Protect Your Files and Folders with Chattr and Lcap

(Reproduced from The Furtive Penguin)

A recurring theme in the endless series of "Is Linux Ready for the Desktop?" articles is the proposition that using the Bash shell is too complex for the average user. The underlying assumption being that the "average user" is only capable of clicking buttons in a GUI and will be confused beyond all hope of recall if he/she has to type a couple of syllables in a terminal. I believe that this is every bit as false as it is insulting. Heres the truth:-

The bash shell is:-

1. Easy

2. Fun

The specific purpose of this article is to introduce the chattr command and the LCAP utility. Both of these tools are easy to master and of considerable use to any linux user who wishes to protect vital files or folders. Let's suppose that your computer and user account are shared. Perhaps you allow the kids to use it from time to time to play godawful online flash-based games. The day will inevitably come when they decide to explore the contents of your home folder and just as inevitably they will want to experiment with the right-click context menu. How can you prevent an orgy of "accidental" file deletion and protect your vital work or finance-related folders?

Most distro's come with chattr installed by default. Lcap will need to be installed independently, though if you use Ubuntu it is available in the repositories. Simply fire up synaptic and search for "lcap". If you are using another distro packages are available from the following sources.

packetstorm

caspian.dotconf.net

Now we will set the immutable bit on the files that we wish to protect. Files or folders with the immutable bit set cannot be moved, deleted, renamed or appended to. They are immutable and consequently safe from the ravages of the juvenile hordes. So, how does it work? Open a terminal. Firstly you will need to su to root on most linux distro's. On Ubuntu, of course you would use the sudo command and issue your admin password when requested. Heres the full command:-

chattr +i /some/file/or/folder OR ( on Ubuntu )

sudo chattr +i /some/file/or/folder

This command effectively sets the immutable bit on your selected file or folder. If you want to make a folder and all its contents immutable, do this:-

chattr -R +i /some/file/or/folder OR ( on Ubuntu )

sudo chattr -R +i /some/file/or/folder

To remove the immutable bit you simply issue the following command:-

chattr -i /some/file/or folder OR ( on Ubuntu )

sudo chattr -i /some/file/or/folder

What could be simpler?

If on the other hand you seek protection from a slightly more sophisticated threat, perhaps from someone with whom you share a computer who also knows your administrative password, you might resort to using lcap. Lcap removes from the superuser the capability to set or unset the immutable bit ( amongst other things ). If you summon lcap with no arguments you will be presented with a list of capabilities, we are primarily interested in CAP_LINUX_IMMUTABLE. To remove root's ability to set or unset this bit, do the following:-

lcap CAP_LINUX_IMMUTABLE

Below are some shots of the terminal before and after issuing this command. You will plainly see that the asterisk after CAP_LINUX_IMMUTABLE is missing from the second shot denoting that this capability has been successfully removed from the superuser. But dont worry this is not irreversible! It can only be reversed however, by rebooting the system.

Before

After

OK so this is not foolproof but it does provide a fair degree of protection and should be sufficient to safeguard against any but the most determined and knowledgeable vandals. Anyone seeking further information about chattr or lcap should consult the appropriate man pages or the links provided on this article's linkslist page. Hope someone finds this helpful.

D.I.Y. Apps: Part III The PDF Manager

(Reproduced from The Furtive Penguin )

Of the many tools which can be used to create and manipulate PDF files on a Linux system pdftk is probably the most powerful and useful. It can:-

Merge PDF Documents

Split PDF Pages into a New Document

Rotate PDF Pages or Documents

Decrypt Input as Necessary (Password Required)

Encrypt Output as Desired

Fill PDF Forms with FDF Data or XFDF Data and/or Flatten Forms

Apply a Background Watermark or a Foreground Stamp

Report on PDF Metrics such as Metadata, Bookmarks, and Page Labels

Update PDF Metadata

Attach Files to PDF Pages or the PDF Document

Unpack PDF Attachments

Burst a PDF Document int

o Single Pages

Uncompress and Re-Compress Page Streams

Repair Corrupted PDF (Where Possible)

This is quite an impressive feature set but of course, as supplied, it is a command line tool. A GUI frontend is available for it but you will need to install the Lazarus Pascal compiler before it will run. PDFTK-GUI is available here and the Lazarus compiler together with instructions for installing on Ububtu can be found here. This is quite an overhead just to run one GUI front-end so I am offering an alternative script. The script allows you to access much of the functionality of pdftk without mastering the command line syntax. Just for good measure pdftotext is included as well.

In order to use the script you will need to install the following packages:-pdftk, poppler-utils (or xpdf-utils).Both packages are available from the Debian/Ububtu repositories. Once installed I suggest that you create a PDF directory in your home folder and store both the script and your collection of PDF's there.This script could be easily adapted for use with 'Dialog'. Anyone wishing to do so could usefully consult the previous two articles in this series. There are examples and plenty of code to cannibalize in Parts 1 and 2.

The obligatory screenshots are included below:-

The PDFManager Script (Available here)

PDFTK-GUI

Whichever you decide to install...have fun!

D.I.Y Apps Part IV Project Manager 2

( Reproduced from The Furtive Penguin )

Get the Script here.

This is the latest in a series of articles designed to encourage people to make their own apps on Linux. It is hoped that either:-

a) The script will be useful to someone as it stands, or:-

b) The code can be cannibalized and put to better use by anyone wishing to experiment and customize.

