Re: deny deleting a file for users

From: Brian Hatch (focus-linux_at_ifokr.org)
Date: 05/31/03

  • Next message: Scott Gifford: "Re: Linux firewall/IDS/NAT suggestions"
    Date: Fri, 30 May 2003 16:31:03 -0700
    To: Sandra Hernandez <sandra@fib.upc.es>

    > I would like to know if there exists any way to deny deleting a file for a
    > user, but allow this user to access it, remove parts of this file or append
    > text?

    > We have problems in our systems because some users delete their own
    > nsmail file without noticing what they are doing.

    chattr can be used to make a file immutable, but that prevents you from
    making any changes. Likewise you could make it openable in append mode
    only, but that prevents you from making changes to the existing bits
    of the file.

    The best thing I can come up with, without kernel mods or LKMs, would be
    to write a program that, as root, opens up in read mode all these files
    you don't want deleted, and then goes to sleep forever. It will have an
    open file descriptor, so when the user accidentally deletes the file,
    you can still get it back by copying it out of the /proc entry for the
    root "open all files" process, a la

            cp /proc/PID/fd/APPROPRIATE_FD /home/idiot/nsmail

    However, this is a horrible kludge. I suggest that you take good backups
    and make them available to the users who delete their files by mistake.
    Or, let them feel the pain a few times until they stop doing it.

    --
    Brian Hatch                  Thou shalt not compose
       Systems and               limericks at a funeral.
       Security Engineer
    www.hackinglinuxexposed.com
    Every message PGP signed
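
The "hold it open, then copy it back out of /proc" trick described in the reply above, as an added runnable example that is not part of the original post. It assumes a Linux system with /proc mounted; the holder process is a plain `sleep` with the file attached to descriptor 3, and the file name and mail-like contents are constructed for the demonstration. The `chattr +i` / `chattr +a` alternatives mentioned in the post need root and are not exercised here.

```shell
#!/bin/sh
# Added example (not from the original post): keep a file open from a
# long-lived process so its inode survives an accidental rm, then recover
# the data through the holder's /proc/PID/fd entry.
# Assumption: Linux with /proc; paths and contents below are constructed.

# Start a background holder that keeps fd 3 open read-only on "$1" and
# sleeps. stdout/stderr are detached so command substitution does not block.
# Prints the holder's PID.
hold_open() {
    sleep 600 3<"$1" >/dev/null 2>&1 &
    echo $!
}

# Copy the still-open inode out of /proc/PID/fd/FD to "$3".
# Works even after the original path has been unlinked, because the
# /proc symlink resolves to the open file itself, not to the name.
recover_from_proc() {
    cp "/proc/$1/fd/$2" "$3"
}

# End-to-end demonstration; returns 0 when the deleted file is recovered
# with its original contents, non-zero otherwise.
demo() {
    dir=$(mktemp -d) || return 1
    f="$dir/nsmail"
    # Constructed sample mailbox content.
    printf 'From alice@example.org\nSubject: test\n\nhello\n' > "$f"

    pid=$(hold_open "$f")

    # The "accidental" delete: the name is gone, the inode is not.
    rm "$f"
    if [ -e "$f" ]; then kill "$pid"; rm -rf "$dir"; return 1; fi

    # Recovery via the holder's open descriptor (fd 3 from hold_open).
    recover_from_proc "$pid" 3 "$f"
    kill "$pid" 2>/dev/null

    grep -q '^Subject: test$' "$f"
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

Running `demo` from an interactive shell shows the file reappearing with its full contents after `rm`; note that the recovered copy reflects the inode at recovery time, so anything the user truncated or rewrote before the delete is gone just the same, which is why the post recommends real backups instead.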