
Re: File permission confusion [Debian 9.1 with MATE]



Hi,

Richard Owlett
> I used "linux tutorial chmod chattr" [w/o quotes] in both DuckDuckGo and
> Google.

A general search topic would be "linux file permissions" and "chattr".

I can show you an example shell session on an ext4 filesystem.

I create a directory with a file and take away w-permissions:

  $ cd /home/thomas/test
  $ mkdir my_private_dir
  $ echo private_content >my_private_dir/my_private_file
  $ chmod a-w my_private_dir/my_private_file
  $ chmod a-w my_private_dir

Now normal users including myself cannot change the file content and cannot
rename or remove the file:

  $ echo new_content >my_private_dir/my_private_file
  bash: my_private_dir/my_private_file: Permission denied
  $ mv my_private_dir/my_private_file my_private_dir/renamed_private_file
  mv: cannot move ‘my_private_dir/my_private_file’ to ‘my_private_dir/renamed_private_file’: Permission denied
  $ rm my_private_dir/my_private_file
  rm: cannot remove ‘my_private_dir/my_private_file’: Permission denied

But the superuser can override this without needing to use chmod:

  # cd /home/thomas/test
  # echo foul >> my_private_dir/my_private_file
  # cat my_private_dir/my_private_file
  private_content
  foul
  # mv my_private_dir/my_private_file my_private_dir/renamed_private_file
  # ls -l my_private_dir
  total 4
  -r--r--r-- 1 thomas thomas 21 Jan  1 18:58 renamed_private_file

Now comes "chattr +i". Only the superuser can apply it.
After restoring the old filename and content, I do:

  # chattr +i my_private_dir/my_private_file

This keeps even the superuser from spoiling the file:

  # echo foul >> my_private_dir/my_private_file
  bash: my_private_dir/my_private_file: Permission denied
  # mv my_private_dir/my_private_file my_private_dir/renamed_private_file
  mv: cannot move ‘my_private_dir/my_private_file’ to ‘my_private_dir/renamed_private_file’: Operation not permitted

The protection does not depend on missing w-permissions of the directory:

  # chmod u+w my_private_dir
  # rm my_private_dir/my_private_file
  rm: cannot remove ‘my_private_dir/my_private_file’: Operation not permitted

or missing w-permissions of the file:

  # chmod u+w my_private_dir/my_private_file
  chmod: changing permissions of ‘my_private_dir/my_private_file’: Operation not permitted

even if the superuser temporarily allows the change and then runs "chattr +i"
again:

  # chattr -i my_private_dir/my_private_file
  # chmod u+w my_private_dir/my_private_file
  # chattr +i my_private_dir/my_private_file
  # echo foul >> my_private_dir/my_private_file
  bash: my_private_dir/my_private_file: Permission denied

----------------------------------------------------------------------

I can of course not comment on what particular GUI tools do when they
promise the user to make something "Read-only".
(... or what systemd is willing to do for its clients ....)


Have a nice day :)

Thomas


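Added example, not part of Thomas's message: a small Python probe that tells the two kinds of "cannot modify" apart programmatically. It reads the inode attribute bits that lsattr shows (the FS_IOC_GETFLAGS ioctl, which needs no privilege), then tries the same append / rename / remove-style operations as the session above and reports the errno each one raises. EACCES is the mode-bit answer that root bypasses; EPERM on rename/link/unlink is the immutable-flag answer that root gets too. Assumptions: Linux only, ioctl request numbers for a 64-bit kernel, and a constructed temp directory standing in for /home/thomas/test.

```python
"""Probe why a file cannot be modified: DAC mode bits (chmod) versus the
ext4 immutable flag (chattr +i).

Added example, not part of the mailing-list post.  Linux only; the ioctl
request number assumes a 64-bit kernel (on 32-bit it is 0x80046601).
"""
import errno
import fcntl
import os
import stat
import struct
import tempfile

FS_IOC_GETFLAGS = 0x80086601   # _IOR('f', 1, long): read inode flags, no privilege needed
FS_IMMUTABLE_FL = 0x00000010   # the bit "chattr +i" sets
FS_APPEND_FL = 0x00000020      # the bit "chattr +a" sets


def get_inode_flags(path):
    """Return the inode attribute flags (the bits lsattr shows), or None when
    the filesystem does not implement the ioctl (tmpfs, some network fs)."""
    fd = os.open(path, os.O_RDONLY)
    try:
        buf = fcntl.ioctl(fd, FS_IOC_GETFLAGS, struct.pack("l", 0))
        return struct.unpack("l", buf)[0]
    except OSError as e:
        if e.errno in (errno.ENOTTY, errno.EOPNOTSUPP, errno.EINVAL, errno.ENOSYS):
            return None
        raise
    finally:
        os.close(fd)


def is_immutable(path):
    """True/False for chattr +i, or None if the flag cannot be read here."""
    flags = get_inode_flags(path)
    return None if flags is None else bool(flags & FS_IMMUTABLE_FL)


def running_as_root():
    return os.geteuid() == 0


def _attempt(op):
    """Run op(); return None on success, otherwise the errno name (EACCES, EPERM, ...)."""
    try:
        op()
        return None
    except OSError as e:
        return errno.errorcode.get(e.errno, str(e.errno))


def probe(path):
    """Try the operations from the post (append, rename, an unlink-like link)
    and report which errno each raises for the current user.

    EACCES ("Permission denied") means the mode bits said no; root bypasses
    that.  EPERM ("Operation not permitted") is what an immutable inode gives
    for rename/link/unlink, and root gets it as well.  (For open-for-write the
    post's 4.9-era kernel answered EACCES; later kernels return EPERM there too.)
    Every change that does succeed is undone, so the file is left as found."""
    d, name = os.path.split(path)
    scratch = os.path.join(d, name + ".probe")

    def append():
        # open(O_WRONLY|O_APPEND) is the call that gets refused; nothing is written
        with open(path, "a"):
            pass

    def rename():
        os.rename(path, scratch)
        os.rename(scratch, path)

    def link():
        # a hard link needs the same directory w-bit as unlink and is refused for
        # an immutable inode exactly like unlink, without losing the data
        os.link(path, scratch)
        os.unlink(scratch)

    return {
        "mode": stat.filemode(os.stat(path).st_mode),
        "immutable": is_immutable(path),
        "append": _attempt(append),
        "rename": _attempt(rename),
        "link": _attempt(link),
    }


def demo():
    """Rebuild the post's my_private_dir/my_private_file in a temp dir
    (constructed input), take away all w-bits as the post does, and probe it.
    Permissions are restored before the temp dir is deleted."""
    with tempfile.TemporaryDirectory() as top:
        d = os.path.join(top, "my_private_dir")
        os.mkdir(d)
        f = os.path.join(d, "my_private_file")
        with open(f, "w") as fh:
            fh.write("private_content\n")
        os.chmod(f, 0o444)   # chmod a-w my_private_dir/my_private_file
        os.chmod(d, 0o555)   # chmod a-w my_private_dir
        try:
            return probe(f)
        finally:
            os.chmod(d, 0o755)
            os.chmod(f, 0o644)


if __name__ == "__main__":
    r = demo()
    print("euid %d, mode %s, immutable=%s" % (os.geteuid(), r["mode"], r["immutable"]))
    for op in ("append", "rename", "link"):
        print("  %-6s -> %s" % (op, r[op] or "allowed"))
```

Run it once as a normal user and once under sudo: the first run reports EACCES for all three operations, the second reports them as allowed, which is the chmod-only half of the session above. Pointing probe() at a file you have set "chattr +i" on (this needs root and an ext4-style filesystem, so demo() does not try it) reports immutable=True and EPERM for rename and link in both runs.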