Making a file read only in guest os through host os or hypervisor
Hello,
I want to make a simple file (like a text file) accessible to the GUEST OS (the root user of the guest) READ ONLY, but not from the GUEST.
The file should be made READ ONLY by the HYPERVISOR or HOST.
The GUEST should NOT be able to change the READ/WRITE PERMISSIONS of the file.
The possible places for the file are GUEST space, HOST space, common/shared space or HYPERVISOR space. Especially, I am looking at a file residing on the guest.
I am especially looking for this scenario:
The file resides on the GUEST. The HYPERVISOR or HOST makes the file READ ONLY so that the GUEST is NOT able to WRITE to the file. The GUEST is NOT able to change the READ/WRITE PERMISSIONS of the file.
How can I implement this or a similar scenario in Linux virtualization?
Firstly, why do you want to do that? Secondly, what is the logic behind that? Lastly, it is not possible. Why? Here is the answer:
I am breaking down the query you posted:
Quote:
The file resides on the GUEST. The HYPERVISOR or HOST makes the file READ ONLY so that the GUEST is NOT able to WRITE to the file. The GUEST is NOT able to change the READ/WRITE PERMISSIONS of the file.
1. The file resides on the GUEST: Now, if a file resides on the guest, then basically it will be owned by someone on that system. Here I am not considering any type of sharing. If you are thinking about sharing a file from the HOST or HYPERVISOR, then the file practically doesn't belong to or reside on the GUEST. So in simple terms, when you say "The file resides on GUEST", it is a file local to the guest. If it is a local file on the guest, then root or any other user who owns it will have full control over it.
If you are thinking about an LDAP user creating a local file, then also the root of the guest system will have full rights to remove or modify it, because it belongs to the system.
2. The HYPERVISOR or HOST makes the file READ ONLY so that the GUEST is NOT able to WRITE to the file: Yes, the HYPERVISOR or HOST can make the file READ ONLY, but again, as mentioned in point 1, root on the GUEST system will have full access to it.
3. The GUEST is NOT able to change the READ/WRITE PERMISSIONS of the file: Taking points 1 and 2 into consideration, this automatically becomes impossible.
The reason I asked you what the logic or reason behind this setup is: it is something like your neighbour putting something in your home forcefully and you not being allowed to do anything about it. It is possible in the scenario wherein you are threatened with consequences in case you mess with it. Otherwise, you have full right to throw it out of your home.
We need this for our academic project in the security domain. Any alternative if the file location is changed?
Quote:
Originally Posted by T3RM1NVT0R
Firstly, why do you want to do that? Secondly, what is the logic behind that? Lastly, it is not possible. Why? Here is the answer:
I am breaking down the query you posted:
1. The file resides on the GUEST: Now, if a file resides on the guest, then basically it will be owned by someone on that system. Here I am not considering any type of sharing. If you are thinking about sharing a file from the HOST or HYPERVISOR, then the file practically doesn't belong to or reside on the GUEST. So in simple terms, when you say "The file resides on GUEST", it is a file local to the guest. If it is a local file on the guest, then root or any other user who owns it will have full control over it.
If you are thinking about an LDAP user creating a local file, then also the root of the guest system will have full rights to remove or modify it, because it belongs to the system.
2. The HYPERVISOR or HOST makes the file READ ONLY so that the GUEST is NOT able to WRITE to the file: Yes, the HYPERVISOR or HOST can make the file READ ONLY, but again, as mentioned in point 1, root on the GUEST system will have full access to it.
3. The GUEST is NOT able to change the READ/WRITE PERMISSIONS of the file: Taking points 1 and 2 into consideration, this automatically becomes impossible.
The reason I asked you what the logic or reason behind this setup is: it is something like your neighbour putting something in your home forcefully and you not being allowed to do anything about it. It is possible in the scenario wherein you are threatened with consequences in case you mess with it. Otherwise, you have full right to throw it out of your home.
Hey,
Thanks for your answer.
1. You asked why we need this.
We are doing a project in the domain of virtualization and rootkits. We want to demonstrate a scenario in which a rootkit (actually a shell script) having rootkit access, present in the GUEST, is not able to write to a file present in the GUEST because the file is made write-protected from outside the GUEST (HOST or HYPERVISOR).
2. What is the logic behind it?
Actually, we don't have any certain logic to achieve that yet, but we are looking for the same.
I suppose the hypervisor can observe the activities of the GUEST.
Now, can the hypervisor trace calls or accesses (WRITE ACCESS particularly) to a particular file residing only in the GUEST?
According to you, the hypervisor is not able to block the GUEST from accessing (for WRITE) a file owned by the GUEST only.
3. You concluded it's not possible to restrict the GUEST from writing a file owned by the GUEST only through the HYPERVISOR or HOST.
What if the file resides in HOST or HYPERVISOR space or SHARED space? Then can the HOST or HYPERVISOR make the file READ ONLY to the GUEST? How do I achieve this?
As I mentioned in point 1 of my post, you said the file should reside on the GUEST. When we say it should reside on the GUEST, we are talking about a local file, not a shared file. A shared file is not practically located on the GUEST; instead it is made accessible to the GUEST. That is the reason I mentioned, while replying, that I am not taking shared files into consideration.
Quote:
3. You concluded it's not possible to restrict the GUEST from writing a file owned by the GUEST only through the HYPERVISOR or HOST.
What if the file resides in HOST or HYPERVISOR space or SHARED space? Then can the HOST or HYPERVISOR make the file READ ONLY to the GUEST? How do I achieve this?
Definitely possible. When you share a file over the network or between HOST and GUEST, the HOST has full authority to make it read only. Usually file sharing is done via NFS or Samba (even between HOST and GUEST). Here I am talking about KVM or a Linux-based hypervisor; I have no idea how it will work with ESXi or with Hyper-V.
Last edited by T3RM1NVT0R; 03-28-2015 at 12:11 PM.
If you give the guest write access to the block device a file system is on, you are giving that guest system write access to everything in that filesystem. This is a big security thing to think about, unless YOU control the guest OS.
If you want it the other way around, for the guest to be able to write but for the host NOT to be able to, then you have to have that file flagged that way, and no filesystem does that. Though you MAY be able to get NFS to do it.
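Both the NFS answer above and the block-device point can be checked from the host side, which is where the restriction actually has to be enforced. The following is an added example, not code from anyone in this thread: a Python audit over a constructed libvirt domain XML and a constructed /etc/exports that lists every disk, 9p share or NFS export the guest could still write to. The libvirt <readonly/> element and the exportfs rw/ro options are real; the image paths, share names and client range are made-up sample values.

```python
# Added example, not from the thread: audit what a KVM guest can write to. All inputs are constructed samples.
import re
import xml.etree.ElementTree as ET

# Constructed libvirt domain XML: the root disk is writable, the 9p share
# 'policy' carries <readonly/>, the share 'scratch' does not.
DOMAIN_XML = """<domain type='kvm'>
  <devices>
    <disk type='file' device='disk'>
      <source file='/var/lib/libvirt/images/guest1.qcow2'/>
      <target dev='vda' bus='virtio'/>
    </disk>
    <filesystem type='mount' accessmode='mapped'>
      <source dir='/srv/guest1/policy'/>
      <target dir='policy'/>
      <readonly/>
    </filesystem>
    <filesystem type='mount' accessmode='mapped'>
      <source dir='/srv/guest1/scratch'/>
      <target dir='scratch'/>
    </filesystem>
  </devices>
</domain>"""

# Constructed /etc/exports: one read-only and one read-write export.
EXPORTS = """/srv/nfs/policy  192.168.122.0/24(ro,sync,no_subtree_check)
/srv/nfs/shared  192.168.122.0/24(rw,sync,no_subtree_check)
"""

def writable_libvirt_storage(domain_xml):
    """Host paths of disks and shares the guest may write to. <readonly/> is
    enforced on the host side of the device, so guest root cannot chmod past it."""
    root = ET.fromstring(domain_xml)
    writable = []
    for dev in root.iter():
        if dev.tag in ("disk", "filesystem") and dev.find("readonly") is None:
            src = dev.find("source")
            writable.append(src.get("file") or src.get("dir") or src.get("dev"))
    return writable

def writable_nfs_exports(exports_text):
    """(path, client) pairs exported with rw; exportfs defaults to ro."""
    rw = []
    for line in exports_text.splitlines():
        m = re.match(r"^(\S+)\s+(\S+?)\((.*?)\)", line)
        if m and "rw" in m.group(3).split(","):
            rw.append((m.group(1), m.group(2)))
    return rw
if __name__ == "__main__":
    print(writable_libvirt_storage(DOMAIN_XML), writable_nfs_exports(EXPORTS))
```

Anything the audit lists is storage where guest root can write regardless of file permissions; anything it omits is read-only because the host refuses the write, not because the guest agreed to it.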