(Reproduced from The Furtive Penguin)
Monday, August 11, 2008
The War Against Tedium In The GUI
Protect Your Files and Folders with Chattr and Lcap
(Reproduced from The Furtive Penguin)
A recurring theme in the endless series of "Is Linux Ready for the Desktop?" articles is the proposition that using the Bash shell is too complex for the average user. The underlying assumption being that the "average user" is only capable of clicking buttons in a GUI and will be confused beyond all hope of recall if he/she has to type a couple of syllables in a terminal. I believe that this is every bit as false as it is insulting. Heres the truth:-
The bash shell is:-
1. Easy
2. Fun
The specific purpose of this article is to introduce the chattr command and the LCAP utility. Both of these tools are easy to master and of considerable use to any linux user who wishes to protect vital files or folders. Let's suppose that your computer and user account are shared. Perhaps you allow the kids to use it from time to time to play godawful online flash-based games. The day will inevitably come when they decide to explore the contents of your home folder and just as inevitably they will want to experiment with the right-click context menu. How can you prevent an orgy of "accidental" file deletion and protect your vital work or finance-related folders?
Most distro's come with chattr installed by default. Lcap will need to be installed independently, though if you use Ubuntu it is available in the repositories. Simply fire up synaptic and search for "lcap". If you are using another distro packages are available from the following sources.
Now we will set the immutable bit on the files that we wish to protect. Files or folders with the immutable bit set cannot be moved, deleted, renamed or appended to. They are immutable and consequently safe from the ravages of the juvenile hordes. So, how does it work? Open a terminal. Firstly you will need to su to root on most linux distro's. On Ubuntu, of course you would use the sudo command and issue your admin password when requested. Heres the full command:-
chattr +i /some/file/or/folder OR ( on Ubuntu )
sudo chattr +i /some/file/or/folder
This command effectively sets the immutable bit on your selected file or folder. If you want to make a folder and all its contents immutable, do this:-
chattr -R +i /some/file/or/folder OR ( on Ubuntu )
sudo chattr -R +i /some/file/or/folder
To remove the immutable bit you simply issue the following command:-
chattr -i /some/file/or folder OR ( on Ubuntu )
sudo chattr -i /some/file/or/folder
What could be simpler?
If on the other hand you seek protection from a slightly more sophisticated threat, perhaps from someone with whom you share a computer who also knows your administrative password, you might resort to using lcap. Lcap removes from the superuser the capability to set or unset the immutable bit ( amongst other things ). If you summon lcap with no arguments you will be presented with a list of capabilities, we are primarily interested in CAP_LINUX_IMMUTABLE. To remove root's ability to set or unset this bit, do the following:-
lcap CAP_LINUX_IMMUTABLE
Below are some shots of the terminal before and after issuing this command. You will plainly see that the asterisk after CAP_LINUX_IMMUTABLE is missing from the second shot denoting that this capability has been successfully removed from the superuser. But dont worry this is not irreversible! It can only be reversed however, by rebooting the system.
Before
After
OK so this is not foolproof but it does provide a fair degree of protection and should be sufficient to safeguard against any but the most determined and knowledgeable vandals. Anyone seeking further information about chattr or lcap should consult the appropriate man pages or the links provided on this article's linkslist page. Hope someone finds this helpful.
Share And Protect
(Reproduced from The Furtive Penguin)
Access Controls With ACL and Eiciel
Traditionally Unix-based systems have dealt with the issue of sharing access to files and folders by tweaking group permissions. As the numbers of new Linux adopters grows in the wake of the Dell and Walmart initiatives perhaps it is time to publicize a more intuitive ( and GUI based ) option. Linux is designed from the ground up to be a multi-user system and family machines are likely to have more than one user account if only to keep the kids from 'accidentally' deleting important files. But what if you want to share certain resources amongst all users on a system? The easiest solution is to create a 'shared' folder in the /home directory and manage access using ACL's.
To do this you need to issue the following command as root:-
mkdir /home/shared
or sudo mkdir /home/shared ( if you are using Ubuntu )
If you are reasonably confident that no adverse security consequences will result you can make this folder world-writable thus:-
chmod 666 /home/shared
or sudo chmod 666 /home/shared ( Ubuntu )
If you want some other user ( besides root ) to own this folder, lets say 'userone', you would do the following:-
chown userone /home/shared
or sudo chown userone /home/shared ( Ubuntu )
Now in order to give you fine-grained control over the contents of this folder and generally make the whole thing work as intended we need to install two packages and tweak one configuration file. The packages in question are 'acl' and 'eiciel', On an Ubuntu system these can be installed with the following commands ( or via Synaptic if you prefer to use the GUI ):-
apt-get install acl
apt-get install eiciel
The 'acl' package gives you access to two commands, 'getfacl' and 'setfacl' which allow you to view and set access control lists at the command line. The 'eiciel' package adds a new tab to the 'properties' view in Nautilus which essentially does the same thing in the GUI. See screenshot below:-
Access Control List Tab in the Nautilus Properties Dailog Box
As you can see this panel allows me, the owner, ( userone ) to grant usertwo read, write or execute permissions on a per file basis. Consequently you can add files to your shared folder with confidence. Each file can have its own individualized user profile and no one need have more permissions than they need or can be trusted with. At the same time everything in the folder can be made readable by all users on the system.
In order to make this work there is one more essential step. You need to edit a system file called /etc/fstab.( BE CAREFUL! Back it up first in case of disaster. ) You will need to open an editor and insert 'acl' in the appropriate place. See 'before' and 'after' example below:-
BEFORE
/dev/hda1 /boot ext3 defaults 0 2 #size=100
/dev/hda2 none swap sw 0 0 #size=250
/dev/hda3 / ext3 defaults,errors=remount-ro 0 1 #size=remaining
/dev/fd0 /floppy auto defaults,user,noauto 0 0
/dev/cdrom /cdrom iso9660 defaults,ro,user,noauto 0 0
proc /proc proc defaults 0 0
AFTER
/dev/hda1 /boot ext3 defaults 0 2 #size=100
/dev/hda2 none swap sw 0 0 #size=250
/dev/hda3 / ext3 defaults,errors=remount-ro,acl 0 1 #size=remaining
/dev/fd0 /floppy auto defaults,user,noauto 0 0
/dev/cdrom cdrom iso9660 defaults,ro,user,noauto 0 0
proc /proc proc defaults 0 0
Insert 'acl' in the line that refers to the partition you want to use access control lists on and reboot. When your machine restarts you will be able to use eiciel in the GUI ( or 'getfacl' and 'setfacl' from the command line ) to set up acl's.
And thats all there is to it! I hope someone finds this helpful.