- Make file read only on Linux even for root
- 5 Answers 5
- How to make all files under a directory world readable on linux? [closed]
- 3 Answers 3
- How to view files that have read permission only in my present working directory?
- 5 Answers 5
- How to Open a File in Read-Only Mode on Linux
- Option 1: Using the less command
- Option 2: Using the cat command
- Option 3: Using the view command
- Option 4: Using the chmod command
- Commands Mentioned:
- Conclusion:
- Dimitri Nek
Make file read only on Linux even for root
I know about the chattr +i filename command which makes a file read only for all users. However, the problem is that I can revoke this by using chattr -i filename . Is there a way to make a file readable by everyone on the system, but not writable by anyone, even the root, and with no going back (No option to make it writable again)?
I don’t think there is a way to do that. You would always be able to «go back» if you are root. What is it you are trying to accomplish with this? Maybe we can come up with another solution. Does someone else have root access to your system but you don’t trust them?
Depending on what you’re trying to accomplish, you might want to digitally sign the file using public key encryption, so that although someone could modify it, other people would be able to detect that.
Honestly, it just doesn’t make sense to do this in practice. It’s a perfectly good question to ask out of curiosity, but if you actually have a situation where you want to prevent a person with root access from modifying a file, you have much bigger problems than can be solved with filesystem permissions.
5 Answers 5
Put it on a CD or a DVD. The once-writable kind, not the erasable ones. Or some other kind of a read-only device.
Ok, I suppose you want a software solution, so here are some ideas: You could possibly create an SELinux ruleset that disables the syscall (*) that chattr uses, even for root. Another possibility would be to use capabilities: setting +i requires the CAP_LINUX_IMMUTABLE capability, so if you can arrange the capability bounding set of all processes to not include that, then no-one can change those flags. But you’d need support from init to have that apply to all processes. Systemd can do that, but I think it would need to be done for each service separately.
(* maybe it was an ioctl instead.)
However, if you do that, remember that a usual root can modify the filesystem from the raw device (that’s what debugfs is for), so you’d need to prevent that, too, as well as prevent modifying the kernel (loading modules). Loading modules can be prevented with the kernel.modules_disabled sysctl, but I’m not sure about preventing access to raw devices. And make all the relevant configuration files also immutable.
Anyway, after that, you’d also need to prevent changing the way the system boots, otherwise someone could reboot the system with a kernel that allows overriding the above restrictions.
And don’t forget about mount —bind modified-file original-file , which often achieves the same result as modifying the file without actually doing so
chatter +i is advisory as well. /dev/sd?? are writable as root and I can think of a host of other ways. SELinux kind of works.
Yeah, that’s pretty much the point, you’d need to first prevent modifying the file, and then prevent making changes to the restrictions.
What you want is Mandatory Access Control. It allows you to specify a set of permissions which the kernel will not allow to be overridden, even by root. SELinux is one well-known such system, Smack is another example, and AppArmor is a third such system. In Linux, they are implemented as Linux Security Modules, a general-purpose facility for controlling access outside the traditional UNIX-like security model. In addition to the existing general-purpose systems, you could of course create your own for a special purpose.
Of course, root has the ability to turn the entire facility on or off or change the MAC permissions of files, and some of these systems even allow those capabilities to be granted to non-root users. However, it’s also possible, depending on the system, to disable this ability. I know SELinux and Smack make this possible; I doubt all LSMs do. Once disabled, the only way to regain the ability is to reboot the kernel. You will then want your boot process to disable the capability before user access is enabled. If your kernel and boot process are secure, such a configuration could (at least in theory) be changed only by physically removing the storage media to change it.
As an example, if you were using SMACK, you could do:
This would set the file to have the special label «_» which allows only read or execute access, but never write. Now even root cannot write this file (once SMACK has been activated and the security override capability has been disabled, as mentioned above).
However, you must also ensure that your kernel is secure. By default, it is easy for root to subvert the kernel, because the kernel trusts the root user. If root can just remove the security module, it doesn’t help very much. A list of such methods is here, but note that no such list can ever truly be complete for all circumstances.
Finally, depending on your circumstances, you may need to secure your boot process. For a machine where you have sole physical access, this might not be needed, but for maximum security you really want encrypted filesystems and a secure way of booting the kernel, such as UEFI Secure Boot.
How to make all files under a directory world readable on linux? [closed]
I want to make all files (and directories) under a certain directory world readable without having to chmod each file on its own. it would be great if there is an option to also do this recursively (look under folders and chmod 666 all files under it)
@H2CO3: Doesn’t seem to fall under What kind of questions can I ask here?. Doesn’t mention Bash anywhere in the title or text. Doesn’t have a bash tag. But, it’s just a comment, right?
@Rorchackh do you want to make readable files only and exclude directories, or did you mean «all entries in the directory» when you wrote «all files»? I think the later one applies.
