locking down gnome.

der.hans PLUGd@LuftHans.com
Thu, 23 Nov 2000 07:40:21 -0700 (MST)


On 22 Nov 2000, Deepak Saxena wrote:

> not if you change user:group of .gnome and .gnome-desktop to someone
> else and then chmod 755 on it.  the user can't delete it or move it
> since he doesn't own it.

If it's in a dir I own, I can move it, including rm it. Dir perms allow me
to use mv and rm even though I can't actually change the file. ( see
below, however, for earth-shaking, breaking news ;-)

lufthans@LuftHans:~/tmp/fred$ mkdir .gnome
lufthans@LuftHans:~/tmp/fred$ ls -ld .gnome/
drwxr-sr-x    2 lufthans lufthans     4096 Nov 23 07:19 .gnome/
lufthans@LuftHans:~/tmp/fred$ 

LuftHans:/home/lufthans/tmp/fred# chown root.root .gnome/
LuftHans:/home/lufthans/tmp/fred# chmod 755 .gnome/
LuftHans:/home/lufthans/tmp/fred# ls -ld .gnome/
drwxr-xr-x    2 root     root         4096 Nov 23 07:19 .gnome/
LuftHans:/home/lufthans/tmp/fred# 

lufthans@LuftHans:~/tmp/fred$ ls -ld .gnome/
drwxr-xr-x    2 root     root         4096 Nov 23 07:19 .gnome/
lufthans@LuftHans:~/tmp/fred$ mv .gnome .dwarf
lufthans@LuftHans:~/tmp/fred$ ls -la
total 12
drwxr-sr-x    3 lufthans lufthans     4096 Nov 23 07:20 .
drwxr-sr-x    3 lufthans lufthans     4096 Nov 23 07:16 ..
drwxr-xr-x    2 root     root         4096 Nov 23 07:19 .dwarf
lufthans@LuftHans:~/tmp/fred$ rm -rf .dwarf/
lufthans@LuftHans:~/tmp/fred$ id
uid=2112(lufthans) gid=2112(lufthans) groups=2112(lufthans),24(cdrom),29(audio)
lufthans@LuftHans:~/tmp/fred$ 

Ah, but there is a way to make it stick :). This might be a bit
extreme, but the immutable flag will protect things.

lufthans@LuftHans:~/tmp/fred$ mkdir .gnome
lufthans@LuftHans:~/tmp/fred$ ls -ld .gnome/
drwxr-sr-x    2 lufthans lufthans     4096 Nov 23 07:28 .gnome/
lufthans@LuftHans:~/tmp/fred$ 

LuftHans:/home/lufthans/tmp/fred# chown root.root .gnome/
LuftHans:/home/lufthans/tmp/fred# chmod 755 .gnome/
LuftHans:/home/lufthans/tmp/fred# chattr +i .gnome/
LuftHans:/home/lufthans/tmp/fred# ls -ld .gnome/
drwxr-xr-x    2 root     root         4096 Nov 23 07:28 .gnome/
LuftHans:/home/lufthans/tmp/fred# 

lufthans@LuftHans:~/tmp/fred$ ls -ld .gnome/
drwxr-xr-x    2 root     root         4096 Nov 23 07:28 .gnome/
lufthans@LuftHans:~/tmp/fred$ mv .gnome/ .dwarf
mv: cannot remove directory `.gnome/': Operation not permitted
mv: cannot remove `.gnome/': Operation not permitted
lufthans@LuftHans:~/tmp/fred$ rm -rf .gnome/
rm: cannot remove directory `.gnome': Operation not permitted
lufthans@LuftHans:~/tmp/fred$ 

Note: only dirs the user could write to would need to be chattr'd, e.g. the top
dirs and dirs gnome has to be able to write to.

ciao,

der.hans
-- 
#  der.hans@LuftHans.com   home.pages.de/~lufthans/   www.Opnix.com
# It's up to the reader to make the book interesting.
# An author has only the opportunity to make it uninteresting. - der.hans
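The permission rule behind the first transcript above, as an added example that is not code from der.hans's post or from GNOME. It reproduces the point with an unprivileged user and no chattr: whether you can mv or rm a directory entry is decided by write (and search) permission on the directory holding the entry, not by who owns the entry or whether you can write to it. The temp-directory layout and the function names are this example's own; the chattr +i step from the post is not run, because it needs root and a filesystem that supports the immutable attribute.

```shell
#!/bin/sh
# Added example (not der.hans's code). Shows that rename/unlink of a
# directory entry is governed by the parent directory's permissions, not
# by the entry's own owner or mode. Runs as an unprivileged user; the
# immutable flag from the post is not exercised here.

# Returns 0 if an entry we cannot write to (mode 555, which is what the
# root-owned 755 .gnome in the post looks like to the user) can still be
# renamed and removed from a directory we own and can write to.
entry_perms_do_not_protect_entry() {
    tmp=$(mktemp -d) || return 2
    mkdir "$tmp/.gnome" || return 2
    chmod 555 "$tmp/.gnome"                 # no write permission on the entry
    mv "$tmp/.gnome" "$tmp/.dwarf" 2>/dev/null && \
        rm -rf "$tmp/.dwarf" 2>/dev/null && \
        [ ! -e "$tmp/.dwarf" ] && [ ! -e "$tmp/.gnome" ]
    rc=$?
    chmod -R u+w "$tmp" 2>/dev/null         # cleanup
    rm -rf "$tmp"
    return $rc
}

# Returns 0 if removing write permission from the *parent* directory stops
# both mv and rm of an entry inside it, even though we own everything.
# Root bypasses these DAC checks, so as uid 0 this returns 1.
parent_dir_perms_protect_entry() {
    tmp=$(mktemp -d) || return 2
    mkdir -p "$tmp/locked/.gnome" || return 2
    chmod 555 "$tmp/locked"                 # parent: r-x only, no write
    mv "$tmp/locked/.gnome" "$tmp/locked/.dwarf" 2>/dev/null
    mv_rc=$?
    rm -rf "$tmp/locked/.gnome" 2>/dev/null
    rm_rc=$?
    [ "$mv_rc" -ne 0 ] && [ "$rm_rc" -ne 0 ] && [ -d "$tmp/locked/.gnome" ]
    rc=$?
    chmod -R u+w "$tmp" 2>/dev/null         # cleanup
    rm -rf "$tmp"
    return $rc
}

if entry_perms_do_not_protect_entry; then
    echo "read-only entry in a writable dir: mv and rm succeeded"
else
    echo "unexpected: could not move/remove the read-only entry"
fi

if [ "$(id -u)" -eq 0 ]; then
    echo "running as root: directory permission checks are bypassed, skipping"
elif parent_dir_perms_protect_entry; then
    echo "entry in an unwritable parent dir: mv and rm denied"
else
    echo "unexpected: parent dir permissions did not block mv/rm"
fi
```

The second function is the non-root version of what `chattr +i` buys in the post: making the parent unwritable blocks mv and rm, but that also blocks the user from creating anything else in their own directory, which is why the post reaches for the immutable flag on the entry instead. The rename in the first function stays within one parent; moving a directory to a different parent additionally needs write permission on the directory itself, since its `..` entry is rewritten.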