Stop root from writing to directory


Login or Register for Dates, Times and to Reply

 
Thread Tools Search this Thread
Top Forums UNIX for Advanced & Expert Users Stop root from writing to directory
# 1  
Stop root from writing to directory

Is there a way to stop root from writing to a directory? I already tried chattr but that did not seem to work.

Code:
chattr +i directory


Last edited by Scrutinizer; 11-20-2019 at 02:09 PM.. Reason: code tags please
# 2  
Please do not ask such questions without providing your OS details.
# 3  
Fedora. Sorry.
# 4  
This seem to be working OK for me:

Code:
# cat /etc/fedora-release 
Fedora release 31 (Thirty One)
# mkdir nowrite
# chattr +i nowrite
# cd nowrite
# echo > test
bash: test: Operation not permitted
# cd ..
# rmdir nowrite
rmdir: failed to remove 'nowrite': Operation not permitted
# chattr -i nowrite
# rmdir nowrite

This User Gave Thanks to Chubler_XL For This Post:
# 5  
Note to Original Poster:

You do realize, of course, that when root runs chattr to prohibit writing to a directory, root can also run chattr to permit the same.

So, this method does not stop malicious activity from a user with root privs because root can recursively reverse this using the same chattr command.

You could restrict using chattr and then remove chattr from the system, but that is also not a 'perfect' solution.

The more important question to the original poster is "what are you actually trying to accomplish, why are you doing this and what is the risk profile of the system in question?".

See this post and others like it: Alternative for chattr
# 6  
On a similar topic....

On some servers I manage, I have configured PAM to enable Google Authenticator for certain commands.

For example, on some servers, I have configured PAM to require Google Authenticator for sudo.

So, depending on your risk management profile, you could configure PAM to require Google Authenticator for chattr (or any other command you want to add 2FA) ; and only have one admin with their GA set up (and keep that mobile phone, for example, locked away in safe if you need added security).

Anyway, not to belabor this point; but you can use PAM and GA to add 2FA to just about any command you wish. I use it for sudo, sshd, and others and it works well. When set up this way, even root needs 2FA for access.

Again, depending on your risk management profile, that may be "enough", or it may not be "enough".
This User Gave Thanks to Neo For This Post:
# 7  
Bottom line is you can't prevent root from either doing something on a system or at least acquire the means to do it (as with chattr and similar mechanisms) and do it then. This is necessary because without this amount of freedom root would not be able to function as the systems ultimate administration account.


The usual remedy if you want some file(-space) to be protected from roots tampering is to put it off the server: create an NFS share on some remote server, mount it where you want to be protected from roots access and adjust the rights accordingly. This is the common way of i.e. protecting logs from possible tampering.
Login or Register for Dates, Times and to Reply

Previous Thread | Next Thread
Thread Tools Search this Thread
Search this Thread:
Advanced Search

Test Your Knowledge in Computers #483
Difficulty: Easy
IDEs do not provide automated compile/build features and other tools that make the software development process easier and faster.
True or False?

10 More Discussions You Might Find Interesting

1. Solaris

SunOS confusing root directory and user home directory

Hello, I've just started using a Solaris machine with SunOS 5.10. After the machine is turned on, I open a Console window and at the prompt, if I execute a pwd command, it tells me I'm at my home directory (someone configured "myuser" as default user after init). ... (2 Replies)
Discussion started by: egyassun
2 Replies

2. UNIX for Dummies Questions & Answers

Removing directory with leading hyphen from root directory

I know that this basic question has been asked many times and solutions all over the internet, but none of the are working for me. I have a directory in the root directory, named "-p". # ls -l / total 198 <snip> drwxr-xr-x 4 root root 4096 Dec 3 14:18 opt drwxr-xr-x 2 root ... (2 Replies)
Discussion started by: edstevens
2 Replies

3. What is on Your Mind?

Stop Writing Scripts

Please, I beg you, Stop! Yes, stop writing scripts and instead build workflows. Programmers, Sys-Admins, System Support, Im talking to you. Ok, I know in this community I'm going to get some serious backlash for my statements but I truly believe in my statement. There was a time when... (13 Replies)
Discussion started by: mikemazz
13 Replies

4. Shell Programming and Scripting

Shell script to poll a directory and stop upon an event

Need shell script to: 1/keep polling a directory "receive_dir" irrespective of having files or no files in it. 2/move the files over to another directory "send_dir". 3/the script should only stop polling upon a file "stopfile" get moved to "receive_dir". Thanks !! My script: until do... (0 Replies)
Discussion started by: iaav
0 Replies

5. Shell Programming and Scripting

Writing Script to Copy Newest Directory

I am trying to write a script that once executed it will search within a directory and copy only the newest directory that has not been copied before to a new location. Kind of like what ROBOCOPY /M does in windows? The directories are not left in the new location so using a sync action won't... (2 Replies)
Discussion started by: Keriderf
2 Replies

6. UNIX for Dummies Questions & Answers

How to display only Owner and directory/sub directory names under particular root

hai, I am new to Unix, I have a requirement to display owner name , directory or sub directory name, who's owner name is not equal to "oasitqtc". (here "oasitqtc" is the owner of the directory or sub directory.) i have a command (below) which will display all folders and sub folders, but i... (6 Replies)
Discussion started by: gagan4599
6 Replies

7. Shell Programming and Scripting

stop unix find on a directory structure after finding 1st occurrence

Hi, Has anyone tried to restrict Solaris 10 unix find on a large directory structure based on time to stop running after finding the first occurrence of a matching query. Basically I'm trying to build up a usage map of user workspaces based on file modification (week/month/3 months/year etc) and... (3 Replies)
Discussion started by: jm0221
3 Replies

8. UNIX for Dummies Questions & Answers

how to stop to current directory using find

Hello, I just want to ask the following use of find command: 1. how can I find files only to the current directory? 2. how can I find files to directories and all subdiretories (are this include soft links?) but will not go to other mountpoints that is under that mountpoint. Im combining... (1 Reply)
Discussion started by: james_falco
1 Replies

9. Shell Programming and Scripting

writing script to clean up a directory

I have to do a directory clean up on several machines. The task is as follows: go to a particular directory (cd /xxx) 1. create a directory ' SCRIPTCLEANUP ' ( i KNOW IT) loop through 2. List the directory 3. if directory and start with 'DQA' leave it, 4. if directory or file move it to... (0 Replies)
Discussion started by: ajaya
0 Replies

10. UNIX for Dummies Questions & Answers

What files are writing to a directory

Is there a way to tell what files/scripts are writing/wrote to a given directory? (3 Replies)
Discussion started by: hattorihanzo
3 Replies

Featured Tech Videos