Now in this article I will show you steps to prevent or restrict access of root user to access certain files or directories. Now by default root is the super user who has access to all the files and directories available on the Linux node but it is also possible to restrict even a root user from accessing and modifying the content of a file or directory.

You can restrict root user from accessing and modifying a file or directory using extended file attributes. We will be dealing with chattr and lsattr to achieve this in our demonstration.
Now chattr - change file attributes on a Linux file system,
supports multiple options but we will be concentrating only on the
options which can help restrict root user access on certain files and
directories.

To get the complete list of options supported with chattr you can view the man page of chattr using below command

# man chattr

We will work with two attributes
a:

  • Append text to a file
  • Can’t overwrite

i:

  • Makes a file immutable
  • Can’t be deleted or changed in any way

Create a secret file and directory

Now
before we start we must have a top secret file which needs protection
from root user. I have created a secret_file with below text

[root@node1 ~]# cat /tmp/deepak/secret_file

This is a secret file

Check the assigned attributes

By default when we create a file or directory, it does not has any extended attributes other than “e” which means extent format i.e. these files support extended attributes

[root@node1 ~]# lsattr /tmp/

-------------e-- /tmp/tracker-extract-files.0

-------------e-- /tmp/yum_save_tx.2019-03-22.22-16.7ocUW8.yumtx

-------------e-- /tmp/systemd-private-1ad03926d17f4de68a8fdfdd0449c980-chronyd.service-FhlC0B

-------------e-- /tmp/systemd-private-1ad03926d17f4de68a8fdfdd0449c980-bolt.service-2Oomt7

-------------e-- /tmp/systemd-private-1ad03926d17f4de68a8fdfdd0449c980-rtkit-daemon.service-TEwKlB

-------------e-- /tmp/deepak

-------------e-- /tmp/systemd-private-1ad03926d17f4de68a8fdfdd0449c980-colord.service-cUfgTm

-------------e-- /tmp/yum_save_tx.2019-03-22.22-16.ZCjaVi.yumtx

-------------e-- /tmp/systemd-private-1ad03926d17f4de68a8fdfdd0449c980-cups.service-5yacYU

Restrict access and allow only to append content

Now we will use “+a” to allow root user to append some data to our secret file but root won’t be allowed to overwrite the file.

[root@node1 ~]# chattr +a /tmp/deepak/secret_file

Check the assigned attributes and as you see now we have “a” also assigned to our secret_file

[root@node1 ~]# lsattr /tmp/deepak/

-----a-------e-- /tmp/deepak/secret_file

Next try to append some data to this file

[root@node1 ~]# echo "I am appending some more content" >> /tmp/deepak/secret_file

Looks like it worked as expected, verify the same

[root@node1 ~]# cat /tmp/deepak/secret_file

This is a secret file

I am appending some more content

So, as you see now our secret file has some more content.

Let us try to overwrite the data

[root@node1 ~]# echo "I am trying to overwrite the content" > /tmp/deepak/secret_file

-bash: /tmp/deepak/secret_file: Operation not permitted

As expected the extended attributes didn’t allowed me to overwrite the data.

Make the file immutable (restrict all activity)

Now let us make the file immutable so no change at all can be made to this file.

[root@node1 ~]# chattr +i /tmp/deepak/secret_file

Check the applied attributes

[root@node1 ~]# lsattr /tmp/deepak/secret_file

----ia-------e-- /tmp/deepak/secret_file

As you see both “a” and “i” are applied to our secret file but since “i” serves our purpose we do not need “a” here so we will remove the “a” attribute

[root@node1 ~]# chattr -a /tmp/deepak/secret_file

Next verify the applied attributes again

[root@node1 ~]# lsattr /tmp/deepak/secret_file

----i--------e-- /tmp/deepak/secret_file

Next I will try to overwrite the data of this file and will also attempt to remove this file

[root@node1 ~]# echo "I am trying to overwrite the content" > /tmp/deepak/secret_file

-bash: /tmp/deepak/secret_file: Permission denied

[root@node1 ~]# rm -f /tmp/deepak/secret_file

rm: cannot remove ‘/tmp/deepak/secret_file’: Operation not permitted

But as you see due to the extended attributes the system does not allows root user to perform any activity on this file.

Instead of file you can also apply these attributes at directory level to protect all the files under the respective directory.

Remove extended attributes

To remove an extended attributes as I also showed in above step use minus sign along with the option

# chattr -a <file/directory>

# chattr -i <file/directory>

Lastly I hope the steps from the article to prevent or restrict root user access on files and directories on Linux was helpful. So, let me know your suggestions and feedback using the comment section.

https://www.golinuxcloud.com/restrict-root-directory-extended-attributes/

How to restrict root user to access or modify a file and directory in Linux的更多相关文章

  1. linux下编译安装MariaDB 10.4.7,解决错误:cannot access ‘/auth_pam_tool_dir’: No such file or directory

    编译安装MariaDB 10.4.7,前面的步骤我就不复述了,一切正常没什么问题. 当执行到:scripts/mysql_install_db --basedir=/usr/local/mysql - ...

