and associated group saruman.

$ ls -ol immutable
-rw-r--r-- 1 saruman saruman uchg 0 Aug 13 12:36 immutable


Despite the owner's having write permission for the file immutable, it cannot be written to or deleted, by the owner or by any user other than root. Let's attempt to write to the file and remove it.

$ echo "Change me" >> immutable
-bash: immutable: Operation not permitted
$ rm immutable
override rw-r--r-- saruman/saruman uchg for immutable? y
rm: immutable: Operation not permitted


Note

The Finder uses the user immutable flag when it locks a file. Setting and unsetting the flag is the same as checking and unchecking the Locked box in the Finder's Get Info window.


Attempting to edit the file with a text editor such as nano will also fail.

To unset the immutable flag, use chflags again, but prefix the name of the flag we previously set with "no".

$ chflags nouchg immutable
$ ls -lo immutable
-rw-r--r-- 1 saruman saruman - 0 Aug 13 12:36 immutable


Tip

The append flag allows a file to be extended by adding text to the end of the file but not changing it in any other way. Because of the way most applications open and write to a file, append behaves just like immutable. You'll find, however, that append works well when applied to log files (Projects 41 and 42).


We may now change the file and delete it.

$ echo "Change me" >> immutable
$ rm immutable


The undeletable flag (uunlnk) is not supported by the HFS+ file system used by Mac OS X.

$ chflags uunlnk delete
chflags: invalid flag: uunlnk


System Immutable

Here's an example in which we set the system immutable flag.

Warning

BE WARNED: read the whole of this section before deciding to try out the example.


Let's create a file called sys-immutable and set the system immutable flag by using the chflags command. Only the root user may set system flags, so we issue chflags from the sudo command.

$ touch sys-immutable
$ sudo chflags schg sys-immutable
Password:
$ ls -ol sys-immutable
-rw-r--r-- 1 saruman saruman schg 0 13 Aug 11:06 sys-immutable


As you might expect, we cannot delete the file, even as the root user.

$ sudo rm sys-immutable
override rw-r--r-- saruman/saruman schg for sys-immutable? y
rm: sys-immutable: Operation not permitted


To remove it, we must first unset the system immutable flag.

$ sudo chflags noschg sys-immutable
chflags: schange: Operation not permitted


This is not what we intended to happen. Even the root user is not allowed to unset the system immutable flag or, therefore, to change or delete the file. Ever!

Here's why: When your Mac is running in multi-user mode (the normal operating mode; multiple users can share the system simultaneously), it's operating at run level 1. There are some operations that even root is not permitted to do at run level 1, such as turning off the system flags. The only way to achieve this is to run at run level 0, and the only way to run at level 0 is to operate in what's termed single-user mode.

Boot into Single-User Mode

To enter single-user mode, reboot your Mac, and hold down the Command-s key combination as it starts up. Keep the combination held down until you see a dark screen with scrolling white text. When the text stops scrolling, you'll have a root shell and will be running a minimal system. The root user in single-user mode (run level 0) is even more all-powerful than the root user in multi-user mode (run level 1).

Follow these instructions to unset the system immutable flag.

First, mount the file system as writeable (it's currently mounted as read only) by typing

$ mount -uw /


Next, change to the appropriate directory, and issue the chflags command.

$ cd /Users/saruman/...
$ chflags noschg sys-immutable


Finally, reboot by typing

$ reboot


When running normally again, you should be able to delete the file by typing

$ rm sys-immutable
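
The two cases above (user-level flags that chflags can clear directly, and system-level flags that can be cleared only in single-user mode) can be read straight off a listing. The script below is an added example, not code from the book. The function names and the sample listing are constructed for illustration, and uappnd, sappnd and hidden are flag names taken from the chflags man page rather than from this project.

```sh
#!/bin/sh
# Added example (not from the book): read an `ls -ol` listing and report
# which chflags flags lock each file and how to clear them.

# Constructed sample listing in the column layout shown in this project.
sample_listing() {
cat <<'EOF'
total 0
-rw-r--r--  1 saruman  saruman  uchg 0 Aug 13 12:36 immutable
-rw-r--r--  1 saruman  saruman  schg 0 Aug 13 11:06 sys-immutable
-rw-r--r--  1 saruman  saruman  - 0 Aug 13 12:40 plain
-rw-r--r--  1 root  wheel  sappnd,hidden 0 Aug 13 12:41 audit.log
EOF
}

# advise FLAGS NAME: one line per flag in the comma-separated flags column.
advise() {
    if [ "$1" = "-" ]; then
        echo "$2: no flags set"
        return 0
    fi
    for f in $(printf '%s' "$1" | tr ',' ' '); do
        case $f in
            uchg|uappnd)   # user level: can be cleared in normal operation
                echo "$2: $f set (user level); run: chflags no$f $2" ;;
            schg|sappnd)   # system level: cannot be cleared in multi-user mode
                echo "$2: $f set (system level); in single-user mode run: chflags no$f $2" ;;
            *)
                echo "$2: $f set (not a lock flag)" ;;
        esac
    done
}

# audit_listing: parse listing lines from stdin. Field 5 is the flags column;
# the last variable takes the rest of the line, so names may contain spaces.
audit_listing() {
    while read -r mode links owner group flags size mon day time name; do
        if [ "$mode" = "total" ] || [ -z "$name" ]; then
            continue
        fi
        advise "$flags" "$name"
    done
}

sample_listing | audit_listing
```

On current macOS releases the flags column is produced by ls -lO rather than ls -ol; pipe that listing into audit_listing instead of the sample.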


Tip

If you have a file whose name contains odd characters that you cannot type, rename it by typing the first part of the filename and using tabbed completion to complete the filename.

$ mv cafe<Tab>
$ mv cafe\314\201 cafe


In situations where the typeable portion of the filename is not unique, discover the file's i-node with ls and option -i.

$ ls -i caf*
1073337 caf??
1073329 caf???


Then use a command such as

$ find . -maxdepth 1 -inum 1073337 -exec mv {} cafe \;


to rename it.





Mac OS X UNIX 101 Byte-Sized Projects
ISBN: 0321374118
EAN: 2147483647
Year: 2003
Pages: 153
Authors: Adrian Mayo
