Restrict file access to append only

I have a directory with log files and I’m putting
logs from scripts launched by users into them. Logging with syslog doesn’t seem
possible in this case (non-daemon rsync).

I want the users to have only write permissions on the log files.
The problem is that write permissions must be further restricted, so that
users (scripts) can only append to those files.
The underlying filesystem is XFS.

The following doesn’t work:

# chattr +a test.log
chattr: Inappropriate ioctl for device while reading flags on test.log

Is there any other solution for this? Thank you for your hints.

Answers:


Method 1

The chattr utility is written for ext2/ext3/ext4 filesystems. It emits ioctls on the files, so it’s up to the underlying filesystem to decide what to do with them. The XFS driver in newer Linux kernels supports the same FS_IOC_SETFLAGS ioctl as ext[234] to control flags such as append-only, but you may be running an older kernel where it doesn’t (CentOS?). Try using the xfs_io utility instead:

echo chattr +a | xfs_io test.log

Note that, for XFS like for ext[234], only root can change the append-only flag (more precisely, you need the CAP_LINUX_IMMUTABLE capability).

Method 2

Do you have permissions to do that? From man 1 chattr:

A file with the ‘a’ attribute set can only be opened in append mode for writing. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
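Added example, not part of any of the answers above: a Python script that issues the same FS_IOC_GETFLAGS / FS_IOC_SETFLAGS ioctls that chattr and xfs_io use, so the three outcomes discussed in Methods 1 and 2 can be told apart on the log directory itself: the filesystem does not implement the ioctl (ENOTTY, the "Inappropriate ioctl for device" error in the question), the flag is supported but the caller lacks CAP_LINUX_IMMUTABLE (EPERM), or the flag is set and the kernel refuses truncation. The request numbers are the 64-bit encodings of the constants in <linux/fs.h>; the scratch directory and the alice/bob log files are constructed for the demo.

```python
"""Inspect and verify the append-only inode flag on log files through the
FS_IOC_GETFLAGS / FS_IOC_SETFLAGS ioctls that chattr(1) and xfs_io(8) issue.
Added example; constants come from <linux/fs.h>, sample files are constructed."""
import array
import errno
import fcntl
import os
import tempfile

# _IOR('f', 1, long) and _IOW('f', 2, long) with an 8-byte long, i.e. the
# request numbers on x86_64 / aarch64.  32-bit ABIs encode a 4-byte argument.
FS_IOC_GETFLAGS = 0x80086601
FS_IOC_SETFLAGS = 0x40086602
FS_APPEND_FL = 0x00000020      # the 'a' attribute that lsattr shows

# errno values a filesystem returns when it does not implement the flag ioctls
# (ENOTTY is the "Inappropriate ioctl for device" from the question).
_UNSUPPORTED = (errno.ENOTTY, errno.ENOSYS, errno.EOPNOTSUPP, errno.EINVAL)


def get_inode_flags(path):
    """Return the raw flag word, or None when the filesystem does not support
    FS_IOC_GETFLAGS at all (the situation that makes chattr fail)."""
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    try:
        buf = array.array("l", [0])
        fcntl.ioctl(fd, FS_IOC_GETFLAGS, buf, True)
        return buf[0]
    except OSError as exc:
        if exc.errno in _UNSUPPORTED:
            return None
        raise
    finally:
        os.close(fd)


def is_append_only(path):
    """True/False when the flag can be read, None when it cannot."""
    flags = get_inode_flags(path)
    return None if flags is None else bool(flags & FS_APPEND_FL)


def set_append_only(path, enable=True):
    """Same effect as 'chattr +a' / 'chattr -a'.  Returns True on success,
    False when the filesystem lacks the ioctl or the caller has no
    CAP_LINUX_IMMUTABLE (EPERM), which is what Method 2 warns about."""
    flags = get_inode_flags(path)
    if flags is None:
        return False
    new_flags = flags | FS_APPEND_FL if enable else flags & ~FS_APPEND_FL
    fd = os.open(path, os.O_RDONLY | os.O_NONBLOCK)
    try:
        fcntl.ioctl(fd, FS_IOC_SETFLAGS, array.array("l", [new_flags]), True)
        return True
    except PermissionError:
        return False
    finally:
        os.close(fd)


def truncation_refused(path):
    """Behavioural check that does not depend on the flag API: an append-only
    inode lets O_WRONLY|O_APPEND through but rejects O_TRUNC with EPERM.
    On an unprotected file the open succeeds and the file is truncated."""
    try:
        fd = os.open(path, os.O_WRONLY | os.O_TRUNC)
    except PermissionError:
        return True
    os.close(fd)
    return False


def audit_log_dir(directory):
    """Map each regular file in the directory to its append-only status so an
    operator can spot log files that users could still truncate or rewrite."""
    report = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path) and not os.path.islink(path):
            report[path] = is_append_only(path)
    return report


def make_sample_log_dir():
    """Constructed fixture: a scratch directory with two small log files."""
    directory = tempfile.mkdtemp(prefix="rsync-logs-")
    paths = []
    for user in ("alice", "bob"):
        path = os.path.join(directory, f"{user}.log")
        with open(path, "w") as fh:
            fh.write("constructed log line\n")
        paths.append(path)
    return directory, paths


if __name__ == "__main__":
    log_dir, _ = make_sample_log_dir()
    labels = {True: "append-only", False: "NOT protected", None: "flag ioctl unsupported"}
    for log_path, status in audit_log_dir(log_dir).items():
        print(f"{log_path}: {labels[status]}")
```

Run it as an unprivileged user and audit_log_dir reports False (flag readable, not set) or None (filesystem refuses the ioctl, the XFS-on-old-kernel case); set_append_only on a real log file returns False until it is run with CAP_LINUX_IMMUTABLE, after which truncation_refused turns True while appends still succeed.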

Method 3

Alternatively, you can achieve the same using SELinux; chances are it’s enabled and running if you are using a Red Hat compatible distro. This works on every filesystem: SELinux blocks processes from performing disallowed operations.

Unfortunately, you need to write a policy for your application to allow accessing all system resources, except appending to particular file(s). This can be a bit challenging if you do it for the first time, but there is an advantage to this – an added layer of security.

I have an example of how to write an append-only file rule in this talk: https://www.youtube.com/watch?v=zQcYXJkwTns


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
