Preventing non-root users from changing permissions of Unix files (even if they are the owner)

I have this issue where non-root (i.e. non-privileged) UNIX users, or even applications, can
alter or create files that are world-writable, and this easily becomes an audit issue.

As the creator/owner, they can always change the file permissions using chmod.
"umask" can set the default permissions for files created, but this will not stop them
from altering them subsequently.

Can anyone provide sample ACLs, or any other method, such that even the owners of files can't alter
the UNIX file permissions?

Is there any way, without using paid products (open source is fine), to alert us if
file permissions are being changed? Sort of File Integrity Monitoring, but we
don't want to be alerted/notified if file content or dates change, only if
permissions change.

We run Solaris 10 & 11 (both have ACL features) & AIX 6.x/7.x and RHEL 7.x.

Or is there a "find ..." command which we can run daily to identify which files'
permissions changed in the last day?

sunhux (Author) Commented:
It seems like the above URL has something on this, but I just don't know the exact commands to be executed to
deny the owner of a file from doing chmod:

o Permission to change the file's owner or group. Or, the ability to execute the chown or chgrp commands on the file.

Permission to take ownership of a file or permission to change the group ownership of the file to a group of which the user is a member. If you want to change the file or group ownership to an arbitrary user or group, then the PRIV_FILE_CHOWN privilege is required.

We can run a shell script in cron daily to flag files whose permissions were changed in the last day,
but we can't identify who or which job/task did it: or is there a way?
sunhux (Author) Commented:
It will be good if there's an ACL that permits "Everyone" to read/write the file
but "ls -l filename" will not reveal that it's world-writable (as not many know
about "ls -v filename"): I'm OK with this cheat.

I'll also need a sample command that makes it such that any files created
in the folder will auto-inherit a certain permission & ACL (I prefer not to
use 'umask').

For alerting if a file is being accessed, there's an ACL as below, but it will be good
if there's an ACL to write to logs if permissions are changed (from the same Oracle
link above):

Currently, the following flags are only applicable to a CIFS client or server.
Indicates whether an alarm or audit record should be initiated upon a successful access. This flag is used with audit or alarm ACE types.
sunhux (Author) Commented:
Will the following ACL meet my need, and if so, give the exact command to arrive at the following ACL:

ls -v file.1
-rw-r--r--   1 appguy    appgroup      206663 Aug 31 11:53 file.1
     2:owner@:write_owner:deny  <==
         :allow  <==  this allows world-writable, but still won't flag in "ls -l file.1" that it is world-writable?
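The NFSv4-style ACL commands the comments above keep asking for, as an added example for this thread (not from the original post, the replies, or Oracle's documentation). It assumes Solaris 11 on ZFS (Solaris 10 on UFS uses the older setfacl/getfacl syntax and is not covered), file names without spaces, and AWK=nawk on Solaris 10. The entry that governs editing the ACL or mode is `write_acl`; the `write_owner` used in the draft above only covers chown/chgrp. The deny ACE is inserted at index 0 so it is evaluated before the trivial owner@ allow entry (first match wins in NFSv4 ACLs). Three caveats a reviewer would raise: Solaris `ls -l` appends `+` to the mode field of any file carrying a non-trivial ACL, so an everyone@ write_data entry is not actually hidden from `ls -l`; root and any process holding the file privileges are not subject to deny entries; and whether an owner@ deny actually stops the owner's own chmod(2) is decided by the privilege policy as well as the ACL, so verify_as_owner() runs the real test on a scratch file as the owning user before you rely on it. acl_report parses `ls -v` output, including the wrapped continuation lines Solaris prints, applies first-match order, and flags files where everyone@ has write_data and where owner@ still has write_acl.

```shell
#!/bin/sh
# acl_check.sh: Solaris ACL helpers for the thread above. Added example, not from the
# original post. Assumes Solaris 11 on ZFS, paths without spaces, AWK=nawk on Solaris 10.
AWK="${AWK:-awk}"

# lock_file_acl FILE : insert a deny ACE at index 0 so it is matched before the
# trivial owner@ allow entry. write_acl = modify ACL/mode, write_owner = chown/chgrp.
lock_file_acl() {
    chmod A0+owner@:write_acl/write_owner:deny "$1"
}

# unlock_file_acl FILE : remove the entry at index 0 again (index-based removal).
unlock_file_acl() {
    chmod A0- "$1"
}

# set_dir_inheritance DIR : new files and subdirectories inherit an everyone@
# read/write entry and the owner deny entry, without relying on umask.
# Check afterwards: create a file in DIR and confirm with `ls -v` that the deny
# entry precedes the owner@ allow entry, and run `zfs get aclinherit <dataset>`;
# with the default "restricted" write_acl/write_owner are removed from inherited
# entries, so the deny may need aclinherit=passthrough to survive inheritance.
set_dir_inheritance() {
    chmod A+everyone@:read_data/write_data/append_data:file_inherit/dir_inherit:allow "$1"
    chmod A0+owner@:write_acl/write_owner:file_inherit/dir_inherit:deny "$1"
}

# verify_as_owner FILE USER : the only reliable test. Run chmod as the owning user on a
# scratch file and report whether the deny ACE actually stopped it.
verify_as_owner() {
    if su - "$2" -c "chmod 777 '$1'" >/dev/null 2>&1; then
        echo "NOT BLOCKED: $2 could still chmod $1"; return 1
    fi
    echo "blocked: chmod on $1 denied for $2"; return 0
}

# acl_report < ls-v-output : per file, print "WORLD_WRITE <file>" when the first
# everyone@ entry mentioning write_data is an allow, and "OWNER_WRITE_ACL <file>"
# when the first owner@ entry mentioning write_acl is an allow. Named user:/group:
# entries are not evaluated; the ACE on the header line's last field is the file name.
acl_report() {
    "$AWK" '
        # first ACE that mentions a permission for a principal decides it
        function note(a,   n, f, who, perms, type, p, i, k) {
            n = split(a, f, ":"); who = f[2]; perms = f[3]; type = f[n]
            for (i = split(perms, p, "/"); i > 0; i--) {
                k = who ":" p[i]
                if (!(k in decided)) decided[k] = type
            }
        }
        function report() {
            if (ace != "") { note(ace); ace = "" }
            if (file == "") return
            if (decided["everyone@:write_data"] == "allow") print "WORLD_WRITE " file
            if (decided["owner@:write_acl"] == "allow")     print "OWNER_WRITE_ACL " file
            split("", decided); file = ""
        }
        /^[-dlbcps][rwxsStT-]/ { report(); file = $NF; next }       # ls -l style header
        /^[ \t]*[0-9]+:/       { if (ace != "") note(ace); sub(/^[ \t]*/, ""); ace = $0; next }
        /^[ \t]+[^ \t]/        { sub(/^[ \t]*/, ""); ace = ace $0; next }  # wrapped ACE
        END { report() }
    '
}

case "${1:-}" in
    lock)    lock_file_acl "$2" ;;
    unlock)  unlock_file_acl "$2" ;;
    inherit) set_dir_inheritance "$2" ;;
    verify)  verify_as_owner "$2" "$3" ;;
    report)  acl_report ;;
esac
```

Typical use is `sh acl_check.sh lock /opt/app/file.1`, then `ls -v /opt/app/* | sh acl_check.sh report` from the same daily cron job that audits modes, and `sh acl_check.sh verify /opt/app/scratch appguy` once per release to confirm the deny behaves the way you expect on that kernel.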

David Favor (Linux/LXD/WordPress/Hosting Savant) Commented:
This will only occur if you're using some sort of custom permission settings.

If you use a standard distro, like Ubuntu, + set up your user creation skeletons correctly, then users will only have access to their own files + even if they create a world-readable file, if their /home directory is set up to 700, no other user can read these files.

Likely good to take this approach, to lock down user files from each other. provides a good overview of skeleton settings along with logins.def, which together can be used to lock down user files by default... meaning each new user's files are locked down, without you having to take any additional admin actions.
sunhux (Author) Commented:
This did not quite address how to prevent file owners from changing the permissions of a file.

Any free tools for Solaris and AIX to help with this?
A simpler way might be to remove access to the chmod command and give it only to root.
chmod 700 /bin/chmod
sunhux (Author) Commented:
OK, this will restrict 'chmod' to root users only. However, I still have this issue where the apps' files need to be writable by their apps: what tool can I use to check which process is writing to a file, and can you review whether my ACL above is syntactically OK and workable?
You can use suid or sgid along with the sticky bit to control app access to their respective files.

lsof is the command to find open files and the associated process.
