
Hello all, I have some very important system files which I want to protect from accidental deletion, even by the root user. I can create a new partition for that and mount it with read-only access, but the problem is that I want my application, which handles those system files, to have write access to that part and be able to modify them. Is that possible using VFS? As VFS handles access to the files, I could have a module inserted in the VFS layer which can see if there is a write access to that part, then check the authorization and allow it or otherwise reject it. If not, please provide me suggestions regarding how such a system could be implemented and what I would need in that case. If there exists a system like this, please suggest it also. I am using Linux and want to implement this in C; I think it would be possible in C only.

Edit: There are such kinds of programs implemented in Windows which can restrict access, even to the administrator, to some important folders; would that be possible in Linux? My application is a system backup and restore program which needs to keep its backup information safe and secure. So I would like to have a secured part of a partition which could not be accidentally deleted in any way. There are methods of locking a flash drive; can we use some of those methods for locking a partition in Linux also, so that the mount is password protected? I am not writing a virus application; my application would give the user the option to delete the backups, but I don't want to allow them to be deleted by any other application. Edit: I am writing a system restore and backup program for Ubuntu; I am a computer engineering student.

Edit: As I have got the opinion from Basile Starynkevitch that I would be committing the worst sin of programming if I do anything like this, but you could provide me suggestions considering this as an experimental project; I could make some changes in the VFS layer so that this could work.

Chris Gerken
gaurav
  • Why don't you trust those having `root` access? – Basile Starynkevitch Nov 29 '11 at 17:20
  • Sometimes an application running under root access can accidentally overwrite those system files. Those files are much more important. That's why I want to protect their modification, if that could be prevented with something like checking some other way of authentication. Or I could use direct access to the raw partition. – gaurav Nov 29 '11 at 17:29
  • 1
    No: `root` is the owner of the machine. He has the right to wipe any data on his machine. – Basile Starynkevitch Nov 29 '11 at 17:29
  • 1
    How about running the system in a virtual machine that only has read-only access to the important data? – user786653 Nov 29 '11 at 17:34
  • @BasileStarynkevitch: Yes, I agree with that, but some applications need to protect their data from accidental access. Like in Windows there are folders like System Volume Information which could not be accessed even with administrator access. Is that possible in Linux also? – gaurav Nov 29 '11 at 17:36
  • @user786653: I want this system in the currently running system; a virtual machine won't solve that purpose. – gaurav Nov 29 '11 at 17:38
  • Have you heard of root squashing? (Edit - you would need to have the data on an nfs mount to use this) – dbeer Nov 29 '11 at 17:45
  • @dbeer: Sorry, I had not heard of it. I searched about it and I like the idea, but it's there for NFS, not for local filesystems? How can I do that on a local system? – gaurav Nov 29 '11 at 17:49
  • @dbeer: Ok, I need to use NFS for that so that root is not root there. I think I can mount a local filesystem in NFS mode; if that's possible maybe I could do that. I will see that. – gaurav Nov 29 '11 at 17:57
  • I posted a little bit more information about it in the form of an answer. – dbeer Nov 29 '11 at 18:38
  • "chmod 0 the_file" will probably do what you want. Or chmod 100 if it needs to remain executable by root. – wildplasser Nov 30 '11 at 12:28
  • @wildplasser : I know this and I think chattr is a better idea. – gaurav Nov 30 '11 at 13:32
  • Sorry if I misunderstood. Your requirements just seem silly to me. Since you appear to want to create a "backup&restore program": against whom do you want to protect your data: the backup/restore program itself, or a "malicious user"? – wildplasser Nov 30 '11 at 13:48
  • @wildplasser: Thanks for your reply. Yes, it might seem silly; I want to protect data from a malicious user having root permission, and from accidental deletion too. I think I can handle the latter with chattr, but I need to deal with the former one. If you could provide me some suggestion regarding that, it would be really a great help. – gaurav Nov 30 '11 at 14:30

3 Answers

You could use chattr, e.g.

chattr +i yourfile

But I don't think it is a good thing to do that. People using root access are expected to be careful. Those having root access can still issue the command undoing the above.

There is no way to forbid people having root access, or people having physical access to the computer, to access, remove, or change your file, if they really want to (they could update & hack the kernel, for instance). Read more about the trusted computing base.

And I believe it is even unethical (and perhaps illegal, in some countries) to want to do that. I own my PC, and I don't understand why you should disallow me to change some data on it, because I happened to install some software.

By definition of root on Linux, it can do anything... You won't be able to prohibit him to erase or alter data... People with root access can write arbitrary bytes at arbitrary places on the disk.

And on a machine that I own (or perhaps just have physical access to), I will, thank God, always be able to remove a file (even under Windows: I could for example boot a Linux CDROM and remove the file from Linux accessing the NTFS, and then reboot Windows...).

So I think you should not bother and take even a minute to find out how to make root altering your precious files more difficult. Leave them as other root files...

PHILOSOPHICAL RANT

The Unix philosophy has always been to trust the system administrator (while protecting newbie users from mistakes), that is the root user. The root is able to do anything (this is why people avoid being root, even on a personal machine). There have never been strong features to prohibit root from making mistakes, because the system administrator is expected to know the system well, and is trusted.

And Unix sysadmins understand this fact: it is part of their culture. (This is probably in contrast with Windows administration culture). They know when to be careful, they don't expect software to prevent mistakes as root.

Basile Starynkevitch
  • Thanks for your quick reply, I didn't know about this, I will try this. Yes, that's true, but I need to allow only my application to access that part; no other application, even with root access, should be able to modify those files. Would that be possible? – gaurav Nov 29 '11 at 17:17
  • It does not prevent the root to access your file (since root can always run `chattr -i yourfile` to undo the above command). It just makes that a little harder, and much less comfortable. Again, it is a bad idea... Trust the people having `root` access (you have to anyway, because they are able to overwrite the kernel!!). – Basile Starynkevitch Nov 29 '11 at 17:19
  • Ok, yes, that's the problem: most of the internal settings cannot prevent root access. Yes, you are right, but sometimes an application running under root access can accidentally overwrite those system files. That's why I want to protect their modification, if that could be prevented with something like checking some other way of authentication. – gaurav Nov 29 '11 at 17:25
  • If something under `root` privilege overwrites these files, it is the responsibility of the person having `root` access, and it is not your business to interfere with it. – Basile Starynkevitch Nov 29 '11 at 17:28
  • Ok, I agree with you regarding the user permissions, that root should be allowed to erase whatever he can. But still I could provide a really tough barrier like a kernel module which could prevent the access to those files, and hence he can't delete them unless he unloads the module or formats the disk. Would that be possible in Linux? – gaurav Nov 29 '11 at 17:42
  • No, because root is able to install his own patched kernel. You forgot that he is *owning the machine*. If you want to own it, buy it (and then the problem goes away, you've got full control). – Basile Starynkevitch Nov 29 '11 at 17:46
  • I totally agree with you; actually I am not able to explain to you what I want. Actually, if I say the root itself wants that he is not able to damage those files, for their own benefit, but they could accidentally run some programs by mistake and those damaged the data. Of course they could also damage the whole partition table!! But just now we think of only those system files, so he wants that there could be a barrier that prevents him from accidentally deleting those files; he could use my application or another patched kernel to damage those files, but a – gaurav Nov 29 '11 at 17:54
  • malicious application doesn't know about that, so this could safely protect those files from being damaged. This could seem senseless to you, that those files could actually be deleted anyways, but still I need to know about any such method if that's really possible. – gaurav Nov 29 '11 at 17:55
  • @gaurav and in those cases you just use `chattr +i`. The barrier is then that the malicious root needs to know it must run chattr -i in order to damage the files. It's simple and effective; it doesn't protect you 100%, but nothing will. – nos Nov 29 '11 at 18:41
  • @nos: Thanks for your suggestion, I will go for this if I couldn't find anything better. – gaurav Nov 30 '11 at 12:24
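The mechanism behind `chattr +i` is the FS_IOC_SETFLAGS ioctl on the file's inode, and the limits discussed above can be observed directly: setting the flag needs CAP_LINUX_IMMUTABLE (so root can always clear it), and while it is set even the process that set it cannot unlink the file. The following C program is an added example written for this answer, not code from the original post; it assumes Linux with a filesystem that keeps attribute flags (ext4, xfs, btrfs) and a writable /tmp, and the function name `immutable_self_check` is the example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <linux/fs.h>
#include <stdlib.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Run FS_IOC_GETFLAGS or FS_IOC_SETFLAGS on path. Returns 0, or -1 with errno set
 * (ENOTTY/EOPNOTSUPP on filesystems that keep no attribute flags at all). */
static int attr_ioctl(const char *path, unsigned long req, int *flags)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK | O_CLOEXEC);
    if (fd < 0) return -1;
    int rc = ioctl(fd, req, flags), saved = errno;
    close(fd);
    errno = saved;
    return rc < 0 ? -1 : 0;
}

/* chattr +i / -i: set or clear FS_IMMUTABLE_FL, leaving the other bits alone.
 * Needs CAP_LINUX_IMMUTABLE: unprivileged callers get EPERM, root succeeds, which
 * is exactly why the flag only slows root down and never stops it. */
static int set_immutable(const char *path, int on)
{
    int flags;
    if (attr_ioctl(path, FS_IOC_GETFLAGS, &flags) < 0) return -1;
    flags = on ? (flags | FS_IMMUTABLE_FL) : (flags & ~FS_IMMUTABLE_FL);
    return attr_ioctl(path, FS_IOC_SETFLAGS, &flags);
}

/* Walk through the behaviour on a fresh temp file (a constructed sample). Returns 0
 * when every observation matches the answer: flag clear at first; once set, unlink
 * fails with EPERM even for the setter; unprivileged callers get EPERM on setting. */
int immutable_self_check(void)
{
    char path[] = "/tmp/immutable-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return 1;
    close(fd);
    int flags, bad = 0;
    if (attr_ioctl(path, FS_IOC_GETFLAGS, &flags) < 0)
        bad = !(errno == ENOTTY || errno == EOPNOTSUPP); /* no flags here: nothing to test */
    else if (flags & FS_IMMUTABLE_FL)
        bad = 1;                              /* a new file must not start out immutable */
    else if (set_immutable(path, 1) == 0) {
        bad = unlink(path) == 0 || errno != EPERM;   /* the file now resists deletion */
        set_immutable(path, 0);               /* chattr -i again so cleanup can remove it */
    } else
        bad = errno != EPERM;                 /* unprivileged: the kernel refuses to set it */
    unlink(path);
    return bad;
}
```

Run it once as an ordinary user and once as root to see both outcomes; `lsattr` on the temp file while it exists shows the `i` bit the program set.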

In order to use root squashing (which makes it so that root can't even see files for a local user) you can set up a local NFS. This forum page explains how to mount an NFS share locally. The command is:

mount -t nfs nameofcomputer:/directory_on_that_machine /directory_you_should_have_already_created

NFS has root squashing enabled by default, which should solve your problem. From there, you just make sure your program stores its files on the NFS mount.

dbeer

Sounds to me like you're trying to write a virus.

No doubt you will disagree.

But I'm willing to bet the poor people that install your software will feel like it's a virus, because it will be behaving like one by making itself hard to remove.

Simply setting r/w flags should suffice for anything else.

mac
  • Actually it will be quite easy to remove those files, my application would be giving options for that, but it won't allow any other program to delete its files. – gaurav Nov 30 '11 at 12:23
  • @gaurav: what you are doing is highly controversial (and IMHO useless). Please at least document clearly that you are doing unusual things, and document the `chattr` command. I feel you are wrong in doing this (because, as I explained many times, `root` is owning the machine, and should be trusted more than your application). – Basile Starynkevitch Nov 30 '11 at 12:29
  • @mac: I fully agree with your position. What gaurav is doing is perceived as being a malicious virus (even if he believes he knows better than his users). I hope I will never have to install his software... – Basile Starynkevitch Nov 30 '11 at 12:41
  • @gaurav: could you please tell us what kind of software you are coding, and for what company you are writing it. If it is some driver for some hardware, I want to be sure I will never buy it. – Basile Starynkevitch Nov 30 '11 at 12:48
  • @BasileStarynkevitch: Ok, I agree with you, I won't be doing anything like that, but still, if you could be kind enough to suggest to me something like flash drive protection so that it could be protected from unauthorised access. – gaurav Nov 30 '11 at 12:52
  • @BasileStarynkevitch Please see my edited question. I am working on an open source project as part of my computer engineering course; my guide, under whom I am working, is very much interested in keeping the backup extra secure, so I wanted to know if any such method exists. – gaurav Nov 30 '11 at 12:56
  • @BasileStarynkevitch: It's an experimental project and I haven't decided its name yet, and I won't be releasing it, so you need not worry about never installing it. Thanks for your encouragement. – gaurav Nov 30 '11 at 13:03
  • @gaurav: I added a philosophical rant in my answer. What you are doing is totally against expectations (and is useless, because other parts of the system trust `root`). – Basile Starynkevitch Nov 30 '11 at 15:02