> maybe we could make it remove the flags iff you are root and *two* -f
> are given (and no -i)?  ie, make it *very* hard to shoot yourself in
> the foot, but still provide a gun, powder, bullets...

Well, I think I prefer to manually remove the immutable flag. You really
have to think about it. typing two -f seems too easy.

What about this?

if user is non root
  if no flag is set: remove file
  if uchg is set: fail
  if schg is set: fail
if user is root
  if no flag is set: remove file
  if uchg flag is set
    if -f is not used: fail
    if -f is used
      if the file is owned by root: fail
      if the file is owned by anybody else: remove uchg and remove file
  if schg flag is set: fail

-- 
Emmanuel Dreyfus
Exploring MacOS X bowels: "The more I look into this, 
the darker and scarier it becomes" (Christos Zoulas)
manu@netbsd.org