Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Here is my question. I have created a group directory named "test" and set the ownership of this directory to a group named testers and no particular user. Now I wanted that only members of group "testers" should be able to edit files created in this directory and no other user, not even root.
I gave appropriate permissions as 2070 to this directory and assigned ownership as "nobody.testers". Now, to prevent the files from being modified by root, I set the immutable bit on the file using the "chattr +i" command. But this makes the file not modifiable by any user, not even by members of the group testers.
So could you please let me know how I can make this work, by which I mean that only group members should be able to modify the files and no one else, not even root.
The owner will not be able to read or write the file even though group permissions allow it.
However, the owner could use chmod to enable permissions.
To restrict root access, you would need to use SELinux restrictions. The root user however could change these restrictions as well. It is better to control who has root access, and have policies on how they use it.
Hi jschiwal,
Thanks for the answer; however, my question is that I do not want root to be able to edit the file, but the file owner should be. Let's take the example file you mentioned.
Now in such a case I would want only the members of group testers to do write operations on file testfile2; other than that, no one should be able to do that, not even root. So is it possible in the first place? If yes, then how? As I mentioned, I tried setting the immutable bit on the file, but that protects everyone from modifying the file.
Thanks
Last edited by Rohit_4739; 04-07-2012 at 02:53 AM.
No, I cannot change the file if I set the immutable bit on the file, but in that case even the file owner is unable to modify the file. Anyway, thanks for the reply.
AFAIK there is no way to get this behaviour in Linux, as root has all permissions by design.
But maybe I am wrong, in which case I would be pleased to know how to get this solved.
Thanks Didier,
Yeah, to me also it seems that it could not be possible; however, I saw this in one of the older Red Hat exam questions, so I thought of giving it a shot but couldn't do it, so I posted here to see if it could be done.
Applying such fine-grained permissions requires heavy work and modification of the system.
You can try the GRSecurity kernel patch. Other advanced access control systems should work. I haven't used GRSecurity in a while, and I think it would present some problems in this scenario, so please check it out by yourself.
Last edited by BlackRider; 04-07-2012 at 06:52 AM.
"The root user however could change these restrictions as well" from jschiwal is key here.
In *nix, root is all-powerful, i.e. even if you fix it so he/she can't trivially edit a file, they can always undo your restrictions.
The only way to prevent it is to encrypt the file and keep the encryption key off the system.
I should have added "after a reboot".
Are you concerned with a normal admin, or someone breaking in and gaining root access?
You could record the hashes of the files and store the list also offline, to be assured files weren't modified. Git has cryptographic safeguards. Maybe you could run a git repository instead of a shared directory.