Normal users can chmod files to make them unaccessible like
evgeniy@ubuntu:~$ touch test
evgeniy@ubuntu:~$ chmod 444 test
evgeniy@ubuntu:~$ echo 'test' > test
bash: test: Permission denied
Can something like this be simulated for the root user?
Asked
Active
Viewed 4,624 times
8
Ev Dolzhenko
- 205
- 2
- 5
-
I hope not, or I'm sure to do it. – Mark Allen Oct 28 '10 at 08:16
-
Go ahead and check the @danlefree's answer ;) – Ev Dolzhenko Oct 30 '10 at 07:22
2 Answers
13
chattr +i * will prevent even the root account from making changes to files in the directory (until chattr -i * is run).
Per Slartibartfast's comments, a few things you should know about chattr and the immutable attribute:
- The immutable bit will prevent a file from being deleted, renamed, linked to, or written to; use
lsattrto display attributes in much the same waylsdisplays ownership and permissions - You can prevent the immutable bit from being unset (even by root) by changing the
CAP_LINUX_IMMUTABLEflag - to do so you'll want to install libcap, but it's only fair warning that capabilities are poorly documented (at best)
danlefree
- 2,923
- 1
- 19
- 20
-
It is worth mentioning for purposes of helping people find this answer that chattr +i makes the file immutable. – Slartibartfast Oct 29 '10 at 02:20
5
SELinux can be used to mark a file as unwriteable by root in the current domain and user role.
Ignacio Vazquez-Abrams
- 45,939
- 6
- 79
- 84
-
-
SELinux must be considered as untrustworthy as OpenSSL with the Heartbleed and RNG patches that came from the same source. (Namely the NSA.) There are alternatives though. The common name for such solutions is “RBAC” (role-based access-control) in specific or “MAC” (mandatory access control) in general. – Evi1M4chine Nov 08 '22 at 02:37