Re: deny deleting a file for users

From: Brian Hatch (focus-linux_at_ifokr.org)
Date: 05/31/03

    Date: Fri, 30 May 2003 16:31:03 -0700
    To: Sandra Hernandez <sandra@fib.upc.es>
    
    
    

    > I would like to know if there exists any way to deny deleting a file for a
    > user, but allow this user accessing, removing parts of this file or appending
    > text?

    > We have problems in our systems because some users delete their own
    > nsmail file without noticing what they are doing.

    chattr can be used to make a file immutable, but that prevents you from
    making any changes. Likewise you could make it openable in append mode
    only, but that prevents you from making changes to the existing bits
    of the file.

    The best thing I can come up with, without kernel mods or LKMs, would be
    to write a program that, as root, opens up in read mode all these files
    you don't want deleted, and then goes to sleep forever. It will have an
    open file descriptor, so when the user accidentally deletes the file,
    you can still get it back by copying it out of the /proc entry for the
    root "open all files" process, ala

            cp /proc/PID/fd/APPROPRIATE_FD /home/idiot/nsmail

    However this is a horrible kludge. I suggest that you take good backups
    and make them available to the users who delete their files by mistake.
    Or, let them feel the pain a few times until they stop doing it.

    --
    Brian Hatch                  Thou shalt not compose
       Systems and               limericks at a funeral.
       Security Engineer
    www.hackinglinuxexposed.com
    Every message PGP signed
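
The "open all files" holder described in the message, as an added example that is not part of the original post. It assumes Linux with /proc mounted and a holder that is allowed to read the files (root in the message); the function names and the sample mailbox are hypothetical.

```python
import os
import shutil
import tempfile


def hold_open(paths):
    """Open each file read-only; the descriptors keep the inodes alive."""
    return {p: os.open(p, os.O_RDONLY) for p in paths}


def deleted(held):
    """Held paths whose inode has lost its last directory entry."""
    # st_nlink drops to 0 only when every hard link is gone.
    return [p for p, fd in held.items() if os.fstat(fd).st_nlink == 0]


def recover(fd, dest, pid=None):
    """Copy the pinned inode out of /proc/PID/fd/FD (the cp step above)."""
    src = "/proc/%d/fd/%d" % (pid or os.getpid(), fd)
    with open(src, "rb") as s, open(dest, "wb") as d:
        shutil.copyfileobj(s, d)
    return dest


def demo():
    """Constructed scenario: a mailbox is edited, deleted, then restored."""
    workdir = tempfile.mkdtemp()
    mbox = os.path.join(workdir, "nsmail")      # constructed sample file
    with open(mbox, "w") as f:
        f.write("constructed mailbox line\n")
    held = hold_open([mbox])
    with open(mbox, "a") as f:                  # edits still work normally
        f.write("appended before deletion\n")
    os.unlink(mbox)                             # the accidental delete
    gone = deleted(held)
    with open(recover(held[mbox], mbox + ".recovered")) as f:
        text = f.read()
    for fd in held.values():
        os.close(fd)
    shutil.rmtree(workdir)
    return gone, text


if __name__ == "__main__":
    print(demo())
```

The descriptor pins the inode, not the path: if a program replaces the file by writing a new one and renaming it into place, the holder keeps the old inode and has to reopen the path. The copy is only possible while the holder process is still running.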
    
    


