If I would like to lock a file as read-only. Even root can not use an editor to modify it, just allowing any program to open it read-only.
Any suggestions?
Asked
Active
Viewed 7,798 times
12
-
3What is your use case for this? – Gabe Aug 01 '13 at 03:42
-
8Nope. Root can do anything. That's what it means to be root. – Matt Ball Aug 01 '13 at 03:43
-
Root cannot write to `/proc/kcore` – OmnipotentEntity Aug 01 '13 at 05:38
-
Try `chmod -R a-x /` as `root`. Now even root won't be able to do anything! – devnull Aug 01 '13 at 07:23
3 Answers
24
There is an "immutable" bit for files.
Programs (even running as root) won't be able to tamper with the file. Of course, root can un-do the bit, but most programs (especially non-malicious ones) won't get past it.
Set it with
sudo chattr +i file
Quanlong
- 24,028
- 16
- 69
- 79
BraveNewCurrency
- 12,654
- 2
- 42
- 50
-
1You can undo this by doing `chattr -i file`. How would you make this "immutable" bit immutable itself? I had read in a book that you could remove the `cap_linux_immutable` capability to root, so that root couldn't change the immutable bit any longer without rebooting the computer. The file was thus not totally immutable but you had to reboot with a different capability setting if you wanted to use `chattr` to reverse the immutable bit. I wish I found a way to do this today but I can't find a way now, it seems the utility that permitted this (`lcap`) is no longer part of the main linux distros. – John Smith Optional Jan 21 '20 at 01:10
0
You can use Perl or another language to create a file lock
But, root could kill the process can gain access to the file.
-
1`flock` and `lockf` etc. are just "informative" locks; files which ignore them are not affected by them. – glglgl Aug 01 '13 at 04:29