Friday, November 23, 2012

Protection of critical files from unauthorized or unknown delete

Release:

Linux distributions using an ext2-based file system (ext2, ext3 or ext4)

Problem:

Protecting critical files from unauthorized or unknown delete

Solution:

You can use the chattr command to protect your critical files from unauthorized or accidental deletion. chattr stands for "change attributes". It is similar to the chmod command in Linux but has a different invocation and syntax, and it works only on ext2/ext3/ext4 filesystems.

Once you have run chattr +i <filename>, that file is marked immutable: it cannot be modified, linked or deleted, even by the root user. The override is not visible through the normal permission checks such as ls -l. Once set, the attribute can be removed only by the root user. A demo is shown below.

First we create a file named mysafefile, which we want to protect from modification or deletion.

[root@testing Desktop]# touch mysafefile

Now let us view the file's default permissions with the following command.

[root@testing Desktop]# ll mysafefile

-rw-r--r-- 1 root root 0 Aug 27 12:37 mysafefile

So the owner root has read and write permission, while the group root and others have read-only permission.

Now let us protect the file from unwanted modification or deletion by adding the immutable attribute with "+i".

[root@testing Desktop]# chattr +i mysafefile

Now we check whether the permissions of the file have changed.

[root@testing Desktop]# ll mysafefile

-rw-r--r-- 1 root root 0 Aug 27 12:37 mysafefile

The permissions show no visible change under the normal permission check; they remain the same. We will now try to edit the file that we protected with chattr.

[root@testing Desktop]# vi mysafefile

Once you have opened the file, vi reports at the bottom left of the screen that the file is read-only, so you will be unable to edit it. Next, let us see what happens when we try to delete the file.

[root@testing Desktop]# rm -f mysafefile

rm: cannot remove `mysafefile': Operation not permitted

So even the root user cannot delete the file. Now let us see how to view the overriding attribute. Use lsattr <filename> to list the attributes currently set on a file.

[root@testing Desktop]# lsattr mysafefile

----i-------- mysafefile

You can now see the "i" attribute set on the file, which is what prevented the deletion. To clear the attribute, run the following command.

[root@testing Desktop]# chattr -i mysafefile

Confirm that the attribute has been cleared using lsattr.

[root@testing Desktop]# lsattr mysafefile

------------- mysafefile
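The sequence above can be wrapped in a small script. The following is an added example and is not part of the original post: protect_file applies the immutable attribute and then verifies it through lsattr, and audit_lsattr_output reads lsattr lines (such as the ones shown above) and prints the files that are not immutable, which is the check you would run periodically to confirm that nothing has quietly cleared the flag. The function names are my own; the parsing assumes the lsattr output layout shown on this page, with the flag letters in the first column followed by a space and the file name. Because root can clear the attribute again with chattr -i (setting or clearing it needs the CAP_LINUX_IMMUTABLE capability), the flag guards against accidental deletion and against processes that lack that privilege, so a file appearing in the audit output is a change worth alerting on.

```shell
#!/bin/sh
# Added example (not from the original post). Helpers around chattr/lsattr
# for protecting files and auditing that the immutable flag is still set.
# Assumption: lsattr prints "<flags> <name>" with the flag letters in the
# first column, e.g. "----i-------- mysafefile" as shown in the post.

# has_immutable_flag LSATTR_LINE
# Succeeds (exit 0) when the 'i' flag appears in the flag column of one
# lsattr output line. Only the first column is inspected, so an 'i' in the
# file name does not produce a false positive.
has_immutable_flag() {
    flags=${1%% *}
    case "$flags" in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# audit_lsattr_output
# Reads lsattr lines on stdin and prints the name of every file that does
# NOT carry the immutable flag. Empty output means everything is protected.
audit_lsattr_output() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        if ! has_immutable_flag "$line"; then
            printf '%s\n' "${line#* }"
        fi
    done
}

# protect_file FILE
# Sets the immutable flag and verifies it via lsattr. Requires root
# (CAP_LINUX_IMMUTABLE), as the post notes; returns 2 when not root,
# 1 when chattr fails or the flag is not visible afterwards.
protect_file() {
    if [ "$(id -u)" -ne 0 ]; then
        echo "protect_file: must be run as root" >&2
        return 2
    fi
    chattr +i "$1" || return 1
    # -d lists a directory itself rather than its contents
    lsattr -d "$1" | { IFS= read -r line; has_immutable_flag "$line"; }
}

# Usage (as root), with placeholder paths:
#   protect_file /etc/myapp/critical.conf
#   lsattr /etc/myapp/*.conf | audit_lsattr_output
```

audit_lsattr_output only inspects the first column, so a modern lsattr that also shows the extents flag (an "e" further along the column) still classifies correctly; it does not try to handle file names that begin with a dash, which chattr itself would misread as an option.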
