
aggrishabh 01-20-2011 10:48 AM

How to restrict root user to delete a file or directories
 
Hi,

Is there any way we can restrict root from deleting a file/directories, and what are extended file attributes?

Can someone please suggest a good book for system administration concepts which contains concepts like the above?

corp769 01-20-2011 10:57 AM

Not really, because root is the main administrator account. If you are so worried about files or folders being deleted as root, I would recommend moving them to another storage location, such as a portable hard drive or flash drive.

druuna 01-20-2011 11:13 AM

Hi,

You can restrict but not stop root from deleting files/directories.

Using chattr you can make files/dirs immutable, which will render rm etc. useless (also true for root). But as stated by corp769, root can use chattr to undo the changes and afterwards is able to remove those files and dirs.

For root, using chattr would be an extra layer, which would at least prevent accidental removal/change.

Anyway: chattr +i file to set the immutable flag and chattr -i file to remove it. Do have a look at the chattr and lsattr man pages.

Hope this helps.
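
The check below is an added example, not part of druuna's post: since root can clear the flag again with chattr -i, it reads lsattr output and reports entries that do not carry the immutable flag. The sample listing and all function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: find entries in an lsattr listing that lack the immutable flag.

# Constructed sample of `lsattr -d` output: attribute field, one space, path.
sample_lsattr() {
    cat <<'EOF'
----i---------e------- /etc/resolv.conf
--------------e------- /etc/passwd
-----a--------e------- /var/log/audit.log
----i---------e------- /srv/key files/master.key
--------------e----I-- /srv/data
EOF
}

# Read lsattr-format lines on stdin and print each path whose attribute
# field has no lowercase 'i'. 'a' (append-only) and 'I' (indexed directory)
# are different attributes and do not count.
missing_immutable() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        flags=${line%% *}   # everything before the first space
        path=${line#* }     # the rest; the path may contain spaces
        case $flags in
            *i*) ;;
            *)   printf '%s\n' "$path" ;;
        esac
    done
}

# Succeed only if every listed entry is immutable; otherwise name the gaps.
check_baseline() {
    missing=$(missing_immutable)
    if [ -z "$missing" ]; then
        return 0
    fi
    printf '%s\n' "$missing" | sed 's/^/immutable flag not set: /'
    return 1
}

# Hypothetical wrapper for real use: audit_paths /etc/resolv.conf /srv/keys
audit_paths() {
    lsattr -d "$@" | check_baseline
}
```

Run from cron or a monitoring agent, a non-zero exit from audit_paths shows that a flag expected on a protected path is missing.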

corp769 01-20-2011 11:22 AM

Yeah you could definitely do that, but as you said man, root would easily remove the flag, so setting the +i flag would technically be pointless.

druuna 01-20-2011 11:31 AM

Hi,
Quote:

Originally Posted by corp769 (Post 4231843)
Yeah you could definitely do that, but as you said man, root would easily remove the flag, so setting the +i flag would technically be pointless.

That depends. From a security point of view: You are 100% correct. If, on the other hand, you want to protect your files from accidental changes (including removal), it could be useful.

I've worked on proprietary Unix machines where just about everything had to be done as root user, certain key files and directories were made immutable just to make sure they were not accidentally removed. This was done after a tested script removed a big chunk of files and directories (script was tested, but this bug wasn't noticed/tested).

So making files/dirs immutable has its uses, even for the root user.

unSpawn 01-20-2011 12:11 PM

One should be able to stop root from deleting certain files and directories using a SELinux MLS policy.
I doubt you'll find a ready to use drop-in policy example for that on the 'net though.

ashwinipatankar 01-20-2011 12:21 PM

You can encrypt your home directory, that's all you can do, as in Ubuntu. Try to explore the same thing in your distribution also, and let us know before marking this post as [solved].

corp769 01-20-2011 04:55 PM

Quote:

Originally Posted by druuna (Post 4231855)
Hi,
That depends. From a security point of view: You are 100% correct. If, on the other hand, you want to protect your files from accidental changes (including removal), it could be useful.

I've worked on proprietary Unix machines where just about everything had to be done as root user, certain key files and directories were made immutable just to make sure they were not accidentally removed. This was done after a tested script removed a big chunk of files and directories (script was tested, but this bug wasn't noticed/tested).

So making files/dirs immutable has its uses, even for the root user.

I do see your point man, but for me, security comes first.

TobiSGD 01-20-2011 06:55 PM

Root can do on your machine what he wants, because he is root. If you restrict him, he will be able to remove restriction.
I think this is the wrong approach to security. In the first place I would ask myself why I have a root that must be restricted. If you can't trust your root then fire him (but change his password before telling him).

lazlow 01-20-2011 07:05 PM

For day to day operations one should not need to be root. You create a user with just enough permissions to do your day to day work and use it. On those rare occasions when you really must be root, then su - into it.

If you cannot trust your root user, get rid of him ASAP. It will take him no time at all to Fubar your system if he so wishes. Remember he can see (read) anything on any user's account (email, etc). It is really easy to create (and bury) a cron job that checks to see if root (the bad guy) has checked in this week and if not delete/erase random parts of the HD (much worse than if he would delete everything and virtually impossible to find without doing a clean install).

snowday 01-20-2011 07:38 PM

"sudo" is a good tool for giving users restricted root-like privileges for certain tasks. Different users can have different rights as defined in /etc/sudoers so for example you could allow a user to perform limited administration tasks but not to delete system files or directories.

http://en.wikipedia.org/wiki/Sudo

Tinkster 01-20-2011 10:30 PM

Quote:

Originally Posted by unSpawn (Post 4231900)
One should be able to stop root from deleting certain files and directories using a SELinux MLS policy.
I doubt you'll find a ready to use drop-in policy example for that on the 'net though.

But how do you stop root from temporarily disabling SELinux?



Cheers,
Tink

unSpawn 01-22-2011 08:50 AM

Quote:

Originally Posted by Tinkster (Post 4232465)
But how do you stop root from temporarily disabling SELinux?

Maybe it's possible to patch/config that out at kernel compile time like you would do with say a GRSecurity-enabled kernel?

