Now in this article I will show you steps to prevent or restrict access of root user to access certain files or directories. Now by default root is the super user who has access to all the files and directories available on the Linux node but it is also possible to restrict even a root user from accessing and modifying the content of a file or directory.

You can restrict root user from accessing and modifying a file or directory using extended file attributes. We will be dealing with chattr and lsattr to achieve this in our demonstration.
Now chattr - change file attributes on a Linux file system,
supports multiple options but we will be concentrating only on the
options which can help restrict root user access on certain files and
directories.

To get the complete list of options supported with chattr you can view the man page of chattr using below command

# man chattr

We will work with two attributes
a:

  • Append text to a file
  • Can’t overwrite

i:

  • Makes a file immutable
  • Can’t be deleted or changed in any way

Create a secret file and directory

Now
before we start we must have a top secret file which needs protection
from root user. I have created a secret_file with below text

[root@node1 ~]# cat /tmp/deepak/secret_file

This is a secret file

Check the assigned attributes

By default when we create a file or directory, it does not has any extended attributes other than “e” which means extent format i.e. these files support extended attributes

[root@node1 ~]# lsattr /tmp/

-------------e-- /tmp/tracker-extract-files.0

-------------e-- /tmp/yum_save_tx.2019-03-22.22-16.7ocUW8.yumtx

-------------e-- /tmp/systemd-private-1ad03926d17f4de68a8fdfdd0449c980-chronyd.service-FhlC0B

-------------e-- /tmp/systemd-private-1ad03926d17f4de68a8fdfdd0449c980-bolt.service-2Oomt7

-------------e-- /tmp/systemd-private-1ad03926d17f4de68a8fdfdd0449c980-rtkit-daemon.service-TEwKlB

-------------e-- /tmp/deepak

-------------e-- /tmp/systemd-private-1ad03926d17f4de68a8fdfdd0449c980-colord.service-cUfgTm

-------------e-- /tmp/yum_save_tx.2019-03-22.22-16.ZCjaVi.yumtx

-------------e-- /tmp/systemd-private-1ad03926d17f4de68a8fdfdd0449c980-cups.service-5yacYU

Restrict access and allow only to append content

Now we will use “+a” to allow root user to append some data to our secret file but root won’t be allowed to overwrite the file.

[root@node1 ~]# chattr +a /tmp/deepak/secret_file

Check the assigned attributes and as you see now we have “a” also assigned to our secret_file

[root@node1 ~]# lsattr /tmp/deepak/

-----a-------e-- /tmp/deepak/secret_file

Next try to append some data to this file

[root@node1 ~]# echo "I am appending some more content" >> /tmp/deepak/secret_file

Looks like it worked as expected, verify the same

[root@node1 ~]# cat /tmp/deepak/secret_file

This is a secret file

I am appending some more content

So, as you see now our secret file has some more content.

Let us try to overwrite the data

[root@node1 ~]# echo "I am trying to overwrite the content" > /tmp/deepak/secret_file

-bash: /tmp/deepak/secret_file: Operation not permitted

As expected the extended attributes didn’t allowed me to overwrite the data.

Make the file immutable (restrict all activity)

Now let us make the file immutable so no change at all can be made to this file.

[root@node1 ~]# chattr +i /tmp/deepak/secret_file

Check the applied attributes

[root@node1 ~]# lsattr /tmp/deepak/secret_file

----ia-------e-- /tmp/deepak/secret_file

As you see both “a” and “i” are applied to our secret file but since “i” serves our purpose we do not need “a” here so we will remove the “a” attribute

[root@node1 ~]# chattr -a /tmp/deepak/secret_file

Next verify the applied attributes again

[root@node1 ~]# lsattr /tmp/deepak/secret_file

----i--------e-- /tmp/deepak/secret_file

Next I will try to overwrite the data of this file and will also attempt to remove this file

[root@node1 ~]# echo "I am trying to overwrite the content" > /tmp/deepak/secret_file

-bash: /tmp/deepak/secret_file: Permission denied

[root@node1 ~]# rm -f /tmp/deepak/secret_file

rm: cannot remove ‘/tmp/deepak/secret_file’: Operation not permitted

But as you see due to the extended attributes the system does not allows root user to perform any activity on this file.

Instead of file you can also apply these attributes at directory level to protect all the files under the respective directory.

Remove extended attributes

To remove an extended attributes as I also showed in above step use minus sign along with the option

# chattr -a <file/directory>

# chattr -i <file/directory>

Lastly I hope the steps from the article to prevent or restrict root user access on files and directories on Linux was helpful. So, let me know your suggestions and feedback using the comment section.

https://www.golinuxcloud.com/restrict-root-directory-extended-attributes/

How to restrict root user to access or modify a file and directory in Linux的更多相关文章

  1. linux下编译安装MariaDB 10.4.7,解决错误:cannot access ‘/auth_pam_tool_dir’: No such file or directory

    编译安装MariaDB 10.4.7,前面的步骤我就不复述了,一切正常没什么问题. 当执行到:scripts/mysql_install_db --basedir=/usr/local/mysql - ...

