Monday, August 11, 2008

Protect Your Files and Folders with Chattr and Lcap

(Reproduced from The Furtive Penguin)

A recurring theme in the endless series of "Is Linux Ready for the Desktop?" articles is the proposition that using the Bash shell is too complex for the average user. The underlying assumption is that the "average user" is only capable of clicking buttons in a GUI and will be confused beyond all hope of recall if he/she has to type a couple of syllables in a terminal. I believe that this is every bit as false as it is insulting. Here's the truth:-

The bash shell is:-

1. Easy

2. Fun

The specific purpose of this article is to introduce the chattr command and the lcap utility. Both of these tools are easy to master and of considerable use to any Linux user who wishes to protect vital files or folders. Let's suppose that your computer and user account are shared. Perhaps you allow the kids to use it from time to time to play godawful online flash-based games. The day will inevitably come when they decide to explore the contents of your home folder, and just as inevitably they will want to experiment with the right-click context menu. How can you prevent an orgy of "accidental" file deletion and protect your vital work or finance-related folders?

Most distros come with chattr installed by default. Lcap will need to be installed independently, though if you use Ubuntu it is available in the repositories. Simply fire up Synaptic and search for "lcap". If you are using another distro, packages are available from the following sources.

packetstorm

caspian.dotconf.net

Now we will set the immutable bit on the files that we wish to protect. Files or folders with the immutable bit set cannot be moved, deleted, renamed or appended to. They are immutable and consequently safe from the ravages of the juvenile hordes. So, how does it work? Open a terminal. First you will need to su to root on most Linux distros. On Ubuntu, of course, you would use the sudo command and enter your admin password when requested. Here's the full command:-

chattr +i /some/file/or/folder OR ( on Ubuntu )

sudo chattr +i /some/file/or/folder

This command effectively sets the immutable bit on your selected file or folder. If you want to make a folder and all its contents immutable, do this:-

chattr -R +i /some/file/or/folder OR ( on Ubuntu )

sudo chattr -R +i /some/file/or/folder

To remove the immutable bit you simply issue the following command:-

chattr -i /some/file/or/folder OR ( on Ubuntu )

sudo chattr -i /some/file/or/folder

What could be simpler?

If, on the other hand, you seek protection from a slightly more sophisticated threat, perhaps from someone with whom you share a computer who also knows your administrative password, you might resort to using lcap. Lcap removes from the superuser the capability to set or unset the immutable bit (amongst other things). If you summon lcap with no arguments you will be presented with a list of capabilities; we are primarily interested in CAP_LINUX_IMMUTABLE. To remove root's ability to set or unset this bit, do the following:-

lcap CAP_LINUX_IMMUTABLE

Below are some shots of the terminal before and after issuing this command. You will plainly see that the asterisk after CAP_LINUX_IMMUTABLE is missing from the second shot, denoting that this capability has been successfully removed from the superuser. But don't worry, this is not irreversible! It can, however, only be reversed by rebooting the system.

[Screenshots: lcap capability listing, before and after]
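To check both protections from a script, here is an added example (not from the original article) that lists the paths carrying the immutable flag in `lsattr -R` output and tests a capability mask for CAP_LINUX_IMMUTABLE. It assumes a kernel that reports the bounding set as CapBnd in /proc/self/status; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original article. Function names are hypothetical.
CAP_LINUX_IMMUTABLE=9   # bit number defined in <linux/capability.h>

# Read lsattr-style lines on stdin; print paths whose flag field contains 'i'.
immutable_paths() {
    while IFS= read -r line; do
        case $line in *" "*) ;; *) continue ;; esac       # blank line or "dir:" header
        flags=${line%% *}
        path=${line#* }
        case $flags in ""|*[!A-Za-z-]*) continue ;; esac   # not a flag field
        case $flags in *i*) printf '%s\n' "$path" ;; esac
    done
}

# Succeed if the hex capability mask in $1 includes CAP_LINUX_IMMUTABLE.
mask_has_immutable() {
    [ $(( (0x$1 >> $CAP_LINUX_IMMUTABLE) & 1 )) -eq 1 ]
}

# Assumption: the kernel reports the bounding set as CapBnd in /proc/self/status.
current_bounding_mask() {
    sed -n 's/^CapBnd:[[:space:]]*//p' /proc/self/status
}

# Constructed lsattr -R output and masks, so the demo needs no root and no ext filesystem.
demo() {
    printf '%s\n' \
        '----i---------e------- ./finance/2008 taxes.ods' \
        '--------------e------- ./games/readme.txt' \
        '' \
        './finance/archive:' \
        '----i---------e------- ./finance/archive/old.ods' | immutable_paths
    for mask in 000001ffffffffff 000001fffffffdff; do
        if mask_has_immutable "$mask"; then
            echo "$mask: CAP_LINUX_IMMUTABLE present"
        else
            echo "$mask: CAP_LINUX_IMMUTABLE dropped"
        fi
    done
}
demo
# Live use: lsattr -R /some/file/or/folder | immutable_paths
#           mask_has_immutable "$(current_bounding_mask)" && echo "still held"
```

A file you expected to be protected that is missing from the `immutable_paths` output, or a mask that still contains the capability after running lcap, means the protection is not in effect.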


OK, so this is not foolproof, but it does provide a fair degree of protection and should be sufficient to safeguard against any but the most determined and knowledgeable vandals. Anyone seeking further information about chattr or lcap should consult the appropriate man pages or the links provided on this article's linkslist page. Hope someone finds this helpful.


