Re: File permission confusion [Debian 9.1 with MATE]
Hi,
Richard Owlett
> I used "linux tutorial chmod chattr" [w/o quotes] in both DuckDuckGo and
> Google.
A general search topic would be "linux file permissions" and "chattr".
I can show you an example shell session on an ext4 filesystem.
I create a directory with a file and take away w-permissions:
$ cd /home/thomas/test
$ mkdir my_private_dir
$ echo private_content >my_private_dir/my_private_file
$ chmod a-w my_private_dir/my_private_file
$ chmod a-w my_private_dir
Now normal users including myself cannot change the file content and cannot
rename or remove the file:
$ echo new_content >my_private_dir/my_private_file
bash: my_private_dir/my_private_file: Permission denied
$ mv my_private_dir/my_private_file my_private_dir/renamed_private_file
mv: cannot move ‘my_private_dir/my_private_file’ to ‘my_private_dir/renamed_private_file’: Permission denied
$ rm my_private_dir/my_private_file
rm: cannot remove ‘my_private_dir/my_private_file’: Permission denied
But the superuser can override this without needing to use chmod
# cd /home/thomas/test
# echo foul >> my_private_dir/my_private_file
# cat my_private_dir/my_private_file
private_content
foul
# mv my_private_dir/my_private_file my_private_dir/renamed_private_file
# ls -l my_private_dir
total 4
-r--r--r-- 1 thomas thomas 21 Jan 1 18:58 renamed_private_file
Now comes "chattr +i". Only the superuser can apply it.
After restoring the old filename and content, I do:
# chattr +i my_private_dir/my_private_file
This keeps even the superuser from spoiling the file
# echo foul >> my_private_dir/my_private_file
bash: my_private_dir/my_private_file: Permission denied
# mv my_private_dir/my_private_file my_private_dir/renamed_private_file
mv: cannot move ‘my_private_dir/my_private_file’ to ‘my_private_dir/renamed_private_file’: Operation not permitted
The protection does not depend on missing w-permissions of the directory:
# chmod u+w my_private_dir
# rm my_private_dir/my_private_file
rm: cannot remove ‘my_private_dir/my_private_file’: Operation not permitted
or missing w-permissions of the file:
# chmod u+w my_private_dir/my_private_file
chmod: changing permissions of ‘my_private_dir/my_private_file’: Operation not permitted
even if the superuser temporarily allows the change and then runs "chattr +i"
again:
# chattr -i my_private_dir/my_private_file
# chmod u+w my_private_dir/my_private_file
# chattr +i my_private_dir/my_private_file
# echo foul >> my_private_dir/my_private_file
bash: my_private_dir/my_private_file: Permission denied
----------------------------------------------------------------------
I can of course not comment on what particular GUI tools do when they
promise the user to make something "Read-only".
(... or what systemd is willing to do for its clients ....)
Have a nice day :)
Thomas
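
Added example, not part of the message above: shell functions that report, for one file, the three layers the session walks through (w-bits of the file, w-bits of its directory, and the "chattr +i" attribute). The function names are made up for this example; the mode is read from "ls -ld", and the attribute check assumes lsattr from e2fsprogs is installed and the filesystem supports it.

```sh
# Added example; function names are hypothetical, not from the post.

# mode_has_w PATH: succeeds if any u/g/o write bit is set in the mode.
mode_has_w() {
    mode=$(ls -ld -- "$1" | awk '{print $1}')
    case "$mode" in
        *w*) return 0 ;;
        *)   return 1 ;;
    esac
}

# flags_have_i LINE: succeeds if the flag field of one lsattr output
# line contains 'i' (immutable). 'I' (indexed directory) does not match.
flags_have_i() {
    flags=${1%% *}
    case "$flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# immutable_state PATH: prints yes, no, or unknown.
immutable_state() {
    line=$(lsattr -d -- "$1" 2>/dev/null) || { echo unknown; return 0; }
    if flags_have_i "$line"; then echo yes; else echo no; fi
}

# explain_protection FILE: one line per protection layer.
explain_protection() {
    file=$1
    dir=$(dirname -- "$file")
    if mode_has_w "$file"; then
        echo "content: w-bit set on file"
    else
        echo "content: no w-bit on file (non-root writes denied)"
    fi
    if mode_has_w "$dir"; then
        echo "rename/remove: w-bit set on directory"
    else
        echo "rename/remove: no w-bit on directory (non-root denied)"
    fi
    case $(immutable_state "$file") in
        yes) echo "immutable: set (root is blocked too, until chattr -i)" ;;
        no)  echo "immutable: not set (root can override the mode bits)" ;;
        *)   echo "immutable: unknown (lsattr missing or unsupported)" ;;
    esac
}
```

Run as "explain_protection my_private_dir/my_private_file" after sourcing the functions; it reads the mode bits rather than testing access, so the first two lines are the same for root and for a normal user.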