I'm working on a security agent. Wherein I do not want to allow any user/admin/root to delete my security agent application normally.
If user/admin/root try to delete the .app file then OS should show password dialog. If user knows the password then only it should be deleted.
Any pointer on this would be helpful.
Best Answer
Disclaimer
This answer is not intended as security advice for regular users. Setting your Mac's securelevel to 1 could potentially cause certain software or hardware drivers to malfunction, so I advise doing your own due diligence and independent research and testing to determine whether there could be any undesirable consequences to performing these steps.
Section 5.4.2 of the below-linked article about BSD's features related to security restrictions on the super-user is a good place to start. http://docstore.mik.ua/orelly/other/puis3rd/0596003234_puis3-chp-5-sect-4.html
In case that link breaks in the future, the most important section of the article lists the effects of setting
kern.securelevel=1:TLDR: setting
kern.securelevel=1could have more consequences than what's described in the below steps. Be careful.That said, I have tested out these steps on a regular iMac with OS X 10.10.2 and did not notice any problems as a result. In the past,
securelevel 1was the default setting for OS X, and manpages in OS X 10.10 still indirectly indicate that1is the default setting (they say you must reboot in single user mode to remove schg, which requiressecurelevel 0).However, in reality,
securelevel 0has been the default setting since OS X 10.5. When the online community learned that Apple quietly changed the default to 0, some sysadmins on Apple Discussions threads called it "unconscionable" of Apple to do this. I've also found some security guides online that say settingkern.securelevel=1is an important step to take for securing your Mac. YMMV.Answer Summary
As long as you set a firmware password on a Mac, you can make any file on that Mac unable to be deleted by anyone, just by using this simple Terminal command:
Next make sure your Mac will always boot to securelevel 1 by doing:
Once in vi editor, type
ito enter insert mode, then typekern.securelevel=1. Next hit enter, then colon, then typewqand hit enter.Lastly in Terminal type:
Now that securelevel is 1 and the
schgflag is set, the file cannot be deleted unless the system is rebooted into single user mode.If a firmware password has been set, you need that password to get into single user mode. Further you need it to get into target disk mode or change the startup disk.
With the schg flag set, even root cannot delete the file. Nobody can modify it from the Finder or Terminal. It will appear locked in the Finder, but the locked checkbox will always remain grayed out, no matter what, even with an admin password. In the Terminal,
sudo rm /path/to/filewill now fail, saying "Operation not permitted". Also,sudo SetFile -a l /path/to/filewill fail with, "ERROR: Unexpected error. (-5000)". :DTo delete this file, someone will need to use the firmware password to reboot into single user mode, then unset the schg flag using this command:
After that it can be deleted.
UPDATE: Critical Extra Steps Necessary for Answer to Work
Update added Wed. 18 Mar. 2015 ~1:20 PM PDT: it came to my attention in the comments to this answer that someone with sudo access on the system could delete the protected file by renaming the /private/etc directory, then copying all its contents except the sysctl.conf file into a new /private/etc directory, and restarting. This would cause secure level to revert to zero.
To prevent this, after performing the above steps, you should also perform the following commands:
The first command makes the /private directory and its subdirectories unable to be renamed. The second command makes the root-level symbolic link to /private/etc impossible to rename or delete. (The
-hargument makes chflags act upon the symbolic link itself, instead of acting on the target of the symbolic link.)Main Caveats
If you're on a Hackintosh or Mac Pro with an unofficial PC graphics card that has not been flashed with official Apple firmware or something functionally identical to that, this trick won't work. I am not sure if they can boot to single user mode, so if you establish the sysctl.conf file, and set it to schg, it may be like that forever. Which means any files set to schg can never be deleted.
There may be some physical ways to reset the firmware password by removing RAM or delete the file by removing the SSD/HDD and attaching to another computer.
Explanation of Answer
To set a firmware password for your Mac using the steps shown when you google, "how to set a firmware password on a mac". Briefly the steps are:
Reboot in recovery mode
Select Firmware Password Utility from the Utilities menu and set the password
...
PROFIT!
Explanation of Caveats
Note that on Macs with removable RAM, a hacker may be able to reset your firmware password by changing the amount of RAM, then clearing your PRAM a bunch of times. So on Macs like that, take appropriate physical security measures to prevent manual access to the computer's internal components.
Suffice it to say you must get to securelevel 0 for
chflags noschgto work, and normally the only way to get back to securelevel 0 is to reboot in single user mode. Again this might be impossible if your Mac lacks Apple firmware. If you're paranoid/unsure, can see your current securelevel by typingsysctl kern.securelevelin Terminal; it should always be 1 after the steps have been followed unless you're in single user mode!Further notes
As far as I know, and correct me if I'm wrong, but the only way around a firmware password (other than resetting it through the RAM removal trick) is to remove the primary hard disk or SSD from the computer in question, and access it from another computer using a SATA to USB adapter, or something similar. (Government agencies and/or Apple might have a secret, classified backdoor... but if they're after you, then you probably want to delete files, not prevent their deletion :D.)
So, technically speaking, setting schg only really solves your problem with 100% infallibility if you're on one if the newer Macs without replaceable RAM and without a replaceable hard drive (i.e. a Retina MacBook Pro, MacBook Air, etc.) and you set your EFI password, because those are the only Macs without removable RAM or a removeable SSD. (Of course if someone takes out your drive just to delete a file, again, you probably have worse problems, like, dude where's my hard drive?)
The 21.5" iMac's lack of "user-replaceable" RAM makes it a lot harder to circumvent the EFI password and steal RAM, which is probably why Apple made it that way, as it's intended heavily for use in schools where kids can and will circumvent any security measures :D (I know because in my day we used to hack right past AtEase on System 7 to play Marathon...)
On non-21.5" iMacs you can prevent the RAM-removal/firmware-password-reset trick by investing $40-50 in a Maclocks-brand lock for iMac. It goes into the security port and has a metal plate that covers up the power socket where the release for the RAM hatch is. With that physical lock in place, someone would need a diamond saw or similar to delete your schg-protected file... and if people are taking diamond saws to your computers then you have a lot worse problems to worry about than a file getting deleted, like, dude, where's my computer?