LinuxQuestions.org


Rohit_4739 04-06-2012 04:05 PM

Preventing root from writing the files
 
Hello,

Here is my question. I have created a group directory named "test" and set the ownership of this directory to the group named testers and no particular user. Now I wanted only members of the group "testers" to be able to edit files created in this directory, and no other user, not even root.

I gave appropriate permissions of 2070 to this directory and assigned ownership as "nobody.testers". Now, to prevent the files from being modified by root, I set the immutable bit on the file using the "chattr +i" command. But this makes the file unmodifiable by any user, not even by members of the group testers.

So could you please let me know how I can make this work, by which I mean that only group members should be able to modify the files and no one else, not even root.

Thanks.

Didier Spaier 04-06-2012 04:18 PM

Hello,

AFAIK there is no way to get this behaviour in Linux, as root has all permissions by design.

But maybe I am wrong, in which case I would be pleased to know how to get this solved.

jefro 04-06-2012 07:50 PM

Then see if you can change it as root.

jschiwal 04-06-2012 08:07 PM

Here is something similar if you didn't want the not-root owner to be able to edit or read the file:
Code:

----rw-r-- 1 jschiwal jschiwal 9334 Apr  6 19:58 testfile2
The owner will not be able to read or write the file even though group permissions allow it.
However the owner could use chmod to enable permissions.

To restrict root access, you would need to use SELinux restrictions. The root user however could change these restrictions as well. It is better to control who has root access, and have policies on how they use it.
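The two listings discussed so far (Rohit's 2070 directory owned by nobody:testers, and jschiwal's "----rw-r--" file) both come down to how the kernel's discretionary access check picks exactly one permission class and how root sidesteps it. The following is an added example, not code from any post in this thread: it parses ls-style mode strings and emulates that check, with root modelled as holding CAP_DAC_OVERRIDE. The uids and gids are constructed sample values; the immutable attribute is deliberately not modelled, since it is enforced outside DAC and applies to every uid, which is exactly why it blocked the group members too.

```python
import stat

# Added example (not from the thread): emulate the kernel's discretionary access
# control (DAC) decision so the thread's two cases can be checked side by side.
# All uids/gids below are constructed sample values.

LS_BITS = [stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR,
           stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP,
           stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH]
LS_SPECIAL = {2: stat.S_ISUID, 5: stat.S_ISGID, 8: stat.S_ISVTX}
PERM_BIT = {'r': 4, 'w': 2, 'x': 1}


def parse_ls_mode(mode_str):
    """Turn an ls(1) mode string such as '----rw-r--' into numeric mode bits.
    The first character is the file type and is ignored; s/S/t/T in the
    execute columns encode setuid, setgid and sticky."""
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character ls mode string")
    mode = 0
    for i, ch in enumerate(mode_str[1:]):
        if ch == '-':
            continue
        if ch in 'rwx':
            mode |= LS_BITS[i]
        elif ch in 'sStT' and i in LS_SPECIAL:
            mode |= LS_SPECIAL[i]
            if ch in 'st':          # lowercase means the x bit is also set
                mode |= LS_BITS[i]
        else:
            raise ValueError(f"unexpected character {ch!r} at column {i + 1}")
    return mode


def permission_class(owner_uid, owner_gid, uid, gids):
    """Exactly one class applies, tested in this order: owner, group, other.
    This is why an owner whose class is 0 is denied even when the group bits allow."""
    if uid == owner_uid:
        return 'owner'
    if owner_gid in gids:
        return 'group'
    return 'other'


def dac_allows(mode, owner_uid, owner_gid, uid, gids, want):
    """Return True if the DAC check grants every permission in `want` ('r','w','x').
    Root (uid 0) is modelled as holding CAP_DAC_OVERRIDE: read and write are
    always granted, execute needs at least one x bit set somewhere."""
    if uid == 0:
        any_x = mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)
        return all(c != 'x' or bool(any_x) for c in want)
    cls = permission_class(owner_uid, owner_gid, uid, gids)
    shift = {'owner': 6, 'group': 3, 'other': 0}[cls]
    need = 0
    for c in want:
        need |= PERM_BIT[c]
    return ((mode >> shift) & need) == need


# Constructed identities used in the scenarios below.
ROOT, JSCHIWAL, MEMBER, OUTSIDER, NOBODY = 0, 1000, 1001, 1005, 65534
GID_JSCHIWAL, GID_TESTERS = 1000, 1002


def thread_scenarios():
    """The two cases discussed in the thread, evaluated with dac_allows."""
    f = parse_ls_mode('----rw-r--')   # jschiwal's file, owned jschiwal:jschiwal
    d = int('2070', 8)                # Rohit's directory, owned nobody:testers
    return {
        'owner_read_own_file': dac_allows(f, JSCHIWAL, GID_JSCHIWAL, JSCHIWAL, {GID_JSCHIWAL}, 'r'),
        'group_member_rw_file': dac_allows(f, JSCHIWAL, GID_JSCHIWAL, MEMBER, {GID_JSCHIWAL}, 'rw'),
        'root_write_file': dac_allows(f, JSCHIWAL, GID_JSCHIWAL, ROOT, {0}, 'w'),
        'tester_rwx_dir': dac_allows(d, NOBODY, GID_TESTERS, MEMBER, {GID_TESTERS}, 'rwx'),
        'nobody_write_dir': dac_allows(d, NOBODY, GID_TESTERS, NOBODY, {NOBODY}, 'w'),
        'outsider_read_dir': dac_allows(d, NOBODY, GID_TESTERS, OUTSIDER, {OUTSIDER}, 'r'),
        'root_write_dir': dac_allows(d, NOBODY, GID_TESTERS, ROOT, {0}, 'wx'),
    }


if __name__ == '__main__':
    for name, ok in thread_scenarios().items():
        print(f"{name:24s} {'allowed' if ok else 'denied'}")
```

Running it shows the owner of "----rw-r--" denied read while a group member gets read and write, the testers member granted rwx on the 2070 directory while nobody and an outsider are denied, and root allowed in every case. The root branch is the whole point of the thread: no arrangement of mode bits alters it.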

Rohit_4739 04-07-2012 02:51 AM

Quote:

Originally Posted by jschiwal (Post 4646797)
Here is something similar if you didn't want the not-root owner to be able to edit or read the file:
Code:

----rw-r-- 1 jschiwal jschiwal 9334 Apr  6 19:58 testfile2
The owner will not be able to read or write the file even though group permissions allow it. This is the case for
However the owner could use chmod to enable permissions.

To restrict root access, you would need to use selinux restrictions. The root user however could change these restrictions as well. It is better to control who has root access, and have policies on how they use it.

Hi jschiwal,

Thanks for the answer; however, my question is that I do not want root to be able to edit the file, but the file owner should be. Let's take the example file you mentioned:
Quote:

----rwx--- 1 nobody testers 9334 Apr 6 19:58 testfile2
Now in such a case I would want only the members of group testers to do write operations on file testfile2; other than that, no one should be able to do that, not even root. So is it possible in the first place? If yes, then how? As I mentioned, I tried setting the immutable bit on the file, but that prevents everyone from modifying the file.

Thanks

Rohit_4739 04-07-2012 02:56 AM

Quote:

Originally Posted by jefro (Post 4646787)
Then see if you can change it as root.

No, I cannot change the file if I set the immutable bit on it, but in that case even the file owner is unable to modify the file. Anyway, thanks for the reply.

Rohit_4739 04-07-2012 02:59 AM

Quote:

Originally Posted by Didier Spaier (Post 4646708)
Hello,

AFAIK there is no way to get this behaviour in Linux, as root has all permissions by design.

But maybe I am wrong, in which case I would be pleased to know how to get this solved.

Thanks Didier,

Yeah, to me also it seems that it could not be possible; however, I saw this in one of the older Red Hat exam questions, so I thought of giving it a shot but couldn't do it, so I posted here to see if it could be done.

Thanks

BlackRider 04-07-2012 06:50 AM

Applying such fine-grained permissions requires heavy work and modification of the system.

You can try the GRSecurity kernel patch. Other advanced access control systems should work too. I haven't used GRSecurity in a while, and I think it would present some problems in this scenario, so please check it out by yourself.

chrism01 04-13-2012 01:05 AM

Quote:

The root user however could change these restrictions as well
from jschiwal is key here.
In *nix, root is all-powerful, i.e. even if you fix it so he/she can't trivially edit a file, they can always undo your restrictions.
The only way to prevent it is to encrypt the file and keep the encryption key off the system.

jschiwal 04-13-2012 01:06 PM

I should have added "after a reboot".
Are you concerned with a normal admin, or someone breaking in and gaining root access?

You could record the hashes of the files and store the list also offline, to be assured files weren't modified. Git has cryptographic safeguards. Maybe you could run a git repository instead of a shared directory.
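Since nothing on the box can keep root out, the thread ends on detection: record file hashes, keep the list off the system, and compare later. The following is an added example, not from any post in this thread, of what that comparison looks like. It builds a manifest of SHA-256 digests for a directory tree, then reports files that were modified, removed or added relative to a manifest that is assumed to have been stored somewhere root on this host cannot reach. The files and edits in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# Added example (not from the thread): tamper detection via an offline hash manifest.


def build_manifest(root, algo='sha256'):
    """Walk `root` and return {relative_path: hex digest} for every regular file.
    Symlinks are skipped so a link pointing elsewhere cannot stand in for a file."""
    root = Path(root)
    manifest = {}
    for path in sorted(p for p in root.rglob('*') if p.is_file() and not p.is_symlink()):
        h = hashlib.new(algo)
        with open(path, 'rb') as f:
            for chunk in iter(lambda: f.read(65536), b''):
                h.update(chunk)
        manifest[path.relative_to(root).as_posix()] = h.hexdigest()
    return manifest


def verify_manifest(root, manifest, algo='sha256'):
    """Compare the live tree against a manifest kept off the host.
    Returns sorted lists of paths that were modified, are missing, or were added."""
    current = build_manifest(root, algo)
    return {
        'modified': sorted(p for p in manifest if p in current and current[p] != manifest[p]),
        'missing': sorted(p for p in manifest if p not in current),
        'added': sorted(p for p in current if p not in manifest),
    }


def demo():
    """Constructed scenario: a shared directory is snapshotted, then someone with
    root rewrites one file and drops a new one; the offline manifest exposes both."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / 'notes.txt').write_text('original text\n')
        (root / 'sub').mkdir()
        (root / 'sub' / 'config.ini').write_text('[main]\nkey=1\n')
        manifest = build_manifest(root)          # this copy would be stored offline
        (root / 'notes.txt').write_text('tampered text\n')
        (root / 'sub' / 'extra.sh').write_text('#!/bin/sh\n')
        return verify_manifest(root, manifest)


if __name__ == '__main__':
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

The check only tells you that something changed, not who changed it, and it is only as trustworthy as the copy of the manifest and of this script that root could not edit; that is the same reason chrism01 puts the encryption key off the system.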

