OSEC

From: Veselin Mijuskovic (panzeretf.bg.ac.yu)
Date: Wed Oct 10 2001 - 13:23:56 CDT


    Jose Nazario [Wed, Oct 10, 2001 at 01:24:49PM -0400, Re: Root can't delete files]:
    >
    > man chattr(1):
    >
    > chattr (1) - Change file attributes on a Linux second extended
    > file system
    >
    > using the mode +i (immutable) even root can't change diddly on a system.
    > this is not uncommon for attackers to do (either manually or in their
    > rootkit installation scripts) to protect their files.
    >
            Of course, root can always use the same 'chattr' command to change
    (in this particular case, reset the immutable flag) the extended attributes
    on the file before changing the file itself.

    > there are some kernel patches, like LIDS, that, when used, can be used to
    > prevent even root (either authorized or unauthorized) from changing files
    > marked as immutable.

            Actually, it is protected only when the CAP_LINUX_IMMUTABLE capability
    is removed from the global capability bounding set of the kernel (more precisely
    from the effective capability set of the process that tries to change the file
    that has immutable flag set), so one should mark it for removal in the
    /etc/lids/lids.cap file when using LIDS. In this case not even root can change
    the immutable (or append) flag for the given file, unless the LIDS is switched
    off (either locally or globally).

    -- 
     | \|/ Panzer (a.k.a Veselin Mijuskovic), Unix SysAdmin 
    /|\ |  Computer Centre, School of Electrical Engineering, University of Belgrade
    -------------------------------------------------------------------------------
           Unix is very friendly, it's just picky about who its friends are
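The two checks the reply above turns on, as an added example (my code, not from the thread or from LIDS): whether a given file carries the immutable flag, and whether CAP_LINUX_IMMUTABLE is still present in the caller's bounding ("CapBnd") or effective ("CapEff") capability set. It is Linux-only and assumes <linux/fs.h> and a readable /proc/self/status; the scratch path under /tmp is constructed for the demonstration.

```c
/* Added example, not from the thread or LIDS. Linux-only (<linux/fs.h>, /proc). */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <linux/fs.h>
#include <linux/capability.h>

/* 1 if the file carries the immutable flag (chattr +i), 0 if not, -1 if it
 * cannot be opened or the filesystem does not support the flags ioctl. */
int file_is_immutable(const char *path)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0) return -1;
    int attr = 0, rc = ioctl(fd, FS_IOC_GETFLAGS, &attr);
    close(fd);
    return rc < 0 ? -1 : ((attr & FS_IMMUTABLE_FL) ? 1 : 0);
}

/* Reads the "CapBnd" or "CapEff" hex mask from /proc/self/status: 1 if
 * CAP_LINUX_IMMUTABLE is set, 0 if cleared (the LIDS-style goal), -1 if unreadable. */
int cap_linux_immutable_in(const char *mask_name)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    char line[256]; int result = -1;
    size_t n = strlen(mask_name);
    while (fgets(line, sizeof line, f))
        if (strncmp(line, mask_name, n) == 0 && line[n] == ':') {
            result = (int)((strtoull(line + n + 1, NULL, 16) >> CAP_LINUX_IMMUTABLE) & 1);
            break;
        }
    fclose(f);
    return result;
}

/* Fresh scratch file (constructed, then removed): a new file never has +i. */
int scratch_file_is_immutable(void)
{
    char name[] = "/tmp/immut_XXXXXX";
    int fd = mkstemp(name);
    if (fd < 0) return -1;
    close(fd);
    int r = file_is_immutable(name);
    unlink(name);
    return r;
}
```

On a box locked down the way the reply describes, cap_linux_immutable_in("CapBnd") should return 0 even for root; a 1 from file_is_immutable on a file nobody legitimately marked is the rootkit case Jose mentions.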