  2. python文件和文件夹訪问File and Directory Access

    http://blog.csdn.net/pipisorry/article/details/47907589 os.path - Common pathname manipulations 都是和路 ...

  3. 命令stat anaconda-ks.cfg会显示出文件的三种时间状态(已加粗):Access、Modify、Change。这三种时间的区别将在下面的touch命令中详细详解:

    7.stat命令 stat命令用于查看文件的具体存储信息和时间等信息,格式为"stat 文件名称". stat命令可以用于查看文件的存储信息和时间等信息,命令stat anacon ...

  4. hadoop 异常 ls: Cannot access .: No such file or directory.

    bin/hadoop dfs -lsls: Cannot access .: No such file or directory. bin/hadoop dfs -ls /用这个命令代替试试 原因是格 ...

  5. [转] stat命令输出结果中, Access,Modify,Change的含义

    先建立一个空白文件a.txt 1 [emduser@emd tmp]$ touch a.txt 2   3 [emduser@emd tmp]$ ls -al a.txt 4   5 -rw-rw-r ...

  6. 初次启动hive,解决 ls: cannot access /home/hadoop/spark-2.2.0-bin-hadoop2.6/lib/spark-assembly-*.jar: No such file or directory问题

    >>提君博客原创  http://www.cnblogs.com/tijun/  << 刚刚安装好hive,进行第一次启动 提君博客原创 [hadoop@ltt1 bin]$ ...

  7. /dev/root: No such file or directory

    /*************************************************************************** * /dev/root: No such fi ...

  8. qemu 出现Could not access KVM kernel module: No such file or directory failed to initialize KVM: No such file or directory

    使用qemu命令 qemu-system-x86_64 -hda image/ubuntu-test.img -cdrom ubuntu-16.04.2-server-amd64.iso -m 102 ...

  9. 使用PuTTY软件远程登录root被拒:access denied

    PuTTY是一个Telnet.SSH.rlogin.纯TCP以及串行接口连接软件. 使用PuTTY软件远程登录root时,提示:ACCESS DENIED,很有可能是由sshd的默认配置造成的. 可以 ...

随机推荐

  1. 数据库路由中间件MyCat - 源代码篇(17)

    此文已由作者张镐薪授权网易云社区发布. 欢迎访问网易云社区,了解更多网易技术产品运营经验. 调用processInsert(sc,schema,sqlType,origSQL,tableName,pr ...

  2. 我也来Show一下我的VisualStudio2017

    1.首先,在微软官方网站下载VS2017的安装程序,后续的安装将通过这个安装程序来引导.这里有三个版本可供选择:社区版.专业版和企业版,社区版免费,专业版和企业版可以免费体验,之后收费,当然,在中国盗 ...

  3. ue4 tags 与 cast

    父类设置tags,子类默认自动添加这个tags 子类可以强行删除父类的tags,这时如果把子类cast为父类,一样找不到这个tags 综上,要找到一个actor的tags,那么这个actor上就一定要 ...

  4. Android Studio如何导出可供Unity使用的aar插件详解

    http://www.cnblogs.com/xtqqkss/p/6387271.html 前言 项目之前使用Eclipse导出的jar文件来做与Android交互,最近因为工作需要需使用Androi ...

  5. 2014-11-2 NOIP模拟赛1

    Noip2009 团结模拟赛如题目理解困难,请自行阅读或参考样例.内存限制均为 256MB,时间限制均为 1s.出题人不会 故意 在题目中设置陷阱,但请自己注意程序的正确性.IO 文件名(.in/.o ...

  6. 在Mybatis中处理sql中的大于号小于号

    因为xml格式中,不能随便出现"<".“>”等符号,所以在sql中这一类的符号要进行特殊处理 第一种方法:使用转义字符替换特殊的符号 例如 SELECT * FROM ...

  7. 剑指Offer的学习笔记(C#篇)-- 整数中1出现的次数(从1到n整数中1出现的次数)

    题目描述 求出1~13的整数中1出现的次数,并算出100~1300的整数中1出现的次数?为此他特别数了一下1~13中包含1的数字有1.10.11.12.13因此共出现6次,但是对于后面问题他就没辙了. ...

  8. java.exe is valid, but is for a machine type other than the current machine

    java.exe is valid, but is for a machine type other than the current machine jdk版本不一致问题,在32位机器上使用64位的 ...

  9. 在线获取键盘按键值(ascii码)工具

    在线获取键盘按键值(ascii码)工具 http://www.bejson.com/othertools/keycodes/ 可以根据输入的值获取对应的键盘ascii码值

  10. GYM 101933K(二项式反演、排列组合)

    方法一 设\(f_i\)为最多使用\(i\)种颜色的涂色方案,\(g_i\)为恰好只使用\(i\)种颜色的涂色方案.可知此题答案为\(g_k\). 根据排列组合的知识不难得到\(f_k = \sum_ ...