How to prevent a user from deleting a root-owned file in their home directory

Friday, October 23, 2009 posted by Till

If the root user stores a file in the home directory of another user (or in any other directory that the other user owns), that user is able to delete the file even though it is owned by root and has mode 700. Deleting a file removes its name from the directory, and that operation is governed by the write and execute (search) permissions on the directory, not by the permissions on the file itself.

Example:

root@workstation:/home/otheruser# ls -la
total 8
drwxr-xr-x 2 otheruser otheruser 4096 Oct 23 11:52 .
drwxr-xr-x 3 root      root      4096 Oct 23 11:51 ..
-rwx------ 1 root      root         0 Oct 23 11:52 root_users_file

If I now su to "otheruser", I am able to delete the file, because "otheruser" owns the directory in which "root_users_file" is stored:

root@workstation:/home/otheruser# su otheruser
sh-3.2$ rm root_users_file
rm: remove write-protected regular empty file `root_users_file'? y
sh-3.2$

To protect the file from being deleted, set the immutable attribute with chattr +i. This has to be done as root: only a privileged process (CAP_LINUX_IMMUTABLE) can set or clear the attribute, and it is available on ext2/ext3/ext4 and some other Linux filesystems (e.g. XFS, btrfs), but not on every filesystem type:

chattr +i root_users_file

Then try again to delete the file as "otheruser"; the action is denied:

root@workstation:/home/otheruser# su otheruser
sh-3.2$ rm root_users_file
rm: remove write-protected regular empty file `root_users_file'? y
rm: cannot remove `root_users_file': Operation not permitted
sh-3.2$

Now even root cannot delete, rename, modify or hard-link the file until the attribute is cleared again (lsattr shows the attribute as an "i" in the flags column). Keep in mind what this buys you: against the unprivileged user the protection is effective, because they cannot remove the attribute; against root it is only a safeguard against accidents, since root can run chattr -i first. The protection is removed with chattr -i:

chattr -i root_users_file
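As an added example, not part of the original post: the following POSIX shell script models the check the kernel performs before it lets a process remove a directory entry (write and search permission on the parent directory, then the sticky-bit owner test, with the immutable attribute short-circuiting everything, root included) and wraps chattr/lsattr so the post's session can be replayed. The function names unlink_allowed, lsattr_has_immutable and demo_immutable, the user name otheruser and the uid 1000 are assumptions for illustration, and group permissions are left out of the model. The demo part requires root and a filesystem that supports the immutable attribute, such as ext2/3/4, XFS or btrfs.

```shell
#!/bin/sh
# Added example, not code from the original post. It models the permission
# check Linux applies to unlink()/rename() so the post's observation can be
# reasoned about, and wraps chattr/lsattr for the fix. Assumptions: POSIX sh;
# e2fsprogs (chattr, lsattr) installed; demo_immutable needs root and a
# filesystem that supports the immutable attribute (ext2/3/4, XFS, btrfs).

# unlink_allowed ACTING_UID DIR_UID DIR_MODE FILE_UID IMMUTABLE -> prints yes|no
#   DIR_MODE is the parent directory's octal mode as printed by `stat -c %a`
#   (e.g. 755, or 1777 when the sticky bit is set). IMMUTABLE is 1 if the file
#   carries chattr's 'i' attribute. Group permissions are deliberately ignored
#   (owner vs. other only) to keep the model small; uid 0 stands for
#   CAP_DAC_OVERRIDE/CAP_FOWNER. Note that the file's own mode never appears:
#   removing a name is an operation on the directory, not on the file.
unlink_allowed() {
    acting=$1 dir_uid=$2 dir_mode=$3 file_uid=$4 immutable=$5

    # 1. The immutable attribute is checked first and stops everyone, root included.
    if [ "$immutable" -eq 1 ]; then echo no; return 0; fi

    # 2. Root bypasses the discretionary checks below.
    if [ "$acting" -eq 0 ]; then echo yes; return 0; fi

    # 3. Write + search permission on the parent directory is required.
    perm=$(( 0$dir_mode & 0777 ))
    if [ "$acting" -eq "$dir_uid" ]; then
        bits=$(( (perm >> 6) & 7 ))     # owner triplet
    else
        bits=$(( perm & 7 ))            # "other" triplet
    fi
    if [ $(( bits & 3 )) -ne 3 ]; then echo no; return 0; fi   # w=2, x=1

    # 4. Sticky bit: additionally, only the file owner or the directory owner may unlink.
    if [ $(( 0$dir_mode & 01000 )) -ne 0 ]; then
        if [ "$acting" -ne "$file_uid" ] && [ "$acting" -ne "$dir_uid" ]; then
            echo no; return 0
        fi
    fi
    echo yes
}

# lsattr_has_immutable "LSATTR_LINE" -> exit 0 if the attribute field contains 'i'.
# lsattr -d prints e.g. "----i---------e------- /home/otheruser/root_users_file".
lsattr_has_immutable() {
    flags=${1%% *}          # first whitespace-separated field is the flag column
    case $flags in *i*) return 0 ;; *) return 1 ;; esac
}

# demo_immutable USER: reproduces the post's session end to end. Run as root:
#   sh this_script.sh demo otheruser
demo_immutable() {
    u=$1
    f=$(getent passwd "$u" | cut -d: -f6)/root_users_file
    : > "$f" && chmod 700 "$f"
    if su "$u" -s /bin/sh -c "rm -f \"$f\""; then
        echo "no +i: $u removed root's mode-700 file (the directory is writable by $u)"
    fi
    : > "$f" && chmod 700 "$f"
    chattr +i "$f"
    if lsattr_has_immutable "$(lsattr -d "$f")"; then echo "immutable attribute set"; fi
    if ! su "$u" -s /bin/sh -c "rm -f \"$f\"" 2>/dev/null; then
        echo "+i: removal denied for $u"
    fi
    if ! rm -f "$f" 2>/dev/null; then
        echo "+i: even root cannot remove it until chattr -i"
    fi
    chattr -i "$f" && rm -f "$f"
}

if [ "${1:-}" = demo ]; then demo_immutable "${2:?user name required}"; fi
```

unlink_allowed 1000 1000 755 0 0 is the situation in the post (otheruser owns the directory, the file belongs to root) and answers yes; with the last argument set to 1, i.e. after chattr +i, it answers no, and so does unlink_allowed 0 1000 755 0 1 for root. It also shows why a sticky bit on the home directory changes nothing here: unlink_allowed 1000 1000 1755 0 0 is still yes, because the sticky-bit exception applies to the directory owner. The sticky bit only helps in a directory the user does not own, such as /tmp (unlink_allowed 1000 0 1777 0 0 is no).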

2 Responses to “How to prevent a user from deleting a root-owned file in their home directory”

  1. Jared Fine says:

    chattr is pretty handy but in this case you might be better off using the sticky bit.

    “The most common use of the sticky bit today is on directories. When the sticky bit is set, only the item’s owner, the directory’s owner, or the superuser can rename or delete files. Without the sticky bit set, any user with write and execute permissions for the directory can rename or delete contained files, regardless of owner.”

    http://en.wikipedia.org/wiki/Sticky_bit

    Cheers.

  2. Mike T says:

    Excellent article. I was trying to place a file owned by root in another user's area for them to read and execute but NOT edit or delete. Works perfectly for me.

    I tried the sticky bit but it did not work for my requirements.
