ESXi 7.X file permissions - how to buypass new security measures

Solution 1:

As already stated by Chopper3, you really shouldn't, by design, run anything except ESXi on a vSphere host. And this new security measure is just in line with that, as locking down the filesystem gives tremendous security improvements.

Also, keep in mind that in a lot of larger environments ESXi might not even have persistent storage, as hosts are PXE booted over the network with ESXi and just keep what they need in RAM.

The way forward regarding this is to use PowerCLI as you've already identified.

Solution 2:

I agree with the other contributions about not doing anything "inside" ESXi, but manage it remotely with the supported tools like PowerCLI.

However, I also want to help you with your original question: Even in ESXi 7.0 some files can still be edited, e.g. /etc/rc.local.d/local.sh. This script will be executed by /etc/rc.local, so you can add your commands there.

You just need to be aware that this script will not be executed if you have UEFI Secure boot enabled on your host.