Preventing non-root users from changing permission of Unix files (even if they are the owner)

I have this issue where non-root (i.e. non-privileged) UNIX users or even applications could
alter or create files that are world-writable, and this will easily become an audit issue.

As the creator/owner, they can always change the file permission using chmod.
"umask" can set the default settings for files created, but this will not stop them
from altering them subsequently.

Q1:
Can anyone provide sample ACLs or any method such that even owners of files can't alter
the UNIX file permissions?

Q2:
Is there any way without using paid products (open source is fine) to alert us if
file permissions are being changed?  Sort of File Integrity Monitoring, but we
don't want to be alerted/notified if file content or dates are changed, only if
permissions are changed.

We run Solaris 10 & 11 (both have ACL features), AIX 6.x/7.x and RHEL 7.x.

Or is there a "find ..." command which we can run daily to identify which files'
permissions got changed in the last 1 day?

sunhux Asked:
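As an added example (not from the question or any of the answers), one way to get the daily check asked for in Q2 without a full FIM product: the script below snapshots the symbolic mode of every object under a tree, reports only the objects whose mode differs from the previous run (content and date changes are ignored), and separately lists the world-writable files an audit would flag. It assumes only ls, find and awk so that it behaves the same on Solaris, AIX and RHEL, and it assumes no path contains spaces or newlines.

```shell
#!/bin/sh
# permwatch.sh: daily permission-change check (added example, not from the thread).
# Records the symbolic mode of every object under a tree and reports only the
# objects whose mode differs from the previous run; edits to content or dates are
# ignored.  Only ls, find and awk are used because stat(1) differs between the
# Solaris, AIX and GNU userlands.  Assumption: no path contains spaces or newlines.

export LC_ALL=C

# snapshot DIR: print "mode path" for every object under DIR.  When an ACL is
# present ls appends '+' to the mode, so an added ACL is reported as a change too.
snapshot() {
    find "$1" -print | while IFS= read -r p; do
        printf '%s %s\n' "$(ls -ld "$p" | awk '{ print $1 }')" "$p"
    done
}

# diff_modes BASELINE CURRENT: print "path old_mode new_mode" per changed object;
# objects that did not exist at baseline time are reported with old mode "(new)".
diff_modes() {
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         !($2 in base)       { print $2, "(new)", $1; next }
         base[$2] != $1      { print $2, base[$2], $1 }' "$1" "$2"
}

# world_writable DIR: regular files that any user may write, i.e. the audit finding.
world_writable() {
    find "$1" -type f -perm -002 -print
}

# Usage from cron: permwatch.sh DIR BASELINE_FILE
# The first run only writes the baseline; later runs print the changes and refresh it.
if [ $# -eq 2 ]; then
    snapshot "$1" > "$2.new"
    if [ -f "$2" ]; then
        diff_modes "$2" "$2.new"
    fi
    mv "$2.new" "$2"
fi
```

The report tells you which files changed and how, not who did it; for the "who", the platform audit subsystem (Solaris auditing, AIX audit, auditd on RHEL) is the place to look.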
 
serialband Commented:
You can use suid or sgid along with the sticky bit to control app access to their respective files.  https://en.wikipedia.org/wiki/Setuid

lsof is the command to find open files and the associated process.
 
sunhux (Author) Commented:
https://docs.oracle.com/cd/E19120-01/open.solaris/817-2271/ftyxi/index.html
Seems like the above URL has something on this, but I just don't know the exact commands to execute to
deny the owner of a file from doing chmod:

write_owner
==========

Permission to change the file's owner or group. Or, the ability to execute the chown or chgrp commands on the file.

Permission to take ownership of a file or permission to change the group ownership of the file to a group of which the user is a member. If you want to change the file or group ownership to an arbitrary user or group, then the PRIV_FILE_CHOWN privilege is required.


We can run a shell script in cron daily to flag files whose permissions were changed in the last 1 day,
but we can't identify who or which job/task did it: or is there a way?
 
sunhux (Author) Commented:
Will be good if there's an ACL that permits "Everyone" to read/write the file,
but "ls -l filename" will not reveal it's world-writable (as not many know
about "ls -v filename"): I'm OK with this cheat.

I'll also need a sample command that makes it such that any files created
in the folder will auto-inherit a certain permission & ACL (prefer not to
use 'umask').

For alerting if a file is being accessed, there's an ACL as below, but it will be good
if there's an ACL to write to logs if the permission is changed (from the same Oracle
link above):

Currently, the following flags are only applicable to a CIFS client or server.
successful_access
===============
Indicates whether an alarm or audit record should be initiated upon a successful access. This flag is used with audit or alarm ACE types.
 
sunhux (Author) Commented:
Will the following ACL meet my need, and if so, give the exact command to arrive at the following ACL:

ls -v file.1
-rw-r--r--   1 appguy    appgroup      206663 Aug 31 11:53 file.1
     0:owner@:execute:deny
     1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl:allow
     2:owner@:write_owner:deny  <==
     3:group@:write_data/append_data/execute:deny
     4:group@:read_data:allow
     5:everyone@:write_data/append_data/write_xattr/execute/write_attributes
         :allow  <==  this allows world-writable, but still won't flag in "ls -l file.1" that it is world-writable?
     6:everyone@:write_acl/write_owner:deny
     7:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow
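As an added example (not from the thread), the auditor-side counterpart to the "cheat" above: a shell function that parses the text "ls -v" prints and reports files whose NFSv4 ACL lets everyone@ write, applying first-match ordering so that an everyone@ deny listed before the allow wins. The listing above is embedded as constructed sample input, together with a second constructed file (file.2) whose deny precedes the allow and must therefore not be reported.

```shell
#!/bin/sh
# aclaudit.sh (added example, not from the thread): find files that are writable
# by everyone through an NFSv4 ACL even though "ls -l" shows -rw-r--r--.
# Input is what "ls -v" prints, e.g.:  ls -v /app/data/* | acl_world_writable

# Constructed sample: the ACL from the thread plus a second file (file.2) whose
# everyone@ deny precedes the allow and so must not be reported.
sample_ls_v() {
cat <<'EOF'
-rw-r--r--   1 appguy    appgroup      206663 Aug 31 11:53 file.1
     0:owner@:execute:deny
     1:owner@:read_data/write_data/append_data/write_xattr/write_attributes
         /write_acl:allow
     2:owner@:write_owner:deny
     3:group@:write_data/append_data/execute:deny
     4:group@:read_data:allow
     5:everyone@:write_data/append_data/write_xattr/execute/write_attributes
         :allow
     6:everyone@:write_acl/write_owner:deny
     7:everyone@:read_data/read_xattr/read_attributes/read_acl/synchronize
         :allow
-rw-r--r--   1 appguy    appgroup        1024 Aug 31 11:55 file.2
     0:everyone@:write_data:deny
     1:everyone@:write_data/append_data:allow
     2:everyone@:read_data:allow
EOF
}

# NFSv4 ACLs are evaluated first-match per permission bit: walk the everyone@
# entries in order and let the first one that mentions write_data decide.
acl_world_writable() {
    awk '
    function flush(    f, type) {             # evaluate the buffered ACE
        if (ace == "") return
        split(ace, f, ":")                    # f[1]=index f[2]=who f[3]=perms f[4]=type
        type = f[4]; sub(/[ \t].*/, "", type) # drop trailing annotations such as "<=="
        if (f[2] == "everyone@" && !decided && index("/" f[3] "/", "/write_data/")) {
            decided = 1
            if (type == "allow") print file ": world-writable via ACE " f[1] " (" ace ")"
        }
        ace = ""
    }
    /^[ \t]+[0-9]+:/ { flush(); ace = $0; sub(/^[ \t]+/, "", ace); next }  # new ACE
    /^[ \t]+/        { sub(/^[ \t]+/, "", $0); ace = ace $0; next }        # wrapped ACE
                     { flush(); file = $NF; decided = 0 }                   # ls header
    END              { flush() }'
}
```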
 
David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
This will only occur if you're using some sort of custom permission settings.

If you use a standard distro, like Ubuntu, and set up your user creation skeletons correctly, then users will only have access to their own files, and even if they create a world-readable file, if their /home directory is set to 700, no other user can read these files.

Likely good to take this approach, to lock down user files from each other.

https://superuser.com/questions/303910/ubuntu-default-access-mode-permissions-for-users-home-dir-home-user provides a good overview of skeleton settings along with logins.def, which together can be used to lock down user files by default... meaning each new user's files are locked down without you having to take any additional admin actions.
 
sunhux (Author) Commented:
Did not quite address how to prevent file owners from changing permission of file.

Any free tools for Solaris and AIX to help with this?
 
serialband Commented:
A simpler way might be to remove access to the chmod command and give it only to root.
chmod 700 /bin/chmod
 
sunhux (Author) Commented:
OK, this will restrict 'chmod' to root users only.  However, I still have this issue where the apps' files need to be writable by their apps: what tool can I use to check which process is writing to the file, and can I review whether my ACL above is syntactically OK and workable?