The script makes use of a few simple functions followed by a menu which is defined using the case/esac statement. In this sense it is not dissimilar from the last script in this series although, of course, it serves a completely different purpose. In Part II of this series I posted a script designed to serve a similar end but it was somewhat buggy and offered considerably less functionality. The current revision offers the following options:-

0 Create Project Folder

1 List Folder Contents

2 Open Folder

3 Open Files For Editing (Gedit)

4 Open Files For Editing (OpenOffice)

5 Open Files For Editing (Bluefish)

6 Backup

7 Backup Individual File (You will need to enter the full path for both target and destination)

8 Encrypt Folder

9 Decrypt folder

Most of these are self-explanatory and the overall purpose of the script is fairly clear. It is designed to allow convenient grouping of associated files in 'project' folders. New folders can be created and files can be accessed with a variety of applications dependent upon their type and file extension. There is also provision for backup ( both of the entire folder and individual files ) and encryption. You will need to install 'ccrypt' and 'bluefish' to take advantage of options 5,8 and 9. The best fun you can have with it tho, is to modify it to suit your own individual requirements. Enjoy!

(If you wish to create a launcher for this script simply right-click on the desktop and select 'Create Launcher' from the context menu. Give it a name and supply the path to the script. YOU MUST also check the 'Run In Terminal' box. Click on the 'No Icon' button and you will be presented with a selection of icons. Choose one and click 'OK'. The icon will appear on your desktop. Drag it onto your top Desktop toolbar. Subsequently all you will need to do is click on the icon on your toolbar and a terminal with the 'Project Manager2' menu will appear on your desktop.)

Get the script here.

D.I.Y Apps Part 5 Text Substitution with RPL

( Reproduced from The Furtive Penguin )

Script here

Recursive text substitution in multiple files is not a task that the average end user is called upon to perform very often. But lets suppose that you have a couple of web sites either with a hosting company or on your own server. Let us suppose further, that you want to change the mailto link address on every page on your site. Not a problem if you only have 5 or 6 pages but what if you have five or six hundred? Clearly, in the absence of an automated text replacement utility, you are going to be spending a lot of quality time with the WISYWIG editor of your choice.

Of course you could always employ the venerable 'sed' command with 'find' and 'exec' but that has limitations and the syntax is possibly the most bizarre and grotesque construction in the whole of Unix! Here is an example:-

find ./path/to/directory -type f -exec sed -i 's/oldtext/newtext/' {} \;

Enter 'rpl'!! The program was written for Debian as a free replacement for the non-free rpl program by Joe Laffey which can be found here. Rpl defines its function in the following terms (from the manual):-

"Basic usage is to specify two strings and one or more filenames or directories on the command line.The first string is the string to replace,and the second string is the replacement string."

One of the joys of 'rpl' is that it will replace text recursively by simply specifying the -R option. If you are running Ubuntu/Debian 'rpl' is available from the repositories. It is of course a command line tool but the man page is amongst the most intelligible and comprehensible that I have ever read.

In keeping with the spirit of this series of articles I could not resist writing a 'Dialog' front end for the 'rpl' program which allows the user to deploy some of its most useful functionality from the GUI. Here is the help file included with the script:-

OPTION 1. prints this help file - OPTION 2. will replace all instances of a text string with a new string in a given file - OPTION 3. will replace all instances of a text string with a new string in all files in a given directory. - OPTION 4. will replace all instances of a text string with a new string in all files in a given directory and all its sub-directories. WORKS WITH TEXT AND HTML FILES ONLY! You will need to enter the full path to all files and folders. This front end script should work equally well for single and multiple word substitutions . RPL is a command line program and it is capable of much more than this. In order to acquaint yourself with the full range of its capabilities consult the manual - man rpl. Enjoy!

As you can see the script allows you to replace text in a single file; in a group of files in a directory or in an entire directory tree. Having access to a tool like this can save hours of arduous labour with an HTML editor. In order to make this work you will need to install 'dialog' and 'rpl'. They are both in the Debian/Ubuntu repositories. I have tested this fairly extensively and it seems to work OK. if you find otherwise please let me know so that I can fix it. Enjoy!

Script here

Click to Enlarge

Embedding Documents With Scribd

Here at the 'Jolly Penguin' we love to embed stuff. What blogger doesn't? Easy access to free quality content is a dream come true. In the past the mighty 'Google' has led the way in this department:- YouTube, Spreadsheet entries via Forms (see earlier post) but today we want to sing the praises of Scribd.

Basically Scribd is a site where you can upload, publish and share your documents. They accept documents in a wide variety of formats (including non-proprietary ones) and offer free accounts with unlimited storage. It is also possible to embed documents in web pages or blog posts, although of course, if you are not the creator of the document you will need to check the licence first.

We have included an example document on this page that we think deserves to be more widely known. It is a collection of 'Unix Administration Horror Stories' compiled by Anatoly N Ivasyuk. The central thesis is that:- "More systems have been wiped out by admins than any hacker could do in a lifetime". Some parts of it make for very chucklesome reading.

Read this doc on Scribd: Unix Administration Horror Stories!!!

Document Details for Unix Administration Horror Stories!!!

Below is another document from Scribd. It consists of the first two installments of an occasional series that we are putting together on Hubpages entitled: "The Linux Command Line For Beginners".

Embedding documents in this way allows you to escape the formatting restrictions of html and the many online wisywig editors provided by blogger, squidoo, hubpages etc. It means that documents can be prepared for easy online distribution using Word Processing or Desktop Publishing software. Scribd is an extremely useful site with great potential.

Read this doc on Scribd: The Linux Command Line For Beginners

Document Details for The Linux Command Line For Beginners