07-03-2006, 03:40 AM
#1
LQ Newbie
Registered: Jul 2006
Posts: 2
How to protect a file/directory in your home login directory (RH Linux)
I tried to protect a file owned by root (permission 555) inside my home login directory (e.g. /home/demo).
But the file can still be removed/deleted by my login account.
E.g.
user login: demo
home dir : /home/demo
Then I created a file owned by root in /home/demo with only the read and sticky bits set.
However, the file could still be removed by the 'demo' user.
I also tried changing my home dir (/home/demo) to permission 755 and owner root. But then I have problems logging into the account as the 'demo' user. It complains it does not have permission to write to files.
Any advice? Thanks.
07-03-2006, 03:56 AM
#2
Senior Member
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900
See man chattr on the 'i' flag: if you are on an ext[23] fs, then the 'i' flag should make the file immutable. Only settable by root (good).
07-03-2006, 03:59 AM
#3
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
The operation of removing, or unlinking, a file is an operation on the directory where the file is listed and not on the file itself. So the read-only attributes will not protect it unless the directory it is in has the sticky bit set. However, the owner of the directory will be able to remove the sticky bit and then remove the file. If the file is in a root-owned subdirectory, then it may be protected from deletion if both the directory and file are read-only. I don't think that the regular user can delete the directory if it isn't empty, and since the file is in a root-owned directory it is protected.
Someone else's home directory is not a good place for root to be saving files. Maybe if you explained what you are trying to do, someone could suggest another way.
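The point made in posts #2 and #3 (deleting a file is a permission check on the directory, not the file, and chattr +i is the one thing that overrides that) can be exercised directly. The script below is an added example, not code from the thread. It assumes GNU coreutils (rm, chmod, mktemp), a Linux filesystem that enforces mode bits, and optionally chattr from e2fsprogs; it uses files owned by the current user rather than root-owned ones, because the file's owner and mode are exactly what does not matter for unlink.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU coreutils, a Linux filesystem
# that enforces mode bits, and optionally chattr (e2fsprogs). Files belong to the
# current user: unlink is checked against the directory, so the file's own owner
# and mode play no part.
set -u

WORK=$(mktemp -d)
# Our own 0555 directories would block cleanup, so restore write permission first.
trap 'chmod -R u+w "$WORK" 2>/dev/null; rm -rf "$WORK"' EXIT

# try_unlink DIRMODE
# Create a read-only (0444) file inside a directory, set the directory to DIRMODE,
# then attempt to delete the file. Echoes "removed" or "denied".
# (The sticky bit, chmod +t, only matters between different uids and so cannot be
# shown with a single user; it is the same check, keyed on the file's owner.)
try_unlink() {
    d="$WORK/dir_$1"
    mkdir -p "$d"
    chmod 0755 "$d"                 # must be writable to create the file
    : > "$d/secret"
    chmod 0444 "$d/secret"          # the file itself is read-only
    chmod "$1" "$d"                 # directory mode under test (0755 vs 0555)
    if rm -f "$d/secret" 2>/dev/null; then
        echo removed
    else
        echo denied
    fi
    chmod 0755 "$d"                 # let the trap clean up
}

# immutable_demo
# chattr +i needs CAP_LINUX_IMMUTABLE (root) and a filesystem with attribute
# support. Echoes "immutable" when even root's rm is refused until -i is cleared,
# "skipped" when not root or chattr is absent, "unsupported" when +i fails.
immutable_demo() {
    f="$WORK/locked"
    : > "$f"
    if [ "$(id -u)" -ne 0 ] || ! command -v chattr >/dev/null 2>&1; then
        echo skipped
        return 0
    fi
    if ! chattr +i "$f" 2>/dev/null; then
        echo unsupported
        return 0
    fi
    if rm -f "$f" 2>/dev/null; then
        echo removed              # not expected: the kernel refuses unlink on +i
        return 0
    fi
    chattr -i "$f"                # only a CAP_LINUX_IMMUTABLE holder can clear it
    rm -f "$f"
    echo immutable
}

# When run directly:
#   writable dir:  removed   (read-only file deleted by an unprivileged owner)
#   read-only dir: denied    for an unprivileged user; root bypasses directory modes
echo "writable dir:  $(try_unlink 0755)"
echo "read-only dir: $(try_unlink 0555)"
echo "chattr +i:     $(immutable_demo)"
```

The first two lines of output are the whole of the original poster's problem: a 0444 (or 0555, or root-owned) file inside a 0755 home directory is removable by whoever owns the directory, and making the directory 0555 stops that only at the cost of making the home directory unusable. The third line is the chattr path from post #2, which works regardless of the directory mode but needs root and a filesystem that implements the attribute.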
07-03-2006, 07:47 AM
#4
Senior Member
Registered: Nov 2005
Location: Belgium
Distribution: Red Hat, Fedora
Posts: 1,515
I agree with jschiwal. It's a very bad thing to save root's files in other people's home directories.
Not only can they delete the files (unless the sticky bit on the directory is set and root owns the directory and EVERY parent up to the / directory), they can also rename or move them, thus changing permissions/ownership.
This way, any "sensitive" information (like passwords) in the file can be read by the normal user.
As jschiwal said, it really depends on what you want to do.
If you want some of your normal users to issue some commands that are typically reserved for root only, try using "sudo" (but use it wisely).
Or try using user groups with specific permissions.
07-03-2006, 07:53 AM
#5
Senior Member
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900
I guess it is for an unauthorized-access box (the demo username suggests it). So some configuration files like .bashrc are made immutable. In this case my solution with chattr +i <file> will work.
07-03-2006, 09:02 AM
#6
LQ Guru
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733
I think that you need to use ext2 or ext3 in order to use the chattr command.
Using ulimit, PAM and the permission system may be a better way of restricting what a user can do.
If you make the ~/.bashrc file immutable, for example, you prevent legitimate changes to the shell environment.
Using ulimit, PAM, and the permission system are better ways to protect the rest of the system from abuse.
07-03-2006, 09:12 AM
#7
Senior Member
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900
Quote:
Originally Posted by jschiwal
I think that you need to use ext2 or ext3 in order to use the chattr command.
Yes, as I said.
Quote:
Originally Posted by jschiwal
Using ulimit, PAM and the permission system may be a better way of restricting what a user can do.
Well, how else can I stop a user deleting a file in his own directory?
Quote:
Originally Posted by jschiwal
If you make the ~/.bashrc file immutable, for example, you prevent legitimate changes to the shell environment.
In some cases they are not legitimate: if the user is not expected, with reasonable probability, to return to this box, and the login is shared. Something with public access, maybe.
Quote:
Originally Posted by jschiwal
Using ulimit, PAM, and the permission system are better ways to protect the rest of the system from abuse.
Sometimes uniform user settings are also needed.
Really, it depends on the final purpose. I see some cases where chattr is suitable. The topic starter can say if I guessed right.
07-03-2006, 10:34 AM
#8
Senior Member
Registered: Sep 2005
Location: Out
Posts: 3,307
Quote:
Originally Posted by raskin
if you are on ext[23] fs
Also on XFS, JFS, ReiserFS, NFS, ..
07-03-2006, 10:37 AM
#9
Senior Member
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900
Couldn't say about XFS/JFS/ReiserFS: chattr doesn't claim standard conformance, and I haven't used the mentioned filesystems. For NFS it depends on the underlying FS, doesn't it?
07-04-2006, 12:08 AM
#10
LQ Newbie
Registered: Jul 2006
Posts: 2
Original Poster
Hi, thanks for the reply. I tried chattr +i <file>. It works, and only root can remove it (just run chattr -i <file> to reverse it).
It is exactly what I need. I just need to protect some files inside my authorised-user login; this is to prevent the files being accidentally removed by the user.