sunhux
asked on
Preventing non-root users from changing permission of Unix files (even if they are the owner)
I have this issue where non-root (ie non-priv) UNIX users or even applications could
alter or create files that are world-writable & this will easily become an audit issue.
As the creator/owner, they can always change the file permission using chmod.
"umask" can set the default settings for files created but this will not stop them
from altering it subsequently.
Q1:
Can provide sample ACLs or any method such that even owners of files can't alter
the UNIX file permission?
Q2:
Is there any way without using paid products (OpenSource is fine) to alert us if
file permissions are being changed? Sort of File Integrity Monitoring but we
don't want to be alerted/notified if file content or dates are changed, only if
permission is changed.
We run Solaris 10 & 11 (both have ACL features) & AIX 6.x/7.x and RHEL 7.x.
Or is there a "find ..." command which we can run daily to identify which files'
permissions got changed the last 1 day?
alter or create files that are world-writable & this will easily become an audit issue.
As the creator/owner, they can always change the file permission using chmod.
"umask" can set the default settings for files created but this will not stop them
from altering it subsequently.
Q1:
Can provide sample ACLs or any method such that even owners of files can't alter
the UNIX file permission?
Q2:
Is there any way without using paid products (OpenSource is fine) to alert us if
file permissions are being changed? Sort of File Integrity Monitoring but we
don't want to be alerted/notified if file content or dates are changed, only if
permission is changed.
We run Solaris 10 & 11 (both have ACL features) & AIX 6.x/7.x and RHEL 7.x.
Or is there a "find ..." command which we can run daily to identify which files'
permissions got changed the last 1 day?
ASKER
Will be good if there's an ACL that permit "Everyone" to read/write the file
but "ls -l filename" will not reveal it's world writable (as not many knows
about "ls -v filename" : I'm Ok with this cheat.
I'll also need a sample command that makes it such that any files created
in the folder will auto-inherit a certain permission & ACL (prefer not to
use 'umask')
For alerting if file is being accessed, there's ACL as below but will be good
if there's ACL to write to logs if permission is changed (fr the same Oracle
link above) :
Currently, the following flags are only applicable to a CIFS client or server.
successful_access
===============
Indicates whether an alarm or audit record should be initiated upon a successful access. This flag is used with audit or alarm ACE types.
but "ls -l filename" will not reveal it's world writable (as not many knows
about "ls -v filename" : I'm Ok with this cheat.
I'll also need a sample command that makes it such that any files created
in the folder will auto-inherit a certain permission & ACL (prefer not to
use 'umask')
For alerting if file is being accessed, there's ACL as below but will be good
if there's ACL to write to logs if permission is changed (fr the same Oracle
link above) :
Currently, the following flags are only applicable to a CIFS client or server.
successful_access
===============
Indicates whether an alarm or audit record should be initiated upon a successful access. This flag is used with audit or alarm ACE types.
ASKER
Will the following ACL meet my need & if so, give the exact command to arrive at following ACL :
ls -v file.1
-rw-r--r-- 1 appguy appgroup 206663 Aug 31 11:53 file.1
0:owner@:execute:deny
1:owner@:read_data/write_d
/write_acl:allow
2:owner@:write_owner:deny <==
3:group@:write_data/append
4:group@:read_data:allow
5:everyone@:write_data/app
:allow <== this allow world-writable but still wont flag out in "ls -l file.1" that it is world-writable?
6:everyone@:write_acl/writ
7:everyone@:read_data/read
:allow
ls -v file.1
-rw-r--r-- 1 appguy appgroup 206663 Aug 31 11:53 file.1
0:owner@:execute:deny
1:owner@:read_data/write_d
/write_acl:allow
2:owner@:write_owner:deny <==
3:group@:write_data/append
4:group@:read_data:allow
5:everyone@:write_data/app
:allow <== this allow world-writable but still wont flag out in "ls -l file.1" that it is world-writable?
6:everyone@:write_acl/writ
7:everyone@:read_data/read
:allow
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Did not quite address how to prevent file owners from changing permission of file.
Any free tools for Solaris n AIX to help with this?
Any free tools for Solaris n AIX to help with this?
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Ok this will restrict the 'chmod' to only root users. However, I still have this issue where the apps files need to be writable to their apps : what tool can I use to check which process is writing to the file & can review if my ACL above is syntactically Ok & workable?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Seems like above URL has something on this but I just don't know the exact commands to be executed to
deny owner of file from doing chmod :
write_owner
==========
o Permission to change the file's owner or group. Or, the ability to execute the chown or chgrp commands on the file.
Permission to take ownership of a file or permission to change the group ownership of the file to a group of which the user is a member. If you want to change the file or group ownership to an arbitrary user or group, then the PRIV_FILE_CHOWN privilege is required.
We can run Shell script in cron daily to flag out files whose permission was changed the last 1 day
but we can't identify who or which job/task did it : or is there a way?