Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here. |
04-30-2006, 11:08 AM
|
#1
|
Member
Registered: Mar 2003
Posts: 178
Rep:
|
Can I use file attributes with ReiserFS
I have a Debian Sarge system set up and I tried changing a file to make it immutable. It set the flag and lsattr showed that the flag was set. However, I was able to delete the file. I noticed online some articles saying that ReiserFS was not able to use file attributes. However, I find it strange that I was able to set the option and it echoed the result. Shouldn't I have received an error saying this file system doesn't support file attributes or something? Is there a way to get file attributes with ReiserFS?
|
|
|
04-30-2006, 06:38 PM
|
#2
|
Bash Guru
Registered: Jun 2004
Location: Osaka, Japan
Distribution: Arch + Xfce
Posts: 6,852
|
ReiserFS isn't your problem. I think you've got the whole permissions concept wrong. Write permission affects whether the contents of the file can be changed, but it doesn't protect the file as a whole. For that, you need to modify the directory permissions. If the user has write permission to the directory, he can create or delete files in it.
It will make more sense if you think of a directory not as a container, but as a file itself, one that contains a list of other files inside it. Only someone who can modify that list can add or remove entries (files) from it.
|
|
|
04-30-2006, 10:54 PM
|
#3
|
Member
Registered: Mar 2003
Posts: 178
Original Poster
Rep:
|
Reply
Unless I'm mistaken, the immutable tag overrides folder options on the file. I've used it in the past and I'm almost positive it works this way. In fact, I have a copy of Hardening Linux in front of me and here are their test instructions:
# touch log
# chattr +a log
# lsattr
# -----a------- ./log
This obviously is a file having the append-only option applied. If it didn't work, by itself, it would serve no purpose. Unfortunately, I don't have a box with an ext3 filesystem so I can't test my theory right now.
|
|
|
05-01-2006, 06:39 AM
|
#4
|
Bash Guru
Registered: Jun 2004
Location: Osaka, Japan
Distribution: Arch + Xfce
Posts: 6,852
|
Ok, maybe I misunderstood, sorry. Is this one of the advanced permission tags that most people don't use or something? Perhaps ReiserFS doesn't support those. I'm no expert on Linux security.
(I've got to start paying more attention to which forum the 0-Reply threads are in before I reply.)
|
|
|
05-01-2006, 07:05 AM
|
#5
|
Member
Registered: Mar 2003
Posts: 178
Original Poster
Rep:
|
Reply
Yeah, they are. I just reinstalled my Debian system (using an ext3 filesystem this time) and now they work.
For a hardened system they're great. They can make it impossible for people to modify or delete log files; however, they can still be appended to. You can use them on files you want to make sure can never change. There are quite a few switches. The thing about them is, even though files become immutable by even root, all you have to do is shut off the flag and you can then delete them. However, you can download the lcap utility which lets you change some kernel options so that you can disable certain flags. Even though you can no longer set a flag, any flags already set are honored. Once the lcap shuts off a flag it cannot be turned on or used again until you reboot the system. What you can do though is create a script which sets it to automatically disable the flags on every boot so you can then have files that can never be deleted or modified. I set it to auto start on all runlevels with networking enabled. This way you have a back door into your system if you need it. BSD uses a similar method called secure levels. I'd recommend setting it on log files. You can use the append flag and the files can be added to but never modified or deleted. If an attacker gets into your system they can't remove their tracks, which might scare them off before they do any damage. To make sure an attacker can't disable the script and reboot the system you can even use the switch on the script before you turn it off. This also gives you the comfort of knowing certain files haven't been compromised and can't be. If used well it's a good security tool.
Last edited by HGeneAnthony; 05-01-2006 at 07:11 AM.
|
|
|
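The two checks this thread turns on, written as an added example (not code from any poster or from the book quoted above): whether a filesystem actually enforces a flag that `lsattr` displays, and whether the capability needed to clear `+a`/`+i` is still in the capability bounding set. The function names are hypothetical; `CAP_LINUX_IMMUTABLE` is capability bit 9, and the bounding set is read from the `CapBnd` line of `/proc/self/status`.

```shell
#!/bin/sh
# Added example (not from the thread): audit chattr flags on log files.
CAP_LINUX_IMMUTABLE=9   # bit number defined in linux/capability.h

# Read lsattr output on stdin; print every path whose flag field lacks
# the letter $1 ("a" = append-only, "i" = immutable).
missing_flag() {
    while read -r mf_flags mf_path; do
        case $mf_flags in
            *"$1"*) ;;
            *) printf '%s\n' "$mf_path" ;;
        esac
    done
}

# Succeed if bit $2 is set in the hex capability mask $1, the format of
# the CapBnd line in /proc/self/status.
cap_in_mask() {
    [ "$(( (0x$1 >> $2) & 1 ))" -eq 1 ]
}

# Succeed if CAP_LINUX_IMMUTABLE is still in this process's bounding
# set, meaning a root process started from here can clear +a/+i.
flags_still_clearable() {
    cap_in_mask "$(awk '/^CapBnd:/ {print $2}' /proc/self/status)" \
        "$CAP_LINUX_IMMUTABLE"
}

# Behavioural probe for the symptom in post #1: the flag is accepted and
# displayed but not enforced. Run as root; $1 is a directory on the
# filesystem under test. Returns 0 = enforced, 1 = not enforced,
# 2 = probe could not run (no privilege or no attribute support).
immutable_enforced() {
    ie_probe=$(mktemp "$1/chattr-probe.XXXXXX") || return 2
    if ! chattr +i "$ie_probe" 2>/dev/null; then
        rm -f "$ie_probe"
        return 2
    fi
    if rm -f "$ie_probe" 2>/dev/null; then
        return 1    # delete succeeded despite +i
    fi
    chattr -i "$ie_probe" && rm -f "$ie_probe"
    return 0
}
```

Typical use is `lsattr /var/log | missing_flag a` to list logs that are not append-only, then `flags_still_clearable` to see whether a root process could still remove the flags that are set.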