Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
04-06-2012, 04:05 PM   #1
Rohit_4739 (Member; Distribution: Red Hat)
Preventing root from writing the files


Hello,

Here is my question. I have created a group directory named "test" and set the ownership of this directory to the group named testers and no particular user. Now I want that only members of group "testers" should be able to edit files created in this directory and no other user, not even root.

I gave appropriate permissions as 2070 to this directory and assigned ownership as "nobody.testers". Now, to prevent the files from being modified by root, I set the immutable bit on the file using the "chattr +i" command. But this makes the file unmodifiable by any user, not even by members of the group testers.

So could you please let me know how I can make this work, by which I mean that only group members should be able to modify the files and no one else, not even root.

Thanks.
 
04-06-2012, 04:18 PM   #2
Didier Spaier (LQ Addict; Location: Paris, France; Distribution: Slint64-15.0)
Hello,

AFAIK there is no way to get this behaviour in Linux, as root has all permissions by design.

But maybe I am wrong, in which case I would be pleased to know how to get this solved.
 
04-06-2012, 07:50 PM   #3
jefro (Moderator)
Then see if you can change it as root.
 
04-06-2012, 08:07 PM   #4
jschiwal (LQ Guru; Location: Fargo, ND; Distribution: SuSE AMD64)
Here is something similar if you didn't want the not-root owner to be able to edit or read the file:
Code:
----rw-r-- 1 jschiwal jschiwal 9334 Apr  6 19:58 testfile2
The owner will not be able to read or write the file even though group permissions allow it.
However the owner could use chmod to enable permissions.

To restrict root access, you would need to use SELinux restrictions. The root user however could change these restrictions as well. It is better to control who has root access, and have policies on how they use it.

Last edited by jschiwal; 04-07-2012 at 03:00 AM.
 
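The owner-class rule jschiwal describes (the owner triplet is chosen by uid and is final, so ----rw-r-- denies the owner while the group can still write), together with what root bypasses and what chattr +i blocks, as a small model of the Linux DAC decision. This is an added example, not code from any post in the thread; the uids, gids and file layout are constructed sample values.

```python
"""Model of the Linux DAC decision (generic_permission() ordering, the
CAP_DAC_OVERRIDE bypass root gets, and the ext2/3/4 immutable flag).
Added example for this thread, not code from any post; uids, gids and
the file layout are constructed sample values."""

from dataclasses import dataclass, field

R, W, X = 4, 2, 1          # access request bits, same as the mode triplets


@dataclass
class Inode:
    mode: int              # permission bits only, e.g. 0o064 for ----rw-r--
    uid: int
    gid: int
    immutable: bool = False   # set by chattr +i
    is_dir: bool = False


@dataclass
class Cred:
    uid: int
    groups: frozenset = field(default_factory=frozenset)
    cap_dac_override: bool = False   # root holds this unless it was dropped


def class_bits(inode, cred):
    """Pick exactly one triplet. The owner class is chosen by uid alone and
    is final: a denying owner triplet is NOT rescued by a permissive group
    triplet, which is why ----rw-r-- locks out the owner but not the group."""
    if cred.uid == inode.uid:
        return (inode.mode >> 6) & 7
    if inode.gid in cred.groups:
        return (inode.mode >> 3) & 7
    return inode.mode & 7


def may_access(inode, cred, want):
    """True if the request (bitmask of R/W/X) would be granted."""
    # The immutable flag is tested before any uid or capability logic and
    # refuses writes to everyone, root included (the kernel returns EPERM).
    if (want & W) and inode.immutable:
        return False
    if (class_bits(inode, cred) & want) == want:
        return True
    if cred.cap_dac_override:
        # CAP_DAC_OVERRIDE grants read and write regardless of mode bits;
        # execute only if some x bit is set or the object is a directory.
        if not (want & X) or inode.is_dir or (inode.mode & 0o111):
            return True
    return False


# Constructed sample principals and files.
OWNER_UID, TESTER_UID, OTHER_UID, ROOT_UID = 1000, 1001, 1002, 0
TESTERS_GID = 500

testfile = Inode(mode=0o064, uid=OWNER_UID, gid=TESTERS_GID)   # ----rw-r--
owner = Cred(uid=OWNER_UID, groups=frozenset({TESTERS_GID}))   # also in testers
tester = Cred(uid=TESTER_UID, groups=frozenset({TESTERS_GID}))
other = Cred(uid=OTHER_UID)
root = Cred(uid=ROOT_UID, cap_dac_override=True)


def summary(inode):
    """Who may write `inode` under this model, for the four sample credentials."""
    return {name: may_access(inode, cred, W)
            for name, cred in (("owner", owner), ("tester", tester),
                               ("other", other), ("root", root))}


if __name__ == "__main__":
    print("----rw-r--          :", summary(testfile))
    locked = Inode(mode=0o060, uid=OWNER_UID, gid=TESTERS_GID, immutable=True)
    print("----rw---- chattr +i:", summary(locked))
```

The model also shows why chattr +i is only a speed bump against root: the flag is cleared with chattr -i, which needs CAP_LINUX_IMMUTABLE, and root holds that capability unless it has been removed from the bounding set.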
04-07-2012, 02:51 AM   #5
Rohit_4739 (Original Poster)
Quote:
Originally Posted by jschiwal
Here is something similar if you didn't want the not-root owner to be able to edit or read the file:
Code:
----rw-r-- 1 jschiwal jschiwal 9334 Apr  6 19:58 testfile2
The owner will not be able to read or write the file even though group permissions allow it. This is the case for
However the owner could use chmod to enable permissions.

To restrict root access, you would need to use selinux restrictions. The root user however could change these restrictions as well. It is better to control who has root access, and have policies on how they use it.
Hi jschiwal,

Thanks for the answer; however, my question is that I do not want root to be able to edit the file, but the file owner should be. Let's take the example file you mentioned:
Quote:
----rwx--- 1 nobody testers 9334 Apr 6 19:58 testfile2
Now in such a case I would want only the members of group testers to do write operations on file testfile2; other than that, no one should be able to do that, not even root. So is it possible in the first place? If yes, then how? As I mentioned, I tried setting the immutable bit on the file, but that prevents everyone from modifying the file.

Thanks

Last edited by Rohit_4739; 04-07-2012 at 02:53 AM.
 
04-07-2012, 02:56 AM   #6
Rohit_4739 (Original Poster)
Quote:
Originally Posted by jefro
Then see if you can change it as root.
No, I cannot change the file if I set the immutable bit on it, but in that case even the file owner is unable to modify the file. Anyway, thanks for the reply.
 
04-07-2012, 02:59 AM   #7
Rohit_4739 (Original Poster)
Quote:
Originally Posted by Didier Spaier
Hello,

AFAIK there is no way to get this behaviour in Linux, as root has all permissions by design.

But maybe I am wrong, in which case I would be pleased to know how to get this solved.
Thanks Didier,

Yeah, to me also it seems that it could not be possible; however, I saw this in one of the older Red Hat exam questions, so I thought of giving it a shot but couldn't do it, so I posted here to see if it could be done.

Thanks
 
04-07-2012, 06:50 AM   #8
BlackRider (Member)
Applying such fine-grained permissions requires heavy work and modification of the system.

You can try the GRSecurity kernel patch. Other advanced access control systems should work. I haven't used GRSecurity in a while, and I think it would present some problems in this scenario, so please check it out by yourself.

Last edited by BlackRider; 04-07-2012 at 06:52 AM.
 
04-13-2012, 01:05 AM   #9
chrism01 (LQ Guru; Location: Sydney; Distribution: Rocky 9.2)
Quote:
The root user however could change these restrictions as well
from jschiwal is key here.
In *nix, root is all-powerful, i.e. even if you fix it so he/she can't trivially edit a file, they can always undo your restrictions.
The only way to prevent it is to encrypt the file and keep the encryption key off the system.
 
04-13-2012, 01:06 PM   #10
jschiwal (LQ Guru; Location: Fargo, ND; Distribution: SuSE AMD64)
I should have added "after a reboot".
Are you concerned with a normal admin, or someone breaking in and gaining root access?

You could record the hashes of the files and store the list also offline, to be assured files weren't modified. Git has cryptographic safeguards. Maybe you could run a git repository instead of a shared directory.
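chrism01's point that only a key kept off the system defeats root, and jschiwal's suggestion of an offline hash list, combine into one practical control: a manifest of file digests authenticated with a key that never lives on the monitored host. Root can still rewrite the files, but cannot produce a manifest that verifies. The code below is an added example for this thread, not from any post; the directory contents, file names and the key are constructed, and in real use the key and the verification run would sit on a separate machine.

```python
"""Offline-keyed integrity manifest for a shared directory.
Added example for this thread, not code from any post. The directory
layout, file contents and key below are constructed; the key is assumed
to be stored off the monitored host."""

import hashlib
import hmac
import json
import os
import tempfile


def file_digests(root_dir):
    """Map each relative path under root_dir to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root_dir):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root_dir)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def build_manifest(root_dir, key):
    """Serialize the digests canonically and tag them with HMAC-SHA256."""
    body = json.dumps(file_digests(root_dir), sort_keys=True,
                      separators=(",", ":"))
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


def verify(root_dir, manifest, key):
    """Return (manifest_authentic, report). A failed tag means the manifest
    itself was tampered with or forged, so no file comparison is reported."""
    expected = hmac.new(key, manifest["body"].encode(), hashlib.sha256).hexdigest()
    empty = {"modified": [], "added": [], "removed": []}
    if not hmac.compare_digest(expected, manifest["tag"]):
        return False, empty
    recorded = json.loads(manifest["body"])
    current = file_digests(root_dir)
    report = {
        "modified": sorted(p for p in recorded
                           if p in current and current[p] != recorded[p]),
        "added": sorted(p for p in current if p not in recorded),
        "removed": sorted(p for p in recorded if p not in current),
    }
    return True, report


def demo():
    """Constructed scenario: clean baseline, then a root edit and a forgery."""
    key = b"example-key-kept-on-another-host"   # assumption: never on the box
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "sub"))
        with open(os.path.join(d, "testfile2"), "w") as f:
            f.write("group-approved content\n")
        with open(os.path.join(d, "sub", "notes.txt"), "w") as f:
            f.write("more\n")
        manifest = build_manifest(d, key)

        ok, report = verify(d, manifest, key)
        clean = ok and not any(report.values())

        # Someone with root rewrites one file and drops a new one.
        with open(os.path.join(d, "testfile2"), "w") as f:
            f.write("tampered\n")
        with open(os.path.join(d, "backdoor.sh"), "w") as f:
            f.write("#!/bin/sh\n")
        ok, report = verify(d, manifest, key)
        detected = (ok and report["modified"] == ["testfile2"]
                    and report["added"] == ["backdoor.sh"])

        # Root then regenerates the manifest, but without the real key.
        forged = build_manifest(d, b"guess")
        forged_ok, _ = verify(d, forged, key)
    return {"clean_baseline": clean, "tamper_detected": detected,
            "forgery_rejected": not forged_ok}


if __name__ == "__main__":
    print(demo())
```

This is detection, not prevention: root on the host can still change the files, and can also subvert any verifier that runs on the same host, so the comparison has to be driven from the side that holds the key.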
 
  


All times are GMT -5.
