How to prevent a file from being deleted

Hi guys,

Is there any way to prevent a user account (a root / sudo account) from deleting a file or directory while still allowing it to write and edit?

As far as I know, I can use this command:

chattr +i <file/directory>

But this command also prevents writing (it only allows reading).

Of course I can do chattr -i <file/directory> to write, then use chattr +i <file/directory> to block again. But this way is inconvenient.

Regards!

Hello,

You can make a file append-only, with the 'a' attribute. This will mean that data can be added to the file, but the file cannot be over-written, have data removed from it, or be deleted. In other words, exactly as the name implies, the only thing you can do is use file append operations to add more data to the end of it.

Beyond that - no, I'm not aware of any Linux file attribute that would do what you want. Append-only and immutable are the only two that would protect a file from deletion that I know of. For regular users of course simply ensuring that neither they nor any group of which they are a member have write access to the file is sufficient, but by its very nature root on a Linux system will bypass any and all normal file security checks.

It depends on what you are trying to achieve. To prevent complete loss of file data you can create links to another directory. Data is only completely lost when all links are deleted.

2 Likes
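To illustrate the hard-link suggestion in the reply above, here is an added shell example (not from the thread). The function name hardlink_demo is this example's own; it works in a throwaway directory under $TMPDIR or /tmp, needs no root, and shows both the protection and its limit: a hard link follows the inode, not the name, so an editor that saves by writing a temporary file and renaming it over the original leaves the backup link holding the old content.

```shell
#!/bin/sh
# Added example (not from the thread): a hard link in a second directory keeps
# the data alive when the original name is removed, but it only tracks the
# inode. A save that writes a temp file and renames it over the original
# (how many editors write files) gives the name a NEW inode, so the backup
# link is left holding the old content.

# Prints three lines showing what the backup link holds after an rm, after an
# in-place write, and after a rename-style save. Returns 0 on success.
hardlink_demo() {
    work=$(mktemp -d "${TMPDIR:-/tmp}/hl_demo.XXXXXX") || return 1
    mkdir "$work/data" "$work/backup"
    echo "v1" > "$work/data/config.txt"
    # Second name for the same inode; the link count is now 2.
    ln "$work/data/config.txt" "$work/backup/config.txt"

    # Removing one name does not free the inode while another name remains.
    rm "$work/data/config.txt"
    printf 'after rm: %s\n' "$(cat "$work/backup/config.txt")"          # v1

    # Restore the original name from the backup and write in place:
    # both names share the inode, so both see the new content.
    ln "$work/backup/config.txt" "$work/data/config.txt"
    echo "v2" > "$work/data/config.txt"
    printf 'after in-place write: %s\n' "$(cat "$work/backup/config.txt")"   # v2

    # Editor-style save: new inode written to a temp name, then rename(2)
    # over the original name. The backup link still points at the old inode.
    echo "v3" > "$work/data/config.txt.tmp"
    mv "$work/data/config.txt.tmp" "$work/data/config.txt"
    printf 'after rename save: %s\n' "$(cat "$work/backup/config.txt")"      # v2

    rm -rf "$work"
}

hardlink_demo
```

The third line is the caveat: a hard-link "backup" protects against rm, but not against the rename-based saves most editors perform, after which the backup silently stops following the file.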

Not really inconvenient, when you are talking about file system security.

It is a small "price" to pay to disable the control:

chattr -i <file/directory>

Then make your changes, and then to make the file immutable again:

chattr +i <file/directory>

This is exactly what I do, BTW, and it's not a problem at all (even in a script), and I have never found this "inconvenient", as @bucminhdo puts it.

See:

FYI, I am a "big fan" of chattr as one might guess :)

4 Likes

If you write-protect the directory, then you prevent deletion and creation of files.

2 Likes

Hello,

If the requirement is to prevent regular users from deleting files, then yes, this will certainly work. Even if the user themselves has write permission set for files that they own within a directory, if the user has no write permissions set on the directory itself, they will be unable to delete the files, as you say.

However, the OP's question mentioned "root / sudo account" as the user(s) for which this write protection is desired. And for root, even if a directory has no write permissions set, root will still be able to remove the files. At most they will receive a prompt asking if they wish to remove the write-protected file, but in terms of protection, that's about as good as it will get in that particular scenario. So this solution might not quite provide the level of protection desired, in this specific set of circumstances.

1 Like

Nothing speaks against the already mentioned chattr - but on the directory (not the file).

Excellent idea @MadeInGermany

See:

ubuntu:~# cd /tmp
ubuntu:/tmp# mkdir test_chattr
ubuntu:/tmp# echo "HELLO WORLD" > ./test_chattr/test_file.txt
ubuntu:/tmp# chattr +i test_chattr
ubuntu:/tmp# echo "HELLO AGAIN" >> ./test_chattr/test_file.txt
ubuntu:/tmp# cat ./test_chattr/test_file.txt
HELLO WORLD
HELLO AGAIN
ubuntu:/tmp# rm ./test_chattr/test_file.txt
rm: cannot remove './test_chattr/test_file.txt': Operation not permitted

This certainly appears to meet the requirements of @bucminhdo

Thanks @MadeInGermany for reminding us how simple this can be.

The main problem with this is, of course, that the file can easily be "nulled out", which is close to being deleted without actually deleting the file. This might not meet many security requirements.

ubuntu:/tmp# cat /dev/null > ./test_chattr/test_file.txt
ubuntu:/tmp# cat ./test_chattr/test_file.txt

This type of "security" would not meet most of my requirements when I use chattr, but it might meet @bucminhdo's requirements.
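Pulling together the append-only attribute from the earlier reply, the note that a write-protected directory blocks creation and deletion, and the directory-immutable demonstration with its null-out caveat in this post, here is an added shell script (not from the thread) that runs root's four operations, append, truncate, create a sibling, delete, against each of the three protections and prints one result line per scenario. The function names probe_chattr, try_ops and run_scenario are this example's own. It assumes it runs as root (CAP_LINUX_IMMUTABLE) on a filesystem that implements these flags (ext4, xfs and btrfs do; not every filesystem does); probe_chattr reports when that is not the case instead of failing half-way.

```shell
#!/bin/sh
# Added example (not from the thread): what root can still do to a file under
# the three protections discussed in this thread.
#   file_immutable  chattr +i on the file      (the OP's starting point)
#   file_append     chattr +a on the file      (append-only)
#   dir_immutable   chattr +i on the directory (the demo in this post)
# Assumption: root with CAP_LINUX_IMMUTABLE on a filesystem that implements
# these flags. Expected output when it can run:
#   file_immutable: append=denied truncate=denied create=ok delete=denied
#   file_append: append=ok truncate=denied create=ok delete=denied
#   dir_immutable: append=ok truncate=ok create=denied delete=denied

# Returns 0 if this environment can set the immutable flag, 1 otherwise.
probe_chattr() {
    command -v chattr >/dev/null 2>&1 || return 1
    p=$(mktemp -d "${TMPDIR:-/tmp}/chattr_probe.XXXXXX") || return 1
    if chattr +i "$p" 2>/dev/null; then
        chattr -i "$p"; rmdir "$p"; return 0
    fi
    rmdir "$p"; return 1
}

# try_ops DIR FILE: attempts the four operations and prints e.g.
# "append=ok truncate=denied create=ok delete=denied".
# stderr is redirected BEFORE the data redirection so a refused open is silent;
# 'true' and 'echo' are regular builtins, so a failed redirection just yields a
# non-zero status instead of aborting the shell.
try_ops() {
    d=$1; f=$2; out=""
    if echo "MORE" 2>/dev/null >> "$f"; then out="append=ok"; else out="append=denied"; fi
    if true 2>/dev/null > "$f"; then out="$out truncate=ok"; else out="$out truncate=denied"; fi
    if true 2>/dev/null > "$d/sibling"; then out="$out create=ok"; else out="$out create=denied"; fi
    if rm -f "$f" 2>/dev/null; then out="$out delete=ok"; else out="$out delete=denied"; fi
    printf '%s\n' "$out"
}

# run_scenario NAME: fresh dir + file, apply the protection, run try_ops,
# clear the flags again so cleanup works, print "NAME: <results>".
run_scenario() {
    name=$1
    d=$(mktemp -d "${TMPDIR:-/tmp}/chattr_demo.XXXXXX") || return 1
    f="$d/data.txt"
    echo "HELLO WORLD" > "$f"
    case $name in
        file_immutable) chattr +i "$f" ;;
        file_append)    chattr +a "$f" ;;
        dir_immutable)  chattr +i "$d" ;;
        *) echo "unknown scenario: $name" >&2; rm -rf "$d"; return 2 ;;
    esac
    result=$(try_ops "$d" "$f")
    chattr -ia "$f" 2>/dev/null || true   # the file may be gone in other setups
    chattr -i "$d" || true
    rm -rf "$d"
    printf '%s: %s\n' "$name" "$result"
}

# Stand-alone run: print the matrix, or say why it cannot run here.
if probe_chattr; then
    for s in file_immutable file_append dir_immutable; do run_scenario "$s"; done
else
    echo "skipping: need root and a filesystem that supports chattr flags" >&2
fi
```

Reading the matrix: +a on the file is the only one of the three that stops the null-out while still allowing data to be added, and +i on the directory is the only one that also blocks creating new files. All three remain a speed bump for root rather than a wall: setting and clearing these flags both require CAP_LINUX_IMMUTABLE, so the same root can run chattr -i or chattr -a first. The flags only become effectively permanent for a context from which that capability has been removed (for example a container whose bounding set drops it).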