3 Answers 3
man 3 chmod contains the information you are looking for.
the -R option tells chmod to operate recursively.
Historicaly -r is for recursive operation and -R is for dangerous recursive. If capitalized R is used for chmod and chown it’s because we prefer to use more precise operation like using find . See my answer!
I’m certainly appreciate you answer but it is a little bit hard to understand even to me which I’m not a newbie. @F.Hauri
@insign Changing rights recursively could be dangerous! you coud for sample .1 break some system requirment, .2 expose private files. Reverting wrong manip from there could be very tricky.
As a directory could contain links and/or bind mounts, the use of find could ensure a finest granularity in what to do and what to not do.
find directory \( -type f -o -type d \) -print0 | xargs -0 chmod ugo+r
To exclude paths under mount points:
find directory -mount \( -type f -o -type d \) -print0 | xargs -0 chmod ugo+r
To exclude some specific files (.htaccess for sample):
find directory \( -type f -o -type d \) ! -name '.htaccess' -print0 | xargs -0 chmod ugo+r
How to view files that have read permission only in my present working directory?
This question seems an easy one for anyone who knows find command. But let’s assume that find command doesn’t work on my system. How can I view the files based on their permissions without using «find» command?
5 Answers 5
Without find , you still have a shell (which can expand wildcards) and can loop over the contents of the directory checking first if each is a file, then if it is not writable, and then if it is not executable and then if it is readable.
Someone is likely to write a script to demonstrate, but it helps to start by reading the documentation, e.g., POSIX test.
By the way, the use of «only» in the question’s title would exclude results where the file is either writable or executable. In POSIX find , you can express it like this:
find . -type f \! \( -perm -u=w -o -perm -u=x -o -perm -g=w -o -perm -g=x -o -perm -o=w -o -perm -o=x \)
GNU find provides extensions which allow more compact expressions:
find . -type f \! -perm /u=wx,g=wx,o=wx
The test utility (more often used as [ and ] ) provides simpler tests than find , e.g.,
for name in *; do [ -f "$name" -a -r "$name" -a ! -w "$name" -a ! -x "$name" ] && ls -l "$name"; done
However, its permissions are only for the user, not group or other. To exclude files based on those, you can use ls , e.g.,
for name in *; do [ -f "$name" ] && case "$(ls -l "$name")" in -r--r--r--*) echo "$name";; esac; done
or (if you want to allow executable files)
for name in *; do [ -f "$name" ] && case "$(ls -l "$name")" in -r-?r-?r-*) echo "$name";; esac; done
How to Open a File in Read-Only Mode on Linux
In Linux, opening a file in read-only mode can be useful to prevent accidental modifications to the file contents. Read-only mode allows you to view the contents of the file, but you cannot make any changes to it. In this guide, we will show you how to open a file in read-only mode using various Linux commands.
Option 1: Using the less command
The less command is a powerful utility for viewing file contents on Linux. To open a file in read-only mode using less, simply use the “-R” option:
This will open the file in read-only mode, and you can view the contents of the file without the ability to modify it. To exit the less command, press the “q” key.
Option 2: Using the cat command
The cat command is another popular command for viewing file contents on Linux. To open a file in read-only mode using cat, simply use the “-v” and “-E” options:
This will display the contents of the file in read-only mode. The “-v” option will display non-printable characters, and the “-E” option will display a “$” character at the end of each line.
Option 3: Using the view command
The view command is a read-only version of the vi editor. To open a file in read-only mode using view, simply use the “-R” option:
This will open the file in read-only mode, and you can view the contents of the file without the ability to modify it. To exit the view command, press the “q” key.
Option 4: Using the chmod command
You can also use the chmod command to set the file permissions to read-only mode. To set the file permissions to read-only, use the following command:
This will set the file permissions to read-only mode, and you will not be able to modify the contents of the file. To revert the file permissions back to their original state, use the following command:
Commands Mentioned:
- less – displays file contents in a paginated manner
- cat – displays file contents
- view – opens a file in read-only mode using the vi editor
- chmod – changes file permissions
Conclusion:
In this guide, we have shown you how to open a file in read-only mode using various Linux commands. Opening a file in read-only mode can be useful to prevent accidental modifications to the file contents. The less, cat, and view commands allow you to view the contents of a file in read-only mode, while the chmod command allows you to set the file permissions to read-only mode.
Dimitri Nek
Dimitri is a Linux-wielding geek from Newport Beach and a server optimization guru with over 20 years of experience taming web hosting beasts. Equipped with an arsenal of programming languages and an insatiable thirst for knowledge, Dimitri conquers website challenges and scales hosting mountains with unmatched expertise. His vast knowledge of industry-leading hosting providers allows him to make well-informed recommendations tailored to each client’s unique needs.