Tuesday, May 24, 2016

Linux Password Trick With Immutable Bit Using chattr Command

What is an immutable attribute on Linux?
A file with the immutable attribute cannot be:
Modified
Deleted
Renamed
Linked to (no soft or hard link can be created to it), by anyone, including the root user.
Only the root (superuser) or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute. Use the lsattr command to list the file attributes on a Linux second extended file system that you set with the chattr command.
How to make a Linux file unchangeable (unalterable) so that no one can modify it
First, you need to log in as the root user. Only the root user can set and remove the immutable flag on a file. The syntax is:
chattr +i file
chattr +i /path/to/filename
Type the following command to write-protect the /etc/shadow file on Linux:
chattr +i /etc/shadow
Now, log in as a normal user (say vivek) and run the passwd command to change the password:
$ passwd
Changing password for user vivek.
Changing password for vivek
(current) UNIX password: OLDPASSWD
New password: NEWPASSWD
Retype new password: NEWPASSWD
passwd: all authentication tokens updated successfully.
Log out and try to log in with the new password. The system will not accept it; you still need to use the old password.
To list the file's attributes with the lsattr command (run as the root user):
# lsattr /etc/shadow
----i-------- /etc/shadow
Please note that even the root user is not allowed to change the password while the flag is set. You can remove the attribute using the following command (again, it must be run as the root user):
chattr -i /etc/shadow
lsattr /etc/shadow
Sample outputs:
------------- /etc/shadow
Securing mount points on Linux
Want to write-protect an entire mount point so that no one, including the root user, can add or delete files? Try:
## Secure the partition mounted at /securebackup ##
chattr +i -R /securebackup
lsattr -d /securebackup
lsattr -l /securebackup
cd /securebackup
## Try to add or delete something ##
echo "test" > foo.txt
mkdir foo
ls -l
rm SeaToolsDOS223ALL.ISO
## Remove it again ##
cd /
chattr -i -R /securebackup
lsattr -d /securebackup

The -R option recursively changes the attributes of directories and their contents. This is useful for protecting a web server's DocumentRoot or any other directory that is publicly accessible over sftp/ftp.
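Both procedures above end with an lsattr check, and in practice you want to audit which files actually carry the immutable flag, for example after protecting /etc/shadow or a whole mount point like /securebackup. The following POSIX shell functions are an added example, not code from the original post: they parse lsattr output (including the "dir:" headers that lsattr -R prints) and report the paths whose flag field contains 'i'. The sample lsattr lines are constructed for the example; the live check at the end runs the real lsattr -d only when it is installed.

```shell
#!/bin/sh
# Added example (not from the original post): audit the immutable ('i') attribute
# by parsing lsattr-style output. Parsing needs no root; only chattr does.

# attr_has_flag FLAGS CHAR -> returns 0 if the lsattr flag field FLAGS contains CHAR
attr_has_flag() {
    case "$1" in
        *"$2"*) return 0 ;;
        *) return 1 ;;
    esac
}

# line_is_immutable "----i-------- /etc/shadow" -> returns 0 if the flag field has 'i'
line_is_immutable() {
    flags=${1%% *}                 # the first field, everything before the first space
    attr_has_flag "$flags" i
}

# list_immutable reads lsattr-style lines on stdin and prints, one per line,
# the paths whose flag field contains 'i'. Blank lines and the "dir:" headers
# emitted by lsattr -R are skipped.
list_immutable() {
    while IFS= read -r line; do
        case "$line" in
            ""|*:) continue ;;
        esac
        flags=${line%% *}
        path=${line#* }            # the rest of the line, so paths with spaces survive
        if attr_has_flag "$flags" i; then
            printf '%s\n' "$path"
        fi
    done
}

# Constructed sample in the format lsattr -R prints (not captured from a real system).
SAMPLE_LSATTR='----i-------- /etc/shadow
------------- /etc/passwd
/securebackup:
----i-------- /securebackup/foo.txt
--------a---- /securebackup/audit.log'

# count_immutable prints how many sample entries carry the immutable flag
count_immutable() {
    printf '%s\n' "$SAMPLE_LSATTR" | list_immutable | wc -l | tr -d ' '
}

# live_immutable_check PATH: like the post's "lsattr -d", reports the flags of the
# path itself (not its contents). Returns 0 if immutable, 1 if not, 2 if it cannot check.
live_immutable_check() {
    command -v lsattr >/dev/null 2>&1 || { echo "lsattr not available"; return 2; }
    [ -e "$1" ] || { echo "no such path: $1"; return 2; }
    out=$(lsattr -d "$1" 2>/dev/null) || { echo "lsattr failed on $1"; return 2; }
    if line_is_immutable "$out"; then
        echo "$1 is immutable"
    else
        echo "$1 is NOT immutable"
        return 1
    fi
}

# Usage: feed real output in, e.g.  lsattr -R /securebackup 2>/dev/null | list_immutable
printf '%s\n' "$SAMPLE_LSATTR" | list_immutable
live_immutable_check /etc/shadow
```

The flag field is matched with a shell pattern rather than a fixed column, because the width of lsattr's attribute string differs between e2fsprogs versions; the lowercase 'i' is used only for the immutable attribute, so a substring match is enough.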
