Stop root from writing to directory


 
Thread Tools Search this Thread
Top Forums UNIX for Advanced & Expert Users Stop root from writing to directory
# 8  
Old 11-21-2019
Quote:
Originally Posted by foad

....

The usual remedy if you want some file(-space) to be protected from roots tampering is to put it off the server: create an NFS share on some remote server, mount it where you want to be protected from roots access and adjust the rights accordingly. This is the common way of i.e. protecting logs from possible tampering.
Let me correct your words here.

This is not a "usual remedy", but it is one technical control in wide a range of possible technical controls based on the risk profile of the server.

I don't have a lot of time to write a long reply, so let me summarize:

Security is defined, generally, in three areas (1) confidentiality, (2) integrity and (3) availability.

The original poster has not defined which of these are the most critical to their organization / application / server.

For example, the application on this server may be less interested in file integrity than high availability. If that is the case, then having a network mounted device may not provide the insured availability because networks can fail, wires can break, network devices can go down, even unplugged, etc. In one datacenter I worked, I watched a major device fail because a manager rolled his chair (sitting in the chair) over a LAN cable while talking to the team.

Anyway, it is important, when talking about IT security to talk about the risk and define the risk profile; because what is correct for one application / server may not be the best for another; and the controls: (1) techincal,(2) administration and (3) physical.

More later, if this thread gains any traction.
# 9  
Old 11-21-2019
I had the same question some weeks ago. If you really want to restrict root from accessing certain files, SELinux is probably a working way to go. But the high complexity to configure this and the additional overhead it produces(how to backup/recover if root has no access?, ... ) drove me quickly away from starting to go in that direction.

And the question stays: what are you actually trying to accomplish, why are you doing this and what is the risk profile of the system in question?".
# 10  
Old 11-21-2019
The true mark of an IT security professional is one who understands that IT security controls are based on the risk management profile of the system; and that these IT security controls can be any combination of three types of controls.

Risk Management ... is founded on the Intersection of:

(1) Threat, (2) Vulnerability and (3) Criticality.

Type of Controls:

(1) Administrative, (2) Physical and (3) Technical.

In the content of the IT security requirements (part of the risk profile).

(1) Confidentiality, (2) Availability and (3) Integrity.

In this post, the original poster has not provided any basic IT security information (above). All risk management profiles are different and require an approach based on the risk profile; and the choice of controls follow the risk profile.
# 11  
Old 11-27-2019
Quote:
Originally Posted by Neo
Note to Original Poster:

You do realize, of course, that when root runs chattr to prohibit writing to a directory, root can also run chattr to permit the same.

So, this method does not stop malicious activity from a user with root privs because root can recursively reverse this using the same chattr command.

You could restrict using chattr and then remove chattr from the system, but that is also not a 'perfect' solution.

The more important question to the original poster is "what are you actually trying to accomplish, why are you doing this and what is the risk profile of the system in question?".

See this post and others like it: Alternative for chattr
I have a VERY annoying and poorly written app that has to be run as root and I am not allowed to get rid of, that will not stop writing to a directory and filling up the file system. When this filesystem fills up it prevents people from logging in through ssh then I have login to the console to fix this. This is also an old server that I can can extent the file system because it does not have lvm.
# 12  
Old 11-27-2019
This is a trivial problem to solve without any necessity to tinker with root permissions, etc.

So, when I have this kind of problem (and I have seen the kind of problem often), I would just remove the directory that your process is trying to write to. Problem solved.

In the next case:

If the process writes to a directory you do not want to remove because other processes write to the same directory and you don't want to reconfigure other processes to write to a different directory, then I would just create a crontab file which runs often and deletes the files you want deleted.

In the case where the file name of the log is the same, then just link the name of that file to /dev/null and problem solved. No need for a cron process..

In other words, there are many ways to solve this simple annoying problem.. These are but a few ways to do it.

