0

I have a file with 777 permissions. How can I prevent others from changing the ownership of that file? I.e., I need to prevent chown x:y myfile

myfile is actually a log file written from the web. Its ownership is www-data.

Harikrishnan

1 Answer

4

Only root can change ownership of the file, so you don't have to worry about that.

You do however have to worry about the permissions. A logfile shouldn't be world writable. You don't want everybody to write the file in arbitrary ways. You only want them to append to the file. You cannot do that with conventional unix permissions, but you have other options.

You may be able to achieve this with ACLs. Otherwise this question has information about making a file append-only for everyone and not just others.

An even better approach may be to do your logging through syslog.

kasperd
  • Only root can change ownership of the file -- but if the file is in a directory where the attacker has write permission, then that attacker can rename the file to something else and create a new file owned by himself with the original name. The attacker did not really change the ownership of the file, but the effect is almost the same. Of course, you should not have drwxrwxrwx any more than you should have -rwxrwxrwx! Only the drwxrwxrwt is acceptable (and only because legitimate programs use /tmp). – Law29 Dec 21 '15 at 21:39
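
A check for the two weaknesses named in the answer and the comment above, as an added example that is not part of the original posts: it flags a world-writable log file and a world-writable parent directory that lacks the sticky bit. The function names `has_mode` and `audit_log` are hypothetical, and only classic mode bits are inspected.

```shell
#!/bin/sh
# Added example (not from the original posts). Inspects classic mode bits only;
# ACLs and file attributes such as append-only are not evaluated.

# has_mode PATH BITS: succeed if PATH has every permission bit in BITS set.
has_mode() {
    case $1 in
        /*) p=$1 ;;
        *)  p=./$1 ;;   # keep find from parsing a leading "-" as an option
    esac
    # -H follows a symlink named on the command line; -prune stops descent.
    [ -n "$(find -H "$p" -prune -perm "-$2" 2>/dev/null)" ]
}

# audit_log FILE: print one finding per line.
# Returns 0 if clean, 1 if any finding, 2 if FILE does not exist.
audit_log() {
    file=$1
    if [ ! -e "$file" ]; then
        echo "MISSING $file"
        return 2
    fi
    dir=$(dirname -- "$file")
    findings=0

    # World-writable log: any local user can rewrite or truncate it.
    if has_mode "$file" 0002; then
        echo "FILE_WORLD_WRITABLE $file"
        findings=1
    fi

    # World-writable directory without the sticky bit: any local user can
    # rename the log and create a replacement under the original name.
    if has_mode "$dir" 0002 && ! has_mode "$dir" 1000; then
        echo "DIR_WORLD_WRITABLE_NO_STICKY $dir"
        findings=1
    fi

    return "$findings"
}

# Example invocation when run as a script: ./audit.sh /path/to/logfile
if [ "$#" -gt 0 ]; then
    audit_log "$1"
fi
```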