locking down gnome.
der.hans
PLUGd@LuftHans.com
Thu, 23 Nov 2000 07:40:21 -0700 (MST)
On 22 Nov 2000, Deepak Saxena wrote:
> not if you change user:group of .gnome and .gnome-desktop to someone
> else and then chmod 755 on it. the user can't delete it or move it
> since he doesn't own it.
If it's in a dir I own I can move it, including rm it. dir perms allow me
to use mv and rm even though I can't actually change the file. (see
below, however, for earth-shaking, breaking news ;-)
lufthans@LuftHans:~/tmp/fred$ mkdir .gnome
lufthans@LuftHans:~/tmp/fred$ ls -ld .gnome/
drwxr-sr-x 2 lufthans lufthans 4096 Nov 23 07:19 .gnome/
lufthans@LuftHans:~/tmp/fred$
LuftHans:/home/lufthans/tmp/fred# chown root.root .gnome/
LuftHans:/home/lufthans/tmp/fred# chmod 755 .gnome/
LuftHans:/home/lufthans/tmp/fred# ls -ld .gnome/
drwxr-xr-x 2 root root 4096 Nov 23 07:19 .gnome/
LuftHans:/home/lufthans/tmp/fred#
lufthans@LuftHans:~/tmp/fred$ ls -ld .gnome/
drwxr-xr-x 2 root root 4096 Nov 23 07:19 .gnome/
lufthans@LuftHans:~/tmp/fred$ mv .gnome .dwarf
lufthans@LuftHans:~/tmp/fred$ ls -la
total 12
drwxr-sr-x 3 lufthans lufthans 4096 Nov 23 07:20 .
drwxr-sr-x 3 lufthans lufthans 4096 Nov 23 07:16 ..
drwxr-xr-x 2 root root 4096 Nov 23 07:19 .dwarf
lufthans@LuftHans:~/tmp/fred$ rm -rf .dwarf/
lufthans@LuftHans:~/tmp/fred$ id
uid=2112(lufthans) gid=2112(lufthans) groups=2112(lufthans),24(cdrom),29(audio)
lufthans@LuftHans:~/tmp/fred$
Ah, but there is a way to make it stick :). This might be a bit
extreme, but the immutable flag will protect things.
lufthans@LuftHans:~/tmp/fred$ mkdir .gnome
lufthans@LuftHans:~/tmp/fred$ ls -ld .gnome/
drwxr-sr-x 2 lufthans lufthans 4096 Nov 23 07:28 .gnome/
lufthans@LuftHans:~/tmp/fred$
LuftHans:/home/lufthans/tmp/fred# chown root.root .gnome/
LuftHans:/home/lufthans/tmp/fred# chmod 755 .gnome/
LuftHans:/home/lufthans/tmp/fred# chattr +i .gnome/
LuftHans:/home/lufthans/tmp/fred# ls -ld .gnome/
drwxr-xr-x 2 root root 4096 Nov 23 07:28 .gnome/
LuftHans:/home/lufthans/tmp/fred#
lufthans@LuftHans:~/tmp/fred$ ls -ld .gnome/
drwxr-xr-x 2 root root 4096 Nov 23 07:28 .gnome/
lufthans@LuftHans:~/tmp/fred$ mv .gnome/ .dwarf
mv: cannot remove directory `.gnome/': Operation not permitted
mv: cannot remove `.gnome/': Operation not permitted
lufthans@LuftHans:~/tmp/fred$ rm -rf .gnome/
rm: cannot remove directory `.gnome': Operation not permitted
lufthans@LuftHans:~/tmp/fred$
Note: only dirs the user could write to would need chattrd, e.g. the top
dirs and dirs gnome has to be able to write to.
ciao,
der.hans
--
# der.hans@LuftHans.com home.pages.de/~lufthans/ www.Opnix.com
# It's up to the reader to make the book interesting.
# An author has only the opportunity to make it uninteresting. - der.hans
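An added check script for the rule the post demonstrates (rename and removal are decided by write permission on the parent directory, and only chattr +i makes a root-owned dotdir stick); this is example code, not the poster's, and it assumes a POSIX shell with mktemp and, for the immutable-flag check, lsattr from e2fsprogs.

```shell
#!/bin/sh
# Added example, not part of the original post. Reports whether the current
# user could mv/rm a directory, following the rule shown in the post:
# rename and removal are governed by write+execute permission on the PARENT,
# not by the ownership or mode of the directory itself. The immutable flag
# (chattr +i) is detected through lsattr when that tool is available.

# dir_removal_status DIR: prints "removable" or "protected (<reason>)".
dir_removal_status() {
    target=$1
    parent=$(dirname "$target")

    # lsattr prints the flag field first; a lowercase 'i' means immutable.
    # lsattr only works on ext2/3/4-style filesystems, so a failure is
    # treated as "no flag set" rather than as an error.
    if command -v lsattr >/dev/null 2>&1; then
        flags=$(lsattr -d "$target" 2>/dev/null)
        flags=${flags%% *}
        case $flags in
            *i*) echo "protected (immutable flag)"; return 0 ;;
        esac
    fi

    # No flag: the parent's permission bits decide, exactly as in the post.
    if [ -w "$parent" ] && [ -x "$parent" ]; then
        echo "removable"
    else
        echo "protected (parent not writable)"
    fi
}

# demo_parent_perms_win: reproduces the first half of the post without root.
# A mode-555 directory (no write bit for anyone) inside a writable parent is
# still renamed and removed, because only the parent's bits are consulted.
# Prints the status reported before the rename (constructed names .gnome and
# .dwarf as in the post); returns 0 if both mv and rmdir succeeded.
demo_parent_perms_win() {
    work=$(mktemp -d) || return 1
    mkdir "$work/.gnome" && chmod 555 "$work/.gnome"
    before=$(dir_removal_status "$work/.gnome")
    mv "$work/.gnome" "$work/.dwarf" && rmdir "$work/.dwarf"
    rc=$?
    rmdir "$work"
    echo "$before"
    return $rc
}
```

Run it against ~/.gnome after applying the chattr +i recipe above: "protected (immutable flag)" means the lockdown holds, "removable" means the user can still mv or rm the directory.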