deny deleting a file for users.. trying a solution

From: Sandra Hernandez (sandra_at_fib.upc.es)
Date: 06/02/03

    Date: Mon, 02 Jun 2003 19:50:55 +0200
    To: focus-linux@securityfocus.com


    First of all, thank you very much for all the responses..

    I'll try to summarize what I have tested..
    First of all, a brief description of the problem: I want to make the file mbox
    undeletable for users (but users can still remove, add, and modify data in the file), and this
    file is in the $HOME/nsmail directory.

    1) I've tried with chattr, but option +i or +a applied to the file presents some
    problems when a user tries to delete part of the data (in this case when they want to
    delete a mail). I've tried to apply chattr to the directory, but then the user can't
    create new mailboxes (drafts, sent, ...)

    2) Changing permissions was complicated because the directory nsmail is in
    the HOME directory of the user, so it's owned by him/herself, not root. But finally, I
    think it's a good solution, because the user can modify data in the file but can't delete
    mbox, and it isn't very complicated (because users can access via
    samba, ssh, webmail, ..). It has only one problem: if the user knows about chmod and chown,
    he/she can change permissions of the directory because it is in his/her HOME (obviously owned by
    the user), but normally they don't know about these commands.
    Well, permissions of files and directories are:

     In $HOME:

             rwxr-x--- user:user_group .
             rwxrwxr-t root:user_group nsmail
             rw-rw---- root:user_group nsmail/mbox
             rw-rw---- user:user_group nsmail/sent
             rw-rw---- user:user_group nsmail/drafts
                    ...

    Perhaps it's the best option while chattr +u is not implemented in the kernel..

    Thank you very much!

    Sandra

    PS: We are going to continue making backups every night ;o)
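The permission scheme in the post relies on one rule: unlinking a file needs write and search permission on the containing directory, and when the directory carries the sticky bit the caller must additionally own the file or the directory (or be root). The following is an added example, not code from the post or the list: it models that classic Unix rule (ignoring ACLs, capabilities and the `fs.protected_*` sysctls), parses the mode strings from the listing above, and evaluates what the account `user` in group `user_group` (names taken from the listing) can and cannot do to mbox, sent, and a new drafts mailbox.

```python
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """A directory entry as shown by `ls -l`: mode bits, owner and group."""
    name: str
    mode: int
    owner: str
    group: str


# Permission bits per class, in the order they appear in an `ls -l` mode string.
_CLASS_BITS = (
    (stat.S_IRUSR, stat.S_IWUSR, stat.S_IXUSR),
    (stat.S_IRGRP, stat.S_IWGRP, stat.S_IXGRP),
    (stat.S_IROTH, stat.S_IWOTH, stat.S_IXOTH),
)
_SPECIAL_BITS = (stat.S_ISUID, stat.S_ISGID, stat.S_ISVTX)


def parse_mode(sym: str) -> int:
    """Turn a 9-character symbolic mode such as 'rwxrwxr-t' into stat bits.
    's'/'S' in the user or group execute slot set setuid/setgid, 't'/'T' in the
    other execute slot set the sticky bit; lowercase also sets execute."""
    if len(sym) != 9:
        raise ValueError("expected 9 mode characters, got %r" % sym)
    mode = 0
    for cls, (r, w, x) in enumerate(_CLASS_BITS):
        chunk = sym[cls * 3:cls * 3 + 3]
        if chunk[0] == "r":
            mode |= r
        if chunk[1] == "w":
            mode |= w
        if chunk[2] in "xst":
            mode |= x
        if chunk[2] in "sStT":
            mode |= _SPECIAL_BITS[cls]
    return mode


def has_perm(user: str, groups: set, entry: Entry, which: str) -> bool:
    """Classic Unix check: root bypasses everything; otherwise exactly one
    class applies (owner, else group, else other), never a union of them."""
    if user == "root":
        return True
    if user == entry.owner:
        cls = 0
    elif entry.group in groups:
        cls = 1
    else:
        cls = 2
    return bool(entry.mode & _CLASS_BITS[cls]["rwx".index(which)])


def can_write(user: str, groups: set, entry: Entry) -> bool:
    return has_perm(user, groups, entry, "w")


def can_create_in(user: str, groups: set, directory: Entry) -> bool:
    """Creating a new entry (e.g. a 'drafts' mailbox) needs write+search on the dir."""
    return has_perm(user, groups, directory, "w") and has_perm(user, groups, directory, "x")


def can_unlink(user: str, groups: set, directory: Entry, target: Entry) -> bool:
    """Deleting needs write+search on the directory; with the sticky bit set the
    caller must also own the target or the directory, unless it is root."""
    if not can_create_in(user, groups, directory):
        return False
    if directory.mode & stat.S_ISVTX and user != "root":
        return user in (target.owner, directory.owner)
    return True


# The listing from the post, transcribed as entries (constructed sample data).
HOME = Entry(".", parse_mode("rwxr-x---"), "user", "user_group")
NSMAIL = Entry("nsmail", parse_mode("rwxrwxr-t"), "root", "user_group")
MBOX = Entry("mbox", parse_mode("rw-rw----"), "root", "user_group")
SENT = Entry("sent", parse_mode("rw-rw----"), "user", "user_group")


def evaluate(user: str = "user", groups=("user_group",)) -> dict:
    """What the mailbox owner can do under the scheme from the post."""
    g = set(groups)
    return {
        "write mbox": can_write(user, g, MBOX),
        "delete mbox": can_unlink(user, g, NSMAIL, MBOX),
        "delete sent": can_unlink(user, g, NSMAIL, SENT),
        "create drafts": can_create_in(user, g, NSMAIL),
    }


if __name__ == "__main__":
    for action, allowed in evaluate().items():
        print(f"{action:14s}: {'yes' if allowed else 'no'}")
```

Running it shows the property the post is after: mbox is writable (group rw) but not deletable, while sent stays deletable because the user owns it, and new mailboxes can still be created. Dropping the `t` from the nsmail mode makes `can_unlink` for mbox return true, which is the single bit the whole scheme hangs on, and a quick check to keep in a periodic audit of the home directories.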

