# schg flag



## balanga (Jul 28, 2018)

I don't really know much about file flags but I know I can't delete a file which has an schg flag, unless I remove that flag... but how?

chflags() sounds like the cmd to use, but which option?

And how do I find all the files on my system which have this flag set?


----------



## obsigna (Jul 28, 2018)

https://www.google.com/search?q=how+to+remove+schg+flags+from+a+file


----------



## ShelLuser (Jul 28, 2018)

Actually, the chflags(8) shows you exactly what to do:


```
schg, schange, simmutable
                       set the system immutable flag (super-user only)

<cut>

     Putting the letters "no" before or removing the letters "no" from a
     keyword causes the flag to be cleared.  For example:

           nouchg  clear the user immutable flag (owner or super-user only)
```
So you need to set the noschg flag on it: `# chflags noschg <filename>`.

However, be aware of: kern.securelevel, this is actually one of my favorite FreeBSD security aspects. Check with sysctl, if this has a value of 1 or higher then you can forget about removing any schg flags because the system will deny you from doing so.

To find all files which have such flags simply use find(1), use the -flags parameter.


----------



## blind0ne (Oct 26, 2021)

ShelLuser said:


> Actually, the chflags(8) shows you exactly what to do:
> 
> 
> ```
> ...


What if
# sysctl kern.securelevel
kern.securelevel: -1

do I need to worry?


----------



## SirDice (Oct 26, 2021)

blind0ne said:


> do I need to worry?


No, that just means the security levels have been turned off. Which is the default.


```
The kernel runs with five different security levels.  Any super-user
     process can raise the level, but no process can lower it.  The security
     levels are:

     -1    Permanently insecure mode - always run the system in insecure mode.
           This is the default initial value.

     0     Insecure mode - immutable and append-only flags may be turned off.
           All devices may be read or written subject to their permissions.

     1     Secure mode - the system immutable and system append-only flags may
           not be turned off; disks for mounted file systems, /dev/mem and
           /dev/kmem may not be opened for writing; /dev/io (if your platform
           has it) may not be opened at all; kernel modules (see kld(4)) may
           not be loaded or unloaded.  The kernel debugger may not be entered
           using the debug.kdb.enter sysctl.  A panic or trap cannot be forced
           using the debug.kdb.panic, debug.kdb.panic_str and other sysctl's.

     2     Highly secure mode - same as secure mode, plus disks may not be
           opened for writing (except by mount(2)) whether mounted or not.
           This level precludes tampering with file systems by unmounting
           them, but also inhibits running newfs(8) while the system is multi-
           user.

           In addition, kernel time changes are restricted to less than or
           equal to one second.  Attempts to change the time by more than this
           will log the message “Time adjustment clamped to +1 second”.

     3     Network secure mode - same as highly secure mode, plus IP packet
           filter rules (see ipfw(8), ipfirewall(4) and pfctl(8)) cannot be
           changed and dummynet(4) or pf(4) configuration cannot be adjusted.
```
See security(7).


----------

