Is there a command that will prevent anyone else from editing the directory I created? They also have admin rights, but I only want to let them read the file, not edit or delete it. I know the chmod commands, but that only sets permissions, and anyone with root privileges can still make the changes.
3 Answers
No. You cannot do anything to prevent other people with root access on the machine from modifying your files or directories. Root users have full access by definition, and any permission or ACL that you could set can be easily unset by them.
True, and of course it's silly to have lots of people with `root` access in the first place if you want to restrict their permissions. However I'll note that if you set ACLs rather than just ordinary file permissions (and perhaps set extended attributes as well to "immutable") then you've at least safeguarded against *newbies* with root access modifying your files. They would have to know what they're doing. (But this is a sort of "security through obscurity" so not reliable.) – Wildcard Jan 20 '16 at 17:38
Yes, there is a solution.
You should just cut the directory and place it on a server where only you have the root access and privilege. Then share that directory with all other users through NFS from that server and restrict them to read access by using root squash.
Reference:
Root squash is a reduction of the access rights for the remote superuser (root) when using identity authentication (local user is the same as remote user). It is primarily a feature of NFS but may be available on other systems as well.
This problem arises when a remote file system is shared by multiple users. These users belong to one or multiple groups. In Unix, every file and folder normally has separate permissions (read, write, execute) for the owner (normally the creator of the file), for the group to which the owner belongs, and for the "world" (all other users). This allows restriction of read and write access only to the authorized users while in general the NFS server must also be protected by firewall.
A superuser has more rights than an ordinary user, being able to change the file ownership, set arbitrary permissions, and access all protected content. Even users that do need to have root access to individual workstations may not be authorized for similar actions on a shared file system. Root squash reduces the rights of the remote root so that it is no longer a superuser. On UNIX-like systems, the root squash option can be turned on and off in the /etc/exports file on the server side.
After implementing the root squash, the authorized superuser performs restricted actions after logging into an NFS server directly and not just by mounting the exported NFS folder.
This is actually the best answer and the only way to do what the OP asked; however, it requires a second server where the other people do not have root access, so it's kind of a stretch. – dr_ Jan 21 '16 at 08:02
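As an added example (not part of the original answer or of any NFS project), here is a POSIX shell check that audits an /etc/exports file for the two options that undo the intent of this answer: `no_root_squash`, which lets a remote root keep uid 0, and `rw`, which lets clients write at all. On Linux nfsd both `root_squash` and `ro` are the defaults, so only an explicit `no_root_squash` or `rw` opens the hole. The export paths, client ranges and sample export lines are constructed for illustration, not taken from a real host; the weak file shows the settings to avoid and the hardened file shows the corrected ones.

```shell
#!/bin/sh
# Added example (not from the original answer): audit an exports file for
# client specs that keep remote root as root or grant write access.
#
# exports(5) line format:  <path> <client>(<opts>) [<client>(<opts>) ...]
# root_squash and ro are nfsd defaults, so we only flag explicit overrides.

# audit_exports FILE
#   prints one "WEAK <path> <client>: reason" line per finding
#   returns 0 if the file is clean, 1 if anything was flagged
audit_exports() {
    file="$1"
    status=0
    set -f                                   # client specs may contain '*'
    while IFS= read -r line || [ -n "$line" ]; do
        line="${line%%#*}"                   # drop comments
        set -- $line                         # split into path + client specs
        [ $# -ge 2 ] || continue             # blank line or path with no clients
        path="$1"; shift
        for spec in "$@"; do
            client="${spec%%\(*}"            # everything before '('
            if [ "$spec" = "$client" ]; then
                opts=""                      # no option list: all defaults
            else
                opts="${spec#*\(}"; opts="${opts%\)}"
            fi
            case ",$opts," in
                *,no_root_squash,*)
                    printf 'WEAK %s %s: remote root keeps uid 0 (no_root_squash)\n' "$path" "$client"
                    status=1 ;;
            esac
            case ",$opts," in
                *,rw,*)
                    printf 'WEAK %s %s: export is writable (rw)\n' "$path" "$client"
                    status=1 ;;
            esac
        done
    done < "$file"
    set +f
    return $status
}

# Constructed sample files (not real hosts). The first is the risky way to
# export the shared directory; the second is what this answer recommends.
WEAK_EXPORTS=$(mktemp)
cat > "$WEAK_EXPORTS" <<'EOF'
# remote root stays root, and everyone can write
/srv/shared   10.0.0.0/24(rw,sync,no_root_squash)
/srv/scratch  *.lab.example(rw)
EOF

HARDENED_EXPORTS=$(mktemp)
cat > "$HARDENED_EXPORTS" <<'EOF'
# read-only, remote root mapped to the anonymous user (root_squash is the
# default, stated explicitly so the intent is visible in review)
/srv/shared   10.0.0.0/24(ro,sync,root_squash)
EOF

# Stand-alone run: report the weak file, then confirm the hardened one is clean.
audit_exports "$WEAK_EXPORTS" || echo "fix the lines above before running exportfs -ra"
audit_exports "$HARDENED_EXPORTS" && echo "hardened exports: no findings"
```

Run it against the live file with `audit_exports /etc/exports` on the NFS server before `exportfs -ra`. Note the limit this answer already implies: root squash only protects data that lives on a server where the other admins have no root; if they can reach the server itself, they can simply edit /etc/exports and re-export with `no_root_squash`.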
Yes. If you make a new group and then add only yourself to that group, you can make sure only that group can edit the file. Here's how: first use groupadd to make a new group
groupadd -g {uniqueid} {newgroupname}
Example:
groupadd -g 1234 newgroup
Now we have to add the user:
sudo usermod -aG {newgroupname} {username}
Now just add the permission for that group to the file. I usually use a GUI for this, so I don't know how to do that using the CLI. Now this all assumes that he has wheel group rights (the default admin group) or admin rights and not root rights, in which case it's impossible.
And what exactly would stop the other admins from adding themselves to the group that owns the file ... ? – dr_ Jan 20 '16 at 17:26
You could just edit the access to the specific commands; almost all Linux commands are stored in /bin/ as files, so just edit their permissions so that they would not be able to access any command able to change their group or add a user with said group. – JelloDude Jan 20 '16 at 17:53
I think root (as a superuser) can still make changes, i.e. edit/delete the files. Plus I have to make the owner Jboss/root for the script to work. – James Jan 20 '16 at 18:25
Read what I wrote: if it's admin rights as specified and not root rights, then this will work. – JelloDude Jan 20 '16 at 18:34
No it doesn't; there's root, who has complete control, and there's admin, who has power over settings, applications and files, though not control over anything root. – JelloDude Jan 22 '16 at 12:39