  2. python文件和文件夹訪问File and Directory Access

    http://blog.csdn.net/pipisorry/article/details/47907589 os.path - Common pathname manipulations 都是和路 ...

  3. 命令stat anaconda-ks.cfg会显示出文件的三种时间状态(已加粗):Access、Modify、Change。这三种时间的区别将在下面的touch命令中详细详解:

    7.stat命令 stat命令用于查看文件的具体存储信息和时间等信息,格式为"stat 文件名称". stat命令可以用于查看文件的存储信息和时间等信息,命令stat anacon ...

  4. hadoop 异常 ls: Cannot access .: No such file or directory.

    bin/hadoop dfs -lsls: Cannot access .: No such file or directory. bin/hadoop dfs -ls /用这个命令代替试试 原因是格 ...

  5. [转] stat命令输出结果中, Access,Modify,Change的含义

    先建立一个空白文件a.txt 1 [emduser@emd tmp]$ touch a.txt 2   3 [emduser@emd tmp]$ ls -al a.txt 4   5 -rw-rw-r ...

  6. 初次启动hive,解决 ls: cannot access /home/hadoop/spark-2.2.0-bin-hadoop2.6/lib/spark-assembly-*.jar: No such file or directory问题

    >>提君博客原创  http://www.cnblogs.com/tijun/  << 刚刚安装好hive,进行第一次启动 提君博客原创 [hadoop@ltt1 bin]$ ...

  7. /dev/root: No such file or directory

    /*************************************************************************** * /dev/root: No such fi ...

  8. qemu 出现Could not access KVM kernel module: No such file or directory failed to initialize KVM: No such file or directory

    使用qemu命令 qemu-system-x86_64 -hda image/ubuntu-test.img -cdrom ubuntu-16.04.2-server-amd64.iso -m 102 ...

  9. 使用PuTTY软件远程登录root被拒:access denied

    PuTTY是一个Telnet.SSH.rlogin.纯TCP以及串行接口连接软件. 使用PuTTY软件远程登录root时,提示:ACCESS DENIED,很有可能是由sshd的默认配置造成的. 可以 ...

随机推荐

  1. 深度卷积网络-Inception系列

    目录 1. Inception V1 1.1 Inception module 2. Inception V2 3. Inception V3 4. Inception V4, Inception-R ...

  2. 洛谷P1074 靶形数独(跳舞链)

    传送门 坑着,等联赛之后再填(联赛挂了就不填了233) //minamoto #include<iostream> #include<cstdio> #include<c ...

  3. 解决Idea项目启动报错:程序包javax.servlet.http不存在

    报错信息 在没有使用maven的时候,web项目从远程仓库获取下以后,起一次启动往往会报错javax.servlet.http程序包找不到,随之而来的java基础包都将不能使用,报错信息如下: 解决方 ...

  4. Spark系列视频

    大数据生态圈很大,很多开发者都仅仅接触到某个单一产品. Spark 是近年来比较流行的大数据计算框架,系统.平台要想用好Spark 这个产品,需要用到很多的产品. 本视频系列主要是为准备入坑大数据的童 ...

  5. HttpClient 应用案例揭破应用Discuss论坛登录

    闲来无事,写了一个对discuss论坛登录的案例,初次上场按照以前的惯例没成功,见过抓包分析discuss论坛成功完成,废话不多说 直接上代码. 1:winform 做客户端,添加HttpClient ...

  6. spingmvc实现在程序启动时调用数据库数据

    直接上代码: package com.java.zxf.servlet; import java.text.ParseException; import java.text.SimpleDateFor ...

  7. C++文件操作方法小结

    - 获取文件句柄 - fopen, fclose fopen(filename, opentype): 按照opentype的方式打开指定文件,打开失败返回NULL,否则返回文件句柄. 打开类型的属性 ...

  8. D. Array Division

    http://codeforces.com/contest/808/problem/D 一开始是没什么想法的,然后回顾下自己想题的思路,慢慢就想出来了.首先要找到是否有这样的一个位置使得: 前缀和 = ...

  9. 看懂物联网fr

        看懂物联网 2015-10-11 物联网世界 1.第三次IT浪潮 互联网时代的特征是信息驱动了生产力,无论众包.订单式生产这些理论:还是B2C.O2O各类业务模式:归根结底,是信息优化了生产关 ...

  10. 点权生成树(gentree)

    点权生成树(gentree) 题目背景 Awson是某国际学校信竞组的一只菜鸡.终于弄明白边权最小生成树后,然而又被大神嘲笑了.大神深邃的眼光中透露了些睿智,说道:“你会求点权最小生成树么?”Awso ...