bom-safety.py applies the protections
bom-unsafety.py reverses the whole process
The safety script does basically the following:
* Set the sticky bit on /Library/Receipts
* Set the sticky bit on the paths down to each of the critical BOMs
* Unset the group-write bit on the critical BOMs
* Create root-owned 0-length placeholders for critical BOMs/paths
that don't exist
* Back up /Library/Receipts/BaseSystem.pkg/Contents/Archive.bom
* Make a 1-bit change to
/Library/Receipts/BaseSystem.pkg/Contents/Archive.bom that causes
"repair permissions" to keep the sticky bit set on /Library/Receipts
rather than removing it.
* Print a completed message
--
wac
Bear in mind that the permissions might get nobbled again if you
install Xcode Tools, X11 or anything which changes the "magic" BOMs.
-- Finlay
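
An added example, not part of either post and not code from bom-safety.py: a read-only check that the protections listed above are still in place, for re-running after an install that may have reset them. The function name, its parameters and the finding strings are assumptions of this example. The only BOM path taken from the post is BaseSystem.pkg/Contents/Archive.bom; the rest of the "critical" list is not given there.

```python
import os
import stat

# The only BOM path the post names; the rest of the "critical" list is not
# given there, so callers pass their own (assumption of this example).
BASESYSTEM_BOM = "BaseSystem.pkg/Contents/Archive.bom"


def audit_receipts(root="/Library/Receipts", boms=(BASESYSTEM_BOM,), owner_uid=0):
    """Return [(path, problem), ...]; an empty list means the protections hold."""
    findings = []
    checked_dirs = set()
    for rel in boms:
        parts = rel.split("/")
        # The receipts root plus every directory on the way down to the BOM.
        dirs = [os.path.join(root, *parts[:i]) for i in range(len(parts))]
        for d in dirs:
            if d in checked_dirs:
                continue
            checked_dirs.add(d)
            try:
                mode = os.lstat(d).st_mode
            except (FileNotFoundError, NotADirectoryError):
                findings.append((d, "missing"))
                continue
            if not stat.S_ISDIR(mode):
                # Also catches a symlink swapped in for a directory (lstat).
                findings.append((d, "not a directory"))
            elif not mode & stat.S_ISVTX:
                findings.append((d, "sticky bit not set"))
        bom = os.path.join(root, *parts)
        try:
            st = os.lstat(bom)
        except (FileNotFoundError, NotADirectoryError):
            findings.append((bom, "missing"))
            continue
        if st.st_mode & stat.S_IWGRP:
            findings.append((bom, "group-writable"))
        if st.st_uid != owner_uid:
            findings.append((bom, "not owned by uid %d" % owner_uid))
    return findings


if __name__ == "__main__":
    for path, problem in audit_receipts():
        print("%s: %s" % (path, problem))
```

It only reads file metadata with lstat and changes nothing, so it can be run as an unprivileged user.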