While logged in, I can do the following:
mkdir foo
touch foo/bar
chmod 400 foo/bar
chmod 500 foo
Then I can open vim (not as root), edit bar, force a write with w!, and the file is modified.
How can I make the operating system disallow any file modification?
UPDATE Mar 02 2017
- chmod 500 foo is a red herring: the write permission on a directory has nothing to do with the ability to modify a file’s contents, only the ability to create and delete files.
- chmod 400 foo/bar does in fact prevent the file’s contents from being changed. But it does not prevent a file’s permissions from being changed: a file’s owner can always change his file’s permissions (assuming they can access the file, i.e. execute permission on all ancestor directories). In fact, strace(1) reveals that this is what vim (7.4.576 Debian Jessie) is doing: vim calls chmod(2) to temporarily add the write permission for the file’s owner, modifies the file, and then calls chmod(2) again to remove the write permission. That is why using chattr +i works: only root can call chattr -i. Theoretically, vim (or any program) could do the same thing with chattr as it does with chmod on an immutable file if run as root.
Answers:
Method 1
You can set the “immutable” attribute with most filesystems in Linux.
chattr +i foo/bar
To remove the immutable attribute, you use - instead of +:
chattr -i foo/bar
To see the current attributes for a file, you can use lsattr:
lsattr foo/bar
The chattr(1) manpage provides a description of all the available attributes. Here is the description for i:
A file with the `i' attribute cannot be modified: it cannot be deleted or renamed, no link can be created to this file and no data can be written to the file. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
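The following is an added, constructed demonstration (not from the original question or any of the answers) of the two findings in the UPDATE and of why Method 1 works: it builds the question's foo/bar in a scratch directory from mktemp, shows that the owner can still get new contents into a mode-400 file with the same chmod u+w / write / chmod u-w sequence that strace shows vim performing on :w!, and, only when run as root on an attribute-capable filesystem, shows that chattr +i makes that chmod fail. The helper names (make_locked_tree, plain_write_works, owner_can_rewrite, cleanup_tree, demo) are assumptions of this example.

```shell
#!/bin/sh
# Constructed demo: the 500 directory mode is irrelevant, chmod 400 is undone by
# the owner's own chmod (the u+w / write / u-w sequence strace shows vim doing on
# :w!), and chattr +i is what blocks that sequence. chattr needs root and an
# attribute-capable filesystem (ext4, xfs), so it is only attempted as root.

# Create $1/foo/bar with the permissions from the question (file 400, dir 500).
make_locked_tree() {
    mkdir -p "$1/foo" || return 1
    printf 'original\n' > "$1/foo/bar" || return 1
    chmod 400 "$1/foo/bar" && chmod 500 "$1/foo"
}

# 0 if a plain redirect can overwrite $1 (it can for root: CAP_DAC_OVERRIDE).
plain_write_works() {
    printf 'edited\n' > "$1" 2>/dev/null
}

# The owner-chmod sequence; 0 if the new contents landed in $1.
owner_can_rewrite() {
    chmod u+w "$1" 2>/dev/null || return 1
    if printf 'edited\n' > "$1" 2>/dev/null; then chmod u-w "$1"; return 0; fi
    chmod u-w "$1"; return 1
}

# Clear immutability (no-op unless root set it), restore dir mode, remove tree.
cleanup_tree() {
    chattr -i "$1/foo/bar" 2>/dev/null || true
    chmod 700 "$1/foo" && rm -rf "$1"
}

demo() {
    work=$(mktemp -d) || return 1
    make_locked_tree "$work" || return 1
    f=$work/foo/bar
    if plain_write_works "$f"; then echo "plain write: allowed (root bypasses mode bits)"
    else echo "plain write: denied by mode 400"; fi
    owner_can_rewrite "$f" && echo "u+w/write/u-w: contents changed despite 400 file, 500 dir"
    if [ "$(id -u)" -eq 0 ] && chattr +i "$f" 2>/dev/null; then
        if owner_can_rewrite "$f"; then echo "immutable: still writable (unexpected)"
        else echo "immutable: chmod fails with EPERM, so the sequence is blocked"; fi
    else
        echo "immutable: skipped (needs root and an attribute-capable filesystem)"
    fi
    cleanup_tree "$work"
}

demo
```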
Method 2
You can:
- Change the file owner to root or a dummy newly created user.
- Keep the correct group.
- Use chmod 440 to allow reading by group (which is you).
If the correct user is not the only one in this group, you should create a new group and add only him in it, and use this group for it. However, you are not the owner of the file, therefore your vi cannot change the file owner.
Method 3
To make an entire directory tree read-only:
cd <directory>
find ./ -print0 | sudo xargs -I {} -0 chattr +i {}
To make it readable again, change +i to -i.
All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under cc by-sa 2.5, cc by-sa 3.0 and cc by-sa 4.0.