wokick Tux's lil' helper
Joined: 27 Sep 2004 Posts: 97
|
Posted: Fri Feb 15, 2008 7:20 pm Post subject: Make a file uneditable |
|
|
Hi,
Is there a way to make a text file uneditable even by root?
Read permission is ok.
BTW: I have the root access to the system.
|
eXt n00b
Joined: 09 Oct 2005 Posts: 66 Location: Sweden
|
Posted: Fri Feb 15, 2008 7:35 pm Post subject: |
|
|
I don't believe it is possible to set some magic attribute, but you could place the file on a separate partition, mount it read-only, and then create a symlink. Now, why would you want a file to be read-only to root?
|
linuxtuxhellsinki l33t
Joined: 15 Nov 2004 Posts: 700 Location: Hellsinki
|
Posted: Fri Feb 15, 2008 7:50 pm Post subject: |
|
|
If you use an ext2/3 filesystem then you can add the immutable flag with the "chattr" command, as you can see from this example...
Code:
hellsinki ~ # touch file
hellsinki ~ # chattr +i file
hellsinki ~ # echo blaa >> file
-su: file: Permission denied
hellsinki ~ # rm -f file
rm: cannot remove `file': Operation not permitted
_________________
1st use 'Search' & lastly add [Solved] to the subject of your first post in the thread.
|
MostAwesomeDude Guru
Joined: 12 Aug 2007 Posts: 373
|
Posted: Sat Feb 16, 2008 2:32 am Post subject: |
|
|
One of the most important things about root is that you are not forbidden from any part of the system. What is this for?
_________________
Don't believe the "n00b" under my name.
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 23070
|
Posted: Sat Feb 16, 2008 3:12 am Post subject: |
|
|
The superuser can also remove the immutable attribute. Marking a file as immutable is fine if you just want to stop a program from accidentally overwriting the file, but it will not prevent an informed superuser from modifying the file. If you need that, look into using SELinux or GRsecurity to restrict the permissions available to processes running as root.
|
padoor Advocate
Joined: 30 Dec 2005 Posts: 4185 Location: india
|
Posted: Sat Feb 16, 2008 5:21 am Post subject: |
|
|
The surest way is to put the file on a CD, so no one can overwrite it. You can mount it and use it as root/user.
_________________
reach out a little bit more to catch it (DON'T BELIEVE the advocate part under my user name)
|
linuxtuxhellsinki l33t
Joined: 15 Nov 2004 Posts: 700 Location: Hellsinki
|
Posted: Sat Feb 16, 2008 9:36 am Post subject: |
|
|
Hu wrote: | The superuser can also remove the immutable attribute. Marking a file as immutable is fine if you just want to stop a program from accidentally overwriting the file, but it will not prevent an informed superuser from modifying the file. If you need that, look into using SELinux or GRsecurity to restrict the permissions available to processes running as root. |
& superuser cannot turn 'em off
_________________
1st use 'Search' & lastly add [Solved] to the subject of your first post in the thread.
|
Hu Administrator
Joined: 06 Mar 2007 Posts: 23070
|
Posted: Sat Feb 16, 2008 4:13 pm Post subject: |
|
|
linuxtuxhellsinki wrote: | Hu wrote: | The superuser can also remove the immutable attribute. Marking a file as immutable is fine if you just want to stop a program from accidentally overwriting the file, but it will not prevent an informed superuser from modifying the file. If you need that, look into using SELinux or GRsecurity to restrict the permissions available to processes running as root. |
& superuser cannot turn 'em off |
That depends on exactly how super a superuser you mean. The goal of the various RBAC projects is that having a user id of root does not automatically give you permission to do every privileged operation on the system. For instance, the NTP daemon needs root access to change the system time, but does not need permission to rewrite /etc/passwd. An RBAC system would allow you to write a policy that enforces that separation of permission.
Even under an RBAC system, there can be an all-powerful superuser with the ability to change policy or disable the RBAC system entirely. However, it is traditional that the all-powerful superuser is used only for these tasks. No daemon should ever run in that context, and even most other system administration should not be done in that context. In such a configuration, attaining the all-powerful superuser role would require that an attacker obtain the password which protects that role, or find a privilege escalation bug in the kernel. If the right protection measures are employed, it should be possible to require that the attacker be at the system console to obtain full access. Also, it should be possible to configure an RBAC system in such a way that it is impossible to turn it off without rebooting, but this is not a common configuration.
|
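Added example, not part of the thread or any poster's code: on Linux, the "how super a superuser" question in the post above can be checked per process, because changing the flag set by chattr +i requires the CAP_LINUX_IMMUTABLE capability (number 9) rather than uid 0 alone. This goes beyond the thread, which names SELinux and GRsecurity but not capabilities; the function names and the sample masks are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Changing the flag set by `chattr +i`
# requires CAP_LINUX_IMMUTABLE (capability number 9), not merely uid 0.
CAP_LINUX_IMMUTABLE=9

# has_cap HEXMASK BIT: succeed if BIT is set in a /proc capability mask.
has_cap() {
    case $1 in ''|*[!0-9a-fA-F]*) return 2 ;; esac
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_field NAME: print the hex mask of field NAME from status text on stdin.
cap_field() {
    awk -v key="$1:" '$1 == key { print $2 }'
}

# immutable_verdict: read /proc/<pid>/status text on stdin and print
#   can-clear   capability is effective, so chattr -i would be permitted
#   regainable  not effective, but present in the permitted, inheritable or
#               bounding set, so capset or a later execve may bring it back
#   locked-out  absent from every set; capset and execve cannot restore it
immutable_verdict() {
    status=$(cat)
    if has_cap "$(printf '%s\n' "$status" | cap_field CapEff)" "$CAP_LINUX_IMMUTABLE"; then
        echo can-clear
        return 0
    fi
    for name in CapPrm CapInh CapBnd; do
        if has_cap "$(printf '%s\n' "$status" | cap_field "$name")" "$CAP_LINUX_IMMUTABLE"; then
            echo regainable
            return 0
        fi
    done
    echo locked-out
}

# Constructed samples of the Cap* lines in /proc/<pid>/status for uid 0.
ROOT_FULL='CapInh: 0000000000000000
CapPrm: 000001ffffffffff
CapEff: 000001ffffffffff
CapBnd: 000001ffffffffff'
ROOT_NO_IMMUTABLE='CapInh: 0000000000000000
CapPrm: 000001fffffffdff
CapEff: 000001fffffffdff
CapBnd: 000001fffffffdff'

printf '%s\n' "$ROOT_FULL" | immutable_verdict          # can-clear
printf '%s\n' "$ROOT_NO_IMMUTABLE" | immutable_verdict  # locked-out
```

Running `immutable_verdict < /proc/self/status` reports the verdict for the current shell.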
linuxtuxhellsinki l33t
Joined: 15 Nov 2004 Posts: 700 Location: Hellsinki
|
Posted: Sat Feb 16, 2008 4:58 pm Post subject: Re: Make a file uneditable |
|
|
wokick wrote: | BTW: I have the root access to the system. |
Yeah, I know the principles of GRsecurity and SELinux etc. but I think that those are a little bit overkill for him. And the only way to restrict root from writing to the file is what padoor suggested, burn the file to a CD and make a symbolic link to it
_________________
1st use 'Search' & lastly add [Solved] to the subject of your first post in the thread.
|
MostAwesomeDude Guru
Joined: 12 Aug 2007 Posts: 373
|
Posted: Sat Feb 16, 2008 6:24 pm Post subject: |
|
|
We still haven't heard back from the TC. Exactly why does he need this?
_________________
Don't believe the "n00b" under my name.
|