3

I am trying to make an immutable file that anyone can only read and cannot modify in any way, i.e. no one can write to it, delete it or move it. For this I referred to chattr, the Linux command.

chattr +i filename.txt 

This command makes the file immutable, but if any other person logs in as root in Linux then he can remove this immutability by

chattr -i filename.txt

So I want to make some script/code/command, anything, so that when I make the file immutable, then only by running this script/code/command, and only then, should the file become mutable so anyone can modify it, otherwise not.

I also referred to the chattr GitHub code. I came to know that they used the ioctl function and flags to mask this file and make it immutable, but I didn't find anything more than this.

There is another way to do it in Solaris OS by using zfs, but it is not working in Ubuntu because of the different platform. Is there any way to do it?

Any suggestion or solution appreciated.

Omkar
  • I don't understand how "running these script/code/command" is conceptually any different from running chattr -i and chattr +i. Fundamentally there is only one root account so any restriction that one person can put in place as root can be removed by anyone else who has root privileges. – steeldriver Dec 23 '19 at 22:44
  • @steeldriver You didn't understand my question. I know the root account can make changes, but my task is that the root account cannot make the file mutable until someone (any user or system) runs a particular script/code/command. And my task is to write this script/code/command. – Omkar Dec 24 '19 at 05:26
  • A bit late to the party, but would it be sufficient to put that file onto a filesystem that is mounted read-only? Root could still change it by remounting, but this would probably not happen by accident. On the other hand: you mentioned "system" making changes - what user is that? – cyberbrain Sep 22 '25 at 10:43
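
The ioctl mechanism the question mentions, as an added example that is not part of the original post and not the chattr project's own code: it reads the inode flags to audit whether the immutable bit is still set, and shows why root can always clear it. The function names and the constructed usage are assumptions of this example.

```c
#include <fcntl.h>
#include <linux/fs.h>   /* FS_IOC_GETFLAGS, FS_IOC_SETFLAGS, FS_IMMUTABLE_FL */
#include <stdio.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Read the inode flags of path into *flags. Returns 0, or -1 on error
 * (missing file, or a filesystem that does not support inode flags). */
int get_inode_flags(const char *path, int *flags)
{
    int fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return -1;
    int rc = ioctl(fd, FS_IOC_GETFLAGS, flags);
    close(fd);
    return rc == 0 ? 0 : -1;
}

/* Pure helper: is the immutable bit present in a flags word? */
int flags_immutable(int flags)
{
    return (flags & FS_IMMUTABLE_FL) != 0;
}

/* What chattr +i (on != 0) and chattr -i (on == 0) boil down to.
 * The kernel permits changing this bit only with CAP_LINUX_IMMUTABLE,
 * which root holds by default, so any root process can make this call. */
int set_immutable(const char *path, int on)
{
    int flags, fd = open(path, O_RDONLY | O_NONBLOCK);
    if (fd < 0)
        return -1;
    if (ioctl(fd, FS_IOC_GETFLAGS, &flags) != 0) { close(fd); return -1; }
    flags = on ? (flags | FS_IMMUTABLE_FL) : (flags & ~FS_IMMUTABLE_FL);
    int rc = ioctl(fd, FS_IOC_SETFLAGS, &flags);
    close(fd);
    return rc == 0 ? 0 : -1;
}

/* Audit use: exit 0 if the flag is set, 1 if it was cleared, 2 on error. */
int main(int argc, char **argv)
{
    int flags;
    if (argc != 2) { fprintf(stderr, "usage: %s FILE\n", argv[0]); return 2; }
    if (get_inode_flags(argv[1], &flags) != 0) { fprintf(stderr, "%s: cannot read inode flags\n", argv[1]); return 2; }
    printf("%s: immutable flag %s\n", argv[1], flags_immutable(flags) ? "set" : "NOT set");
    return flags_immutable(flags) ? 0 : 1;
}
```

Run periodically against filename.txt, the exit status gives a monitoring job a way to notice that someone has run chattr -i, which is detection rather than prevention.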

2 Answers

1

Root is a special user that can do whatever it wants; it is needed for a lengthy list of reasons. Having another person access your machine as root means giving them access to everything in the machine, with no restrictions. Every rule you enforce on the system, the root user can bypass.

In your case it seems like you want to limit access to other people, so having them use root is not the way to go. You either have secure files or give the root password around.

If you are not giving the root password to anyone and are afraid that another user might change stuff with sudo, then you can restrict them, and this was the reason to introduce sudo in the first place. Sudo policies can be changed in the sudoers file, thus allowing you to restrict other users' power on your machine.

If you want to restrict a single command, like chattr, I would suggest writing an AppArmor profile.

0

Generally, root can undo what root can do, but,

Burn the file to a Write-Once-Read-Only device like a Compact Disk (CD-ROM) or a Digital Video Disk (DVD).

Each of these requires specific drive hardware.

Then nobody, not even root, can change it.