James Wilkinson wrote:
Les wrote:
My bad... I didn't realize that would happen. I had used this on some
other OS some time ago and it did work as I stated. I should have
checked it here first. I created a test file, changed its mode to 755,
then sourced it and it did source correctly, but then I typed rm
filename and I got a prompt to let me remove a protected file and sure
enough the regular user could do that. So in Linux, anyway, I am not
sure how you can affect the user individaully other than perhaps a group
policy. This would seem to be a "loose end" in terms of control by the
admin.
You use chattr to set the immutable attribute (this needs to be done as
root). Until this attribute is removed, no-one can change or delete the
file:
A file with the ‘i’ attribute cannot be modified: it cannot be
deleted or renamed, no link can be created to this file and no data
can be written to the file. Only the superuser or a process
possessing the CAP_LINUX_IMMUTABLE capability can set or clear this
attribute.
(-- man chattr)
Hope this helps,
Ordinary permissions are enough: look at how /tmp works - you just don't
want that rwx for 'other'.
--
Les Mikesell
lesmikesell@xxxxxxxxx