This is also an example of why it is best, by far, to get people who post here at unix.com to describe the exact problem they are trying to solve, generally speaking.
# 13  
Old 11-28-2019
What do you do to manually clean up?
If you have a general working sequence of commands then you can put them into a shell script.
If the script has successfully run several times, then the ultimate step is to regularly run it from crontab.
Login or Register to Ask a Question

Previous Thread | Next Thread

10 More Discussions You Might Find Interesting

1. Solaris

SunOS confusing root directory and user home directory

Hello, I've just started using a Solaris machine with SunOS 5.10. After the machine is turned on, I open a Console window and at the prompt, if I execute a pwd command, it tells me I'm at my home directory (someone configured "myuser" as default user after init). ... (2 Replies)
Discussion started by: egyassun
2 Replies

2. UNIX for Dummies Questions & Answers

Removing directory with leading hyphen from root directory

I know that this basic question has been asked many times and solutions all over the internet, but none of the are working for me. I have a directory in the root directory, named "-p". # ls -l / total 198 <snip> drwxr-xr-x 4 root root 4096 Dec 3 14:18 opt drwxr-xr-x 2 root ... (2 Replies)
Discussion started by: edstevens
2 Replies

3. What is on Your Mind?

Stop Writing Scripts

Please, I beg you, “Stop!” Yes, stop writing scripts and instead build workflows. Programmers, Sys-Admins, System Support, I'm talking to you. Ok, I know in this community I'm going to get some serious backlash for my statements but I truly believe in my statement. There was a time when... (13 Replies)
Discussion started by: mikemazz
13 Replies

4. Shell Programming and Scripting

Shell script to poll a directory and stop upon an event

Need shell script to: 1/keep polling a directory "receive_dir" irrespective of having files or no files in it. 2/move the files over to another directory "send_dir". 3/the script should only stop polling upon a file "stopfile" get moved to "receive_dir". Thanks !! My script: until do... (0 Replies)
Discussion started by: iaav
0 Replies

5. Shell Programming and Scripting

Writing Script to Copy Newest Directory

I am trying to write a script that once executed it will search within a directory and copy only the newest directory that has not been copied before to a new location. Kind of like what ROBOCOPY /M does in windows? The directories are not left in the new location so using a sync action won't... (2 Replies)
Discussion started by: Keriderf
2 Replies

6. UNIX for Dummies Questions & Answers

How to display only Owner and directory/sub directory names under particular root

hai, I am new to Unix, I have a requirement to display owner name , directory or sub directory name, who's owner name is not equal to "oasitqtc". (here "oasitqtc" is the owner of the directory or sub directory.) i have a command (below) which will display all folders and sub folders, but i... (6 Replies)
Discussion started by: gagan4599
6 Replies

7. Shell Programming and Scripting

stop unix find on a directory structure after finding 1st occurrence

Hi, Has anyone tried to restrict Solaris 10 unix find on a large directory structure based on time to stop running after finding the first occurrence of a matching query. Basically I'm trying to build up a usage map of user workspaces based on file modification (week/month/3 months/year etc) and... (3 Replies)
Discussion started by: jm0221
3 Replies

8. UNIX for Dummies Questions & Answers

how to stop to current directory using find

Hello, I just want to ask the following use of find command: 1. how can I find files only to the current directory? 2. how can I find files to directories and all subdiretories (are this include soft links?) but will not go to other mountpoints that is under that mountpoint. Im combining... (1 Reply)
Discussion started by: james_falco
1 Replies

9. Shell Programming and Scripting

writing script to clean up a directory

I have to do a directory clean up on several machines. The task is as follows: go to a particular directory (cd /xxx) 1. create a directory ' SCRIPTCLEANUP ' ( i KNOW IT) loop through 2. List the directory 3. if directory and start with 'DQA' leave it, 4. if directory or file move it to... (0 Replies)
Discussion started by: ajaya
0 Replies

10. UNIX for Dummies Questions & Answers

What files are writing to a directory

Is there a way to tell what files/scripts are writing/wrote to a given directory? (3 Replies)
Discussion started by: hattorihanzo
3 Replies
Login or Register to Ask a Question