IT Questions and Answers :)

Wednesday, November 20, 2019

Assuming all features are supported, on a *NIX system, what is the best way to protect an existing $file on an Extended Filesystem (ext#) partition from any changes and set maximum access restriction? (Prompts: $ = non-root user; # = root user.)

  • $ chmod 000 $file && chown root:root $file
  • $ chmod 1744 $file && chown root:root $file
  • # chown root:root $file && chmod 1000 $file && chattr +iu $file
  • # chmod 400 $file && chown root:root $file && chattr +i $file


EXPLANATION

chown root:root $file sets the user and group "root" as the owner of the file. chmod 1000 $file sets the sticky bit (the leading 1), which means that only the owner can delete the file, and the three zeroes mean that the owner, group, and world (other), respectively, have no access permissions on the file.
chattr, a component of the e2fsprogs package, with +iu sets the file to immutable (+i), so that even root cannot change it, and to undeletable (+u), so that it cannot be deleted.
This answer assumes 1) that the user has permissions to set all flags and 2) that the +u flag in chattr is supported by the Linux kernel and the filesystem on which the file is written.
For documentation, see:
https://docs.oracle.com/cd/E19683-01/816-4883/secfile-69/index.html
http://permissions-calculator.org/
Note: for more realistic (real-world) command-line options, one would allow root to read the file with chmod 1400; and since chattr +i makes the file immutable, it will not be deletable, so chattr +u is unnecessary.