LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 07-03-2006, 03:40 AM   #1
jitsenho
LQ Newbie
 
Registered: Jul 2006
Posts: 2

Rep: Reputation: 0
Question How to protect a file/directory in your home login directory (RH Linux)


I tried to protect a file with root owner (permission 555) inside my home login directory (e.g. /home/demo).
But the file still can be removed/deleted by my login account.

E.g.
user login: demo
home dir : /home/demo
Then I create a file with root owner in /home/demo & with only read & sticky bit.
However, the file still could be removed by 'demo' user.

I also tried to change my home dir (/home/demo) permission to 755 & owned by root. But then I have problem logging into the account using 'demo' user now. It complains it does not permission to write into files.

Any advise ?? thanks.
 
Old 07-03-2006, 03:56 AM   #2
raskin
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900

Rep: Reputation: 69
man chattr on 'i' flag - if you are on ext[23] fs then 'i' flag should make file immutable. Only settable by root (good).
 
Old 07-03-2006, 03:59 AM   #3
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682Reputation: 682Reputation: 682Reputation: 682Reputation: 682Reputation: 682
The operation of removing, or unlinking a file is an operation on the directory where the file is listed and not on the file itself. So the read-only attributes will not protect it unless the directory it is has the sticky bit set. However the owner of the directory will be able to remove the sticky bit and then remove the file. If the file is in a root owned subdirectory, then it may be protected from deletion if both the directory and file are readonly. I don't think that the regular user can delete the directory if it isn't empty, and since the file is in a root owned directory it is protected.

Someone elses home directory is not a good place for root to be saving files. Maybe if you explained what you are trying to do, someone could suggest another way.
 
Old 07-03-2006, 07:47 AM   #4
timmeke
Senior Member
 
Registered: Nov 2005
Location: Belgium
Distribution: Red Hat, Fedora
Posts: 1,515

Rep: Reputation: 61
I agree with jschiwal. It's a very bad thing to save root's files in other people's home directories.
Not only can they delete the files (unless sticky bit on directory is set and root owns the directory and EVERY parent uptil the / directory), they can also rename or move them, thus changing permissions/ownership.
This way, any "sensitive" information (like passwords) in the file can be read by the normal user.

As jschiwal said, it really depends on what you want to do.
If you want some of your normal users to issue some commands that are typically reserved for root only, try using "sudo" (but use it wisely).
Or try using user groups with specific permissions.
 
Old 07-03-2006, 07:53 AM   #5
raskin
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900

Rep: Reputation: 69
I guess it is for anauthorized-access (demo username suggests it) box. So some configuration files like .bashrc are immutable. In this case my solution with chattr +i <file> will work.
 
Old 07-03-2006, 09:02 AM   #6
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682Reputation: 682Reputation: 682Reputation: 682Reputation: 682Reputation: 682
I think that you need to use ext2 or ext3 in order to use the chattr command.
Using ulimit, PAM and the permission system may be a better way of restricting what a user can do.

I you make the ~/.bashrc file immutable for example, you prevent legitimate changes to the shell environment.
Using ulimit, PAM, and the permission system are better ways to protect the rest of the system from abuse.
 
Old 07-03-2006, 09:12 AM   #7
raskin
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900

Rep: Reputation: 69
Quote:
Originally Posted by jschiwal
I think that you need to use ext2 or ext3 in order to use the chattr command.
Yes, as I said.

Quote:
Originally Posted by jschiwal
Using ulimit, PAM and the permission system may be a better way of restricting what a user can do.
Well, how can I not let user delete a file in his own directory in other way?

Quote:
Originally Posted by jschiwal
I you make the ~/.bashrc file immutable for example, you prevent legitimate changes to the shell environment.
In some cases they are not legitimate. If user is not supposed to return to this box with reasonable probability, and login is shared. Something with public access, maybe.

Quote:
Originally Posted by jschiwal
Using ulimit, PAM, and the permission system are better ways to protect the rest of the system from abuse.
Sometimes uniform user settings are also needed.
Really, it depends on final purpose.. I see some where chattr is suitable. Topic-starter can say if I guessed.
 
Old 07-03-2006, 10:34 AM   #8
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Quote:
Originally Posted by raskin
if you are on ext[23] fs
Also on XFS, JFS, ReiserFS, NFS, ..
 
Old 07-03-2006, 10:37 AM   #9
raskin
Senior Member
 
Registered: Sep 2005
Location: France
Distribution: approximately NixOS (http://nixos.org)
Posts: 1,900

Rep: Reputation: 69
Couldn't say about XFS/JFS/ReiserFS - chattr doesn't claim standard conformance, and I haven't used the mentioned filesystems. For NFS it depends on underlying FS, doesn't it?
 
Old 07-04-2006, 12:08 AM   #10
jitsenho
LQ Newbie
 
Registered: Jul 2006
Posts: 2

Original Poster
Rep: Reputation: 0
Hi thanks for the reply. i tried chattr +i <file>. It works & only the root can remove it (just need to chattr -i <file> to reverse it).
It is exactly what i need. I just need to protect some files inside my authorised-user login, this is to prevent the files being accidentally remove by the user.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
password protect a directory in Linux sailu_mvn Linux - Software 6 05-24-2006 03:20 PM
How to get home directory of a login user lucky6969b Programming 5 02-20-2006 02:46 AM
how to locate file in home directory learnfast Linux - Newbie 3 03-14-2005 08:15 AM
Protect File: how to monitor directory effectively? iclinux Programming 1 12-30-2004 04:02 AM
login error: home directory supposedly doesn't exist jmelton Linux - General 3 11-30-2003 01:42 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 03:14 AM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration