

Preventing non-root users from changing permission of Unix files (even if they are the owner)

Posted on 2017-10-20
Medium Priority
Last Modified: 2017-11-19
I have this issue where non-root (i.e. non-priv) UNIX users or even applications could
alter or create files that are world-writable & this will easily become an audit issue.

As the creator/owner, they can always change the file permission using chmod.
"umask" can set the default settings for files created but this will not stop them
from altering it subsequently.

Can anyone provide sample ACLs or any method such that even owners of files can't alter
the UNIX file permission?

Is there any way without using paid products (OpenSource is fine) to alert us if
file permissions are being changed?  Sort of File Integrity Monitoring but we
don't want to be alerted/notified if file content or dates are changed, only if
permission is changed.

We run Solaris 10 & 11 (both have ACL features) & AIX 6.x/7.x and RHEL 7.x.

Or is there a "find ..." command which we can run daily to identify which files'
permissions got changed in the last 1 day?
Question by:sunhux

Author Comment

ID: 42337977
Seems like above URL has something on this but I just don't know the exact commands to be executed to
deny owner of file from doing chmod :

o Permission to change the file's owner or group. Or, the ability to execute the chown or chgrp commands on the file.

Permission to take ownership of a file or permission to change the group ownership of the file to a group of which the user is a member. If you want to change the file or group ownership to an arbitrary user or group, then the PRIV_FILE_CHOWN privilege is required.

We can run a shell script in cron daily to flag out files whose permission was changed in the last 1 day
but we can't identify who or which job/task did it; or is there a way?
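
The daily permission-only check asked about in this thread, as an added example that is not part of any post: it snapshots mode, owner and group for every regular file, diffs against the previous snapshot, and lists world-writable files, so content and date changes never trigger a report. The function names and the baseline directory are assumptions; it relies only on `find`, `ls -ld`, `awk` and `sort`.

```shell
#!/bin/sh
# Added example: permission-only change detection (contents and dates ignored).
# Function names and BASE_DIR are hypothetical. On Solaris use nawk for awk.
# Limitation: file names containing newlines are not handled.

# perm_snapshot DIR: print one "mode owner group path" line per regular file.
perm_snapshot() {
    ( unset TIME_STYLE; LC_ALL=C; export LC_ALL   # fixed ls -l column layout
      find "$1" -type f -exec ls -ld {} + |
      awk '{ p = $9; for (i = 10; i <= NF; i++) p = p " " $i
             print $1, $3, $4, p }' | sort -k4 )
}

# perm_changes OLD NEW: print "path: old -> new" where mode/owner/group differ.
perm_changes() {
    awk '
        { key = $4; for (i = 5; i <= NF; i++) key = key " " $i
          val = $1 " " $2 " " $3 }
        FILENAME == ARGV[1] { old[key] = val; next }
        (key in old) && old[key] != val { print key ": " old[key] " -> " val }
    ' "$1" "$2"
}

# world_writable DIR: list regular files with the other-write bit set.
world_writable() {
    find "$1" -type f -perm -0002 -print
}

# Cron driver: runs only when called with exactly one directory argument.
if [ "$#" -eq 1 ]; then
    BASE_DIR=${BASE_DIR:-/var/lib/permwatch}   # hypothetical, root-owned, mode 700
    base="$BASE_DIR/$(printf '%s' "$1" | tr / _)"
    perm_snapshot "$1" > "$base.new"
    if [ -f "$base" ]; then perm_changes "$base" "$base.new"; fi
    world_writable "$1"
    mv "$base.new" "$base"
fi
```

The diff shows what changed, not who changed it; attributing a chmod to a user or process needs the operating system's audit facility rather than a snapshot.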

Author Comment

ID: 42338006
Will be good if there's an ACL that permits "Everyone" to read/write the file
but "ls -l filename" will not reveal it's world-writable (as not many know
about "ls -v filename"): I'm OK with this cheat.

I'll also need a sample command that makes it such that any files created
in the folder will auto-inherit a certain permission & ACL (prefer not to
use 'umask')

For alerting if a file is being accessed, there's an ACL as below but it will be good
if there's an ACL to write to logs if permission is changed (from the same Oracle
link above):

Currently, the following flags are only applicable to a CIFS client or server.
Indicates whether an alarm or audit record should be initiated upon a successful access. This flag is used with audit or alarm ACE types.

Author Comment

ID: 42338104
Will the following ACL meet my need & if so, give the exact command to arrive at following ACL :

ls -v file.1
-rw-r--r--   1 appguy    appgroup      206663 Aug 31 11:53 file.1
     2:owner@:write_owner:deny  <==
         :allow  <==  this allow world-writable  but still wont flag out in "ls -l file.1" that it is world-writable?

LVL 22

Assisted Solution

by:David Favor
David Favor earned 500 total points
ID: 42338105
This will only occur if you're using some sort of custom permission settings.

If you use a standard Distro, like Ubuntu + set up your user creation skeletons correctly, then users will only have access to their own files + even if they create a world readable file, if their /home directory is set up to 700, no other user can read these files.

Likely good to take this approach, to lock down user files from each other.

https://superuser.com/questions/303910/ubuntu-default-access-mode-permissions-for-users-home-dir-home-user provides a good overview of skeleton settings along with login.defs which together can be used to lock down user files, by default... meaning each new user's files are locked down, without you having to take any additional admin actions.

Author Comment

ID: 42338923
Did not quite address how to prevent file owners from changing permission of file.

Any free tools for Solaris and AIX to help with this?
LVL 32

Assisted Solution

serialband earned 1500 total points
ID: 42339757
A simpler way might be to remove access to the chmod command and give it only to root.
chmod 700 /bin/chmod

Author Comment

ID: 42345618
Ok this will restrict the 'chmod' to only root users.  However, I still have this issue where the apps files need to be writable to their apps : what tool can I use to check which process is writing to the file & can review if my ACL above is syntactically Ok & workable?
LVL 32

Accepted Solution

serialband earned 1500 total points
ID: 42345624
You can use suid or sgid along with the sticky bit to control app access to their respective files.  https://en.wikipedia.org/wiki/Setuid

lsof is the command to find open files and the associated process.
