LinuxQuestions.org
Old 05-11-2009, 04:22 AM   #1
senseproof
Member
 
Registered: May 2009
Distribution: Fedora 10
Posts: 31
Blog Entries: 5

Rep: Reputation: 16
Make a file as difficult to change as possible, even for root.


Hello

This is a strange one. I want to make a file as difficult to change as possible, even for myself. Why? Because I keep changing it even though I know I shouldn't and the result is always bad.

The appropriate place to apply this bugfix is between the keyboard and the chair but that code is so broken generating a patch file would be a nightmare.

What can I do beyond
Code:
chattr +i /the/file
and mounting it on a separate read-only partition that will make it as hard for me to change it as possible? It doesn't matter if it's possible to change it with huge effort, but it would be nice if it could be made to take at least 30 minutes' effort to undo all the restrictions. All suggestions welcome.
 
Old 05-11-2009, 06:21 AM   #2
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,042

Rep: Reputation: 761
You could write a daemon that monitors that file and triggers a cattle prod if any attempt to change it is made; hook the cattle prod to the chair seat and there you go...

Other than that, nope, not much else you can do -- just remember that if your head hurts, stop banging it against the wall, eh?
 
Old 05-11-2009, 06:32 AM   #3
bsdunix
Senior Member
 
Registered: May 2006
Distribution: Caldera, CTOS, Debian, FreeBSD, Mac OS X, Mandrake, Minix, OpenBSD, Slackware, SuSE
Posts: 1,757

Rep: Reputation: 79
Not knowing what the file is, copy it to a CDFS, delete the original on the hard drive, and mount the read-only CDFS. Of course this doesn't prevent the PEBKAC from abusing the CDFS.
 
Old 05-11-2009, 07:58 AM   #4
pierre2
Member
 
Registered: May 2009
Location: Perth, AU
Distribution: LinuxMint
Posts: 336
Blog Entries: 7

Rep: Reputation: 73
chattr +i /the/file

should work - providing you don't

chattr +a /the/file

But you wouldn't do something like that, would you?????
 
Old 05-11-2009, 12:13 PM   #5
sarin
Member
 
Registered: May 2001
Location: India, Kerala, Thrissur
Distribution: FC 7-10
Posts: 354
Blog Entries: 2

Rep: Reputation: 34
Why don't you just turn on version control for this file? Maybe you can use git or a similar tool. This way, you will always get back your original file.

And, here is a weird way to make it read-only. Write a kernel module which will create a /proc entry. Make the read function return the contents of the file and do not provide write support. Compile and insert module. Edit your init scripts to bind the /proc folder to the folder where your file is currently present or create appropriate sym links.
 
Old 05-11-2009, 05:37 PM   #6
senseproof
Member
 
Registered: May 2009
Distribution: Fedora 10
Posts: 31
Blog Entries: 5

Original Poster
Rep: Reputation: 16
Quote:
Originally Posted by sarin View Post
And, here is a weird way to make it read-only. Write a kernel module which will create a /proc entry. Make the read function return the contents of the file and do not provide write support. Compile and insert module. Edit your init scripts to bind the /proc folder to the folder where your file is currently present or create appropriate sym links.
Genius! Compile it statically into the kernel! That should do it so long as I clean up after the build. Very cool solution.
 
  


Tags
chattr, immutable

