While logged in, I can do the following:

    mkdir foo
    touch foo/bar
    chmod 400 foo/bar
    chmod 500 foo

Then I can open vim (not as root), edit bar, force a write with w!, and the file is modified.
How can I make the operating system disallow any file modification?
UPDATE Mar 02 2017

chmod 500 foo is a red herring: the write permission on a directory has nothing to do with the ability to modify a file's contents--only the ability to create and delete files.

chmod 400 foo/bar does in fact prevent the file's contents from being changed. But, it does not prevent a file's permissions from being changed--a file's owner can always change his file's permissions (assuming they can access the file, i.e. execute permission on all ancestor directories). In fact, strace(1) reveals that this is what vim (7.4.576 Debian Jessie) is doing--vim calls chmod(2) to temporarily add the write permission for the file's owner, modifies the file, and then calls chmod(2) again to remove the write permission. That is why using chattr +i works--only root can call chattr -i. Theoretically, vim (or any program) could do the same thing with chattr as it does with chmod on an immutable file if run as root.
vim is actually changing the permissions and then putting it back. – jordanm Mar 10 '13 at 22:15

root? – Alvin Wong Mar 11 '13 at 01:47
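The following script is an added demonstration, not code from the question or its comments, of the two points in the UPDATE: a 0400 file rejects a plain write, a 0500 directory only blocks creating entries, and the file's owner can re-add u+w, write, and restore 0400 exactly as strace shows vim doing on w!. It assumes a POSIX sh with mktemp, an unprivileged user, and a filesystem that honours mode bits; as root the mode bits are bypassed, so the function reports that and returns 2 instead.

```shell
#!/bin/sh
# Constructed example: observe the permission behaviour described in the UPDATE.
# Returns 0 when every observation matches, 2 when run as root (nothing to
# observe, mode bits are not enforced), 1 otherwise.
set -u

demo_perms() {
    if [ "$(id -u)" -eq 0 ]; then
        echo "running as root: mode bits are bypassed, demonstration skipped"
        return 2
    fi
    d=$(mktemp -d) || return 1
    # Cleanup must re-add directory write permission, or rm cannot unlink bar.
    cleanup() { chmod -R u+w "$d" 2>/dev/null; rm -rf "$d"; }

    mkdir "$d/foo" && : > "$d/foo/bar" || { cleanup; return 1; }
    chmod 400 "$d/foo/bar" && chmod 500 "$d/foo" || { cleanup; return 1; }

    # 1. A plain write to the 0400 file is refused (the redirect fails).
    if (echo edit > "$d/foo/bar") 2>/dev/null; then
        echo "unexpected: wrote to a 0400 file"; cleanup; return 1
    fi
    echo "write to 0400 file: denied"

    # 2. Creating a new entry in the 0500 directory is refused: that is all
    #    the directory's missing write bit controls.
    if (: > "$d/foo/new") 2>/dev/null; then
        echo "unexpected: created a file in a 0500 directory"; cleanup; return 1
    fi
    echo "create in 0500 directory: denied"

    # 3. The owner adds u+w, writes, and removes it again (vim's w! sequence).
    #    The directory is still 0500, showing it does not protect contents.
    chmod u+w "$d/foo/bar" && echo edited > "$d/foo/bar" \
        && chmod 400 "$d/foo/bar" || { cleanup; return 1; }
    content=$(cat "$d/foo/bar")
    echo "owner chmod u+w, write, chmod 400: contents now '$content'"
    cleanup
    [ "$content" = edited ]
}

demo_perms
```

Only the immutable attribute (chattr +i) closes this gap, because clearing it needs CAP_LINUX_IMMUTABLE rather than file ownership.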