Protect Your Files and Folders with Chattr and Lcap

(Reproduced from The Furtive Penguin)

A recurring theme in the endless series of "Is Linux Ready for the Desktop?" articles is the proposition that using the Bash shell is too complex for the average user. The underlying assumption being that the "average user" is only capable of clicking buttons in a GUI and will be confused beyond all hope of recall if he/she has to type a couple of syllables in a terminal. I believe that this is every bit as false as it is insulting. Heres the truth:-

The bash shell is:-

1. Easy

2. Fun

The specific purpose of this article is to introduce the chattr command and the LCAP utility. Both of these tools are easy to master and of considerable use to any linux user who wishes to protect vital files or folders. Let's suppose that your computer and user account are shared. Perhaps you allow the kids to use it from time to time to play godawful online flash-based games. The day will inevitably come when they decide to explore the contents of your home folder and just as inevitably they will want to experiment with the right-click context menu. How can you prevent an orgy of "accidental" file deletion and protect your vital work or finance-related folders?

Most distro's come with chattr installed by default. Lcap will need to be installed independently, though if you use Ubuntu it is available in the repositories. Simply fire up synaptic and search for "lcap". If you are using another distro packages are available from the following sources.

packetstorm

caspian.dotconf.net

Now we will set the immutable bit on the files that we wish to protect. Files or folders with the immutable bit set cannot be moved, deleted, renamed or appended to. They are immutable and consequently safe from the ravages of the juvenile hordes. So, how does it work? Open a terminal. Firstly you will need to su to root on most linux distro's. On Ubuntu, of course you would use the sudo command and issue your admin password when requested. Heres the full command:-

chattr +i /some/file/or/folder OR ( on Ubuntu )

sudo chattr +i /some/file/or/folder

This command effectively sets the immutable bit on your selected file or folder. If you want to make a folder and all its contents immutable, do this:-

chattr -R +i /some/file/or/folder OR ( on Ubuntu )

sudo chattr -R +i /some/file/or/folder

To remove the immutable bit you simply issue the following command:-

chattr -i /some/file/or folder OR ( on Ubuntu )

sudo chattr -i /some/file/or/folder

What could be simpler?

If on the other hand you seek protection from a slightly more sophisticated threat, perhaps from someone with whom you share a computer who also knows your administrative password, you might resort to using lcap. Lcap removes from the superuser the capability to set or unset the immutable bit ( amongst other things ). If you summon lcap with no arguments you will be presented with a list of capabilities, we are primarily interested in CAP_LINUX_IMMUTABLE. To remove root's ability to set or unset this bit, do the following:-

lcap CAP_LINUX_IMMUTABLE

Below are some shots of the terminal before and after issuing this command. You will plainly see that the asterisk after CAP_LINUX_IMMUTABLE is missing from the second shot denoting that this capability has been successfully removed from the superuser. But dont worry this is not irreversible! It can only be reversed however, by rebooting the system.

Before

After

OK so this is not foolproof but it does provide a fair degree of protection and should be sufficient to safeguard against any but the most determined and knowledgeable vandals. Anyone seeking further information about chattr or lcap should consult the appropriate man pages or the links provided on this article's linkslist page. Hope someone finds this helpful.

D.I.Y. Apps: Part III The PDF Manager

(Reproduced from The Furtive Penguin )

Of the many tools which can be used to create and manipulate PDF files on a Linux system pdftk is probably the most powerful and useful. It can:-

Merge PDF Documents

Split PDF Pages into a New Document

Rotate PDF Pages or Documents

Decrypt Input as Necessary (Password Required)

Encrypt Output as Desired

Fill PDF Forms with FDF Data or XFDF Data and/or Flatten Forms

Apply a Background Watermark or a Foreground Stamp

Report on PDF Metrics such as Metadata, Bookmarks, and Page Labels

Update PDF Metadata

Attach Files to PDF Pages or the PDF Document

Unpack PDF Attachments

Burst a PDF Document int

o Single Pages

Uncompress and Re-Compress Page Streams

Repair Corrupted PDF (Where Possible)

This is quite an impressive feature set but of course, as supplied, it is a command line tool. A GUI frontend is available for it but you will need to install the Lazarus Pascal compiler before it will run. PDFTK-GUI is available here and the Lazarus compiler together with instructions for installing on Ububtu can be found here. This is quite an overhead just to run one GUI front-end so I am offering an alternative script. The script allows you to access much of the functionality of pdftk without mastering the command line syntax. Just for good measure pdftotext is included as well.

In order to use the script you will need to install the following packages:-pdftk, poppler-utils (or xpdf-utils).Both packages are available from the Debian/Ububtu repositories. Once installed I suggest that you create a PDF directory in your home folder and store both the script and your collection of PDF's there.This script could be easily adapted for use with 'Dialog'. Anyone wishing to do so could usefully consult the previous two articles in this series. There are examples and plenty of code to cannibalize in Parts 1 and 2.

The obligatory screenshots are included below:-

The PDFManager Script (Available here)

PDFTK-GUI

Whichever you decide to install...have fun!