Write permissions ignored [SOLVED]

thunor
Posts: 350
Joined: Thu 14 Oct 2010, 15:24
Location: Minas Tirith, in the Pelennor Fields fighting the Easterlings

#1 Post by thunor »

Hi

I've used Linux for some time but I've only recently been playing with Puppy Linux. In fact with this latest 5.20 release I'm using it more than my regular installed distro; it's a great piece of work, well done.

I just attempted to stop a game from writing to its rcfile and so I set the permissions to r--r--r-- i.e. 444, but the game still kept modifying it and I did too by opening it in Geany, modifying it and saving it back out. I know that everything's root:root, but is this behaviour correct?

Cheers,
Thunor
Last edited by thunor on Mon 21 Mar 2011, 21:29, edited 1 time in total.

#2 Post by thunor »

Well, I guessed either I've asked a question that's been asked a million times before or I've underestimated the power of the superuser :D

I've just tested this in a regular Linux installation and indeed when you are root, permissions are ignored. You can set permissions to 000 and it makes no difference with what you can do to it. I didn't know that!

Shep
Posts: 878
Joined: Sat 08 Nov 2008, 07:55
Location: Australia

#3 Post by Shep »

Yes, operating as root poses a hazard in not having the file permissions recognized!

disciple
Posts: 6984
Joined: Sun 21 May 2006, 01:46
Location: Auckland, New Zealand

#4 Post by disciple »

Maybe you can run the game as another user.
Do you know a good gtkdialog program? Please post a link here

Classic Puppy quotes

ROOT FOREVER
GTK2 FOREVER

PupGeek
Posts: 353
Joined: Sun 06 Sep 2009, 11:30

#5 Post by PupGeek »

Another idea is to make a backup copy of the *rc file named with a .bak extension and write a script to copy the backup copy to the original *rc file before executing the program in question. It will perform as though it didn't write to the *rc file because you keep going back to the earlier one. If you want to be even more sophisticated you can include an option to save any changes the program made or not in the script to run when you close the program. Shell scripting makes almost anything like that doable.
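
The restore-before-launch wrapper described in the post above, written out as an added example that is not part of the original post. The function name, the KEEP argument and the `~/.gamerc` / `mygame` names in the usage comment are hypothetical.

```shell
#!/bin/sh
# Added example: run a program with its rc file reset from a known-good backup.
#
# run_with_pristine_rc RCFILE KEEP COMMAND [ARGS...]
#   KEEP=yes  keep what the program wrote and refresh the backup from it
#   KEEP=no   discard it by restoring the backup again after the program exits
run_with_pristine_rc() {
    rc_file=$1
    keep=$2
    shift 2
    bak="$rc_file.bak"

    # First run: take the current rc file as the baseline backup.
    if [ ! -f "$bak" ]; then
        cp -p "$rc_file" "$bak" || return 1
    fi

    # Restore the baseline before launching, so earlier writes are undone.
    cp -p "$bak" "$rc_file" || return 1

    "$@"
    rc_status=$?

    if [ "$keep" = yes ]; then
        cp -p "$rc_file" "$bak" || return 1   # accept the program's changes
    else
        cp -p "$bak" "$rc_file" || return 1   # throw them away
    fi

    # Pass the program's own exit status back to the caller.
    return "$rc_status"
}

# Usage (hypothetical names): run_with_pristine_rc "$HOME/.gamerc" no mygame
```

This works on the union mount as well, because it needs only ordinary file copies and no filesystem attributes.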

Bruce B

#6 Post by Bruce B »

How to make a file immutable. Root cannot modify it or even delete it.
Except with chattr to put attributes back.

Code block demonstrates

Code:

[/mnt/sda2/lupu] chattr +i isolinux.cfg
[/mnt/sda2/lupu] lsattr
-------------- ./lupu-520.iso.md5
----i--------- ./isolinux.cfg
-------------- ./lupu-520.iso
-------------- ./boot.msg
-------------- ./help.msg
-------------- ./help2.msg
[/mnt/sda2/lupu] rm isolinux.cfg
rm: remove write-protected regular file `isolinux.cfg'? y
rm: cannot remove `isolinux.cfg': Operation not permitted
[/mnt/sda2/lupu]

~

#7 Post by disciple »

I get this error

Code:

/# chattr +i NewFile
chattr: Inappropriate ioctl for device while reading flags on NewFile

Google indicates this normally occurs when the file system is not ext2/ext3... I wonder what it means otherwise.

Bruce B

#8 Post by Bruce B »

disciple wrote:
> I get this error
>
> Code:
>
> /# chattr +i NewFile
> chattr: Inappropriate ioctl for device while reading flags on NewFile
>
> Google indicates this normally occurs when the file system is not ext2/ext3... I wonder what it means otherwise.

» don't keep trying expecting to get a different result, you are stuck

» I worked around it one time by rebooting, then immediately running
the command

» Some other workaround suggestions available, if I can find a kid to
advise me

» Maybe helps if not a zero byte file, I've not tested that

~

#9 Post by disciple »

> » Maybe helps if not a zero byte file, I've not tested that

FWIW it's not a zero byte file.

I'm not worried - I was just trying it out.
It works on files on my ext3 partition, just not in my ext2 save file (which is stored on a FAT partition, although I don't think that should matter).

Bruce B

#10 Post by Bruce B »

disciple wrote:
> > » Maybe helps if not a zero byte file, I've not tested that
>
> FWIW it's not a zero byte file.
>
> I'm not worried - I was just trying it out.
> It works on files on my ext3 partition, just not in my ext2 save file (which is stored on a FAT partition, although I don't think that should matter).

It matters to me. I just tried it on Lupu 5.20 with an ext3 save file stored on an ext3 partition and it didn't work.

chattr is a tool used in hardening your Linux; if it doesn't work, I suppose it is not configured to work.

I'll test things by running an actual Linux live CD. But, not a Linux I expect to be crippled or missing standard functions.

I'll report back.

~
Last edited by Bruce B on Sun 20 Mar 2011, 03:46, edited 1 time in total.

#11 Post by disciple »

FWIW if I mount my backup save file (by clicking on it in Rox) it works on files in that.

So I guess it is related to unionfs or something...

#12 Post by disciple »

Ah. Of course. Unionfs is not ext2/3, therefore it does not work. If I go to /initrd/pup_rw then it works.

Bruce B

#13 Post by Bruce B »

disciple wrote:
> Ah. Of course. Unionfs is not ext2/3, therefore it does not work. If I go to /initrd/pup_rw then it works.

Interesting. Nuances, good catch and workaround.

Here are my test results

I used a Live CD (smaller than Puppy Lupu)

Filename: Bootable ISO (RIPLinux-11.6-non-X.iso)

RIP LinuX home page

The test was successful.

If thunor is still reading, the complaint is solved. Well, thunor what will it
be?

~

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#14 Post by jpeps »

disciple wrote:
> Ah. Of course. Unionfs is not ext2/3, therefore it does not work. If I go to /initrd/pup_rw then it works.

yeah..doesn't work on pen drive for the same reason. Interesting command though...new to me. I'm surprised it isn't used more. I can think of lots of ways to employ it (like preventing permissions from getting overwritten and breaking cups, etc)

edit: I tested on some root:nobody cups files, such as /etc/printer.conf, and the printer works. Overwriting "nobody" permissions is the most common cause of cups breaking.

amigo
Posts: 2629
Joined: Mon 02 Apr 2007, 06:52

#15 Post by amigo »

"I'll test things by running an actual Linux live CD. But, not a Linux I expect to be crippled or missing standard functions."

jpeps
Posts: 3179
Joined: Sat 31 May 2008, 19:00

#16 Post by jpeps »

This might be the key to protecting the cups permissions. I tried this, and the printer still works. For adding new printers, it could be reversed with chattr -i

(note: problems typically occur when root:nobody gets overwritten to root:root)

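Code:

#!/bin/sh
# Make the CUPS files whose group is "nobody" immutable so their ownership
# cannot be overwritten. chattr has to be run on the save layer
# (/initrd/pup_rw), not on the union mount.

for f in /etc/cups/*; do
    # Test the group directly instead of cutting columns out of "ls -l",
    # whose field positions shift with padding; no temp file in /tmp needed.
    [ "$(stat -c %G "$f")" = "nobody" ] || continue
    target="/initrd/pup_rw/etc/cups/${f##*/}"
    # Only files that exist in the save layer can be flagged there.
    [ -e "$target" ] && chattr +i "$target"
done

chattr -R +i /initrd/pup_rw/var/cache/cups
chattr -R +i /initrd/pup_rw/var/log/cups

Last edited by jpeps on Mon 21 Mar 2011, 21:32, edited 1 time in total.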

#17 Post by thunor »

Bruce B wrote:
> If thunor is still reading, the complaint is solved. Well, thunor what will it
> be?

Ok, I'm back :)

So, I can go through /initrd/pup_rw/root and use chattr +i and chattr -i to prevent files from being deleted, or wrap a game in a script to remove/replace its rcfile.

Interestingly I appear to have killed two birds with one stone because rkhunter (which I recently downloaded and installed) does a lsattr test which fails, dumping the same ioctl error messages as reported earlier. I couldn't find anything about this problem so currently the test is being skipped.

Thanks for the assistance. I've marked this as solved.
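
An added example, not from the original posts: a filter for `lsattr` output that separates "not immutable" from "attributes unreadable on this filesystem", the case that produced the ioctl errors on the union mount. The function names and the sample lines are constructed for illustration; the sample follows the output format shown earlier in the thread.

```shell
#!/bin/sh
# Added example: classify lsattr output for an immutability audit.

# Reads lsattr output (stdout and stderr merged) on stdin and prints one
# "<state> <path>" line per entry: immutable, mutable or unsupported.
classify_lsattr() {
    awk '
    # Error line: the filesystem (e.g. the union mount) has no attribute ioctl.
    /^lsattr: .*[Ww]hile reading flags on / {
        sub(/^.*[Ww]hile reading flags on /, "")
        print "unsupported", $0
        next
    }
    # Normal line: flag field, then the path (which may contain spaces).
    /^[-A-Za-z]+ / {
        flags = $1
        sub(/^[^ ]+ +/, "")
        print ((flags ~ /i/) ? "immutable" : "mutable"), $0
    }'
}

# Reads a classified report on stdin; succeeds only if every path given
# as an argument is listed as immutable.
all_immutable() {
    report=$(cat)
    for p in "$@"; do
        printf '%s\n' "$report" | grep -Fqx "immutable $p" || return 1
    done
}

# Constructed sample input (not captured from a real system).
SAMPLE='----i--------- /initrd/pup_rw/etc/resolv.conf
-------------- /initrd/pup_rw/etc/X11/xorg.conf
lsattr: Inappropriate ioctl for device While reading flags on /etc/asound.state'

# Live use, as root:
#   lsattr /initrd/pup_rw/etc/resolv.conf /etc/asound.state 2>&1 | classify_lsattr
```

An "unsupported" result means the check has to be repeated on the underlying layer, for example under /initrd/pup_rw, before concluding anything about the file.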

Bruce B

#18 Post by Bruce B »

thunor wrote:
> Interestingly I appear to have killed two birds with one stone.

If I knew we wanted to kill birds, I'd have brought up the subject of
shotguns and bird shot.

In South Carolina or Utah, they think something is wrong with you if you
don't have a shotgun. I like two barrels, one with a slug and the other
with shot. Who knows what kind of varmint we will run into?

In the Republic of California, they don't want you to have shotguns. They
don't even want Charlie Sheen to have any kind of gun. But he can have
all the sluts he wants. That's legal I guess, just don't shoot birds in the
City Limits of Los Angeles.

As for credit, I think disciple gets it for figuring out where to run the
command.

You could move chattr and lsattr to different names.

~

#19 Post by Shep »

Bruce B wrote:
> How to make a file immutable. Root cannot modify it or even delete it.
> Except with chattr to put attributes back.
>
> Code block demonstrates
>
> Code:
>
> [/mnt/sda2/lupu] chattr +i isolinux.cfg
> [/mnt/sda2/lupu] lsattr
> -------------- ./lupu-520.iso.md5
> ----i--------- ./isolinux.cfg
> -------------- ./lupu-520.iso
> -------------- ./boot.msg
> -------------- ./help.msg
> -------------- ./help2.msg
> [/mnt/sda2/lupu] rm isolinux.cfg
> rm: remove write-protected regular file `isolinux.cfg'? y
> rm: cannot remove `isolinux.cfg': Operation not permitted
> [/mnt/sda2/lupu]
>
> ~

How interesting! Where did you find out about this command? Where have you ever had a need to use it?

Anyway, works for me. I have no idea, now, how my file system is ext3. I guess it must default to ext3?

/dev/sda6 on /mnt/sda6 type ext3 (rw,relatime,errors=continue,data=writeback)

Bruce B

#20 Post by Bruce B »

Shep wrote:
> How interesting! Where did you find out about this command? Where have you ever had a need to use it?

Just using Linux for about a decade.

Frequently, I read posts from people complaining "Puppy didn't save my
[configuration] settings."

I've never responded to one of these posts. The reason why is; the
premise may be faulty.

They think Puppy didn't save the settings because when Puppy rebooted,
the saved settings were not there.

In order to determine if Puppy 'saved' the settings, the user would have
to check for changes BEFORE rebooting. I've never seen a user with the
complaint do this.

Let us consider Puppy is a portable operating system. It does not
presume it is booting on the identical hardware it was last used on.

This is why a person can take a Flash stick and boot it on another
computer.

Puppy probes and configures on each boot.

Back to the user's complaint. If he didn't check to see if the settings were
actually saved, the only thing he knows is; the saved settings were not
available on next boot.

It could very well be the settings were saved and got lost or overwritten
on boot up.

Look at all the arguing I have to do, to get the user to broaden his
premise.

I'm not going to do it. I've never presented this argument before and
don't plan to do it again.

> Where have you ever had a need to use it?

If we work on the premise that Puppy can and sometimes does mess up
our configuration on boot up, we can protect ourselves.

xorg.conf and resolv.conf would be two examples of configuration files to
make immutable. That is, if we are always running on the same hardware.

If you find your volume controls get changed by xyz program, and it
annoys you, then make asound.state immutable

And of course any personal files you don't want to accidentally delete or
lose.

~
