How to restrict root user to access or modify a file and directory in Linux


Linux, How To, Security

In my last article I shared the steps to harden security of your Linux node by encrypting the hard disk partition using LUKS. Now let me show some more tweaks to increase security of your Linux setup.

Now in this article I will show you steps to prevent or restrict access of root user to access certain files or directories. Now by default root is the super user who has access to all the files and directories available on the Linux node but it is also possible to restrict even a root user from accessing and modifying the content of a file or directory.

You can restrict root user from accessing and modifying a file or directory using extended file attributes. We will be dealing with chattr and lsattr to achieve this in our demonstration.
Now chattr - change file attributes on a Linux file system, supports multiple options but we will be concentrating only on the options which can help restrict root user access on certain files and directories.

How to restrict root user to access or modify a file and directory in Linux (1)

NOTE:
In this article I will use the reference term as we are preventing root access to certain files and directories but this does not means that any other system user will be allowed to access such files with extended attributes. Once extended attributes are set to restrict the access, none of the system user can access these files or directories unless the restriction is removed.

To get the complete list of options supported with chattr you can view the man page of chattr using below command

# man chattr

We will work with two attributes
a:

  • Append text to a file
  • Can't overwrite

i:

  • Makes a file immutable
  • Can't be deleted or changed in any way

 

Create a secret file and directory

Now before we start we must have a top secret file which needs protection from root user. I have created a secret_file with below text

[root@node1 ~]# cat /tmp/deepak/secret_file
This is a secret file

 

Check the assigned attributes

By default when we create a file or directory, it does not has any extended attributes other than "e" which means extent format i.e. these files support extended attributes

[root@node1 ~]# lsattr /tmp/
-------------e-- /tmp/tracker-extract-files.0
-------------e-- /tmp/yum_save_tx.2019-03-22.22-16.7ocUW8.yumtx
-------------e-- /tmp/systemd-private-1ad03926d17f4de68a8fdfdd0449c980-chronyd.service-FhlC0B
-------------e-- /tmp/systemd-private-1ad03926d17f4de68a8fdfdd0449c980-bolt.service-2Oomt7
-------------e-- /tmp/systemd-private-1ad03926d17f4de68a8fdfdd0449c980-rtkit-daemon.service-TEwKlB
-------------e-- /tmp/deepak
-------------e-- /tmp/systemd-private-1ad03926d17f4de68a8fdfdd0449c980-colord.service-cUfgTm
-------------e-- /tmp/yum_save_tx.2019-03-22.22-16.ZCjaVi.yumtx
-------------e-- /tmp/systemd-private-1ad03926d17f4de68a8fdfdd0449c980-cups.service-5yacYU

 

Restrict access and allow only to append content

Now we will use "+a" to allow root user to append some data to our secret file but root won't be allowed to overwrite the file.

[root@node1 ~]# chattr +a /tmp/deepak/secret_file

Check the assigned attributes and as you see now we have "a" also assigned to our secret_file

[root@node1 ~]# lsattr /tmp/deepak/
-----a-------e-- /tmp/deepak/secret_file

Next try to append some data to this file

[root@node1 ~]# echo "I am appending some more content" >> /tmp/deepak/secret_file

Looks like it worked as expected, verify the same

[root@node1 ~]# cat /tmp/deepak/secret_file
This is a secret file
I am appending some more content

So, as you see now our secret file has some more content.

Let us try to overwrite the data

[root@node1 ~]# echo "I am trying to overwrite the content" > /tmp/deepak/secret_file
-bash: /tmp/deepak/secret_file: Operation not permitted

As expected the extended attributes didn't allowed me to overwrite the data.

 

Make the file immutable (restrict all activity)

Now let us make the file immutable so no change at all can be made to this file.

[root@node1 ~]# chattr +i /tmp/deepak/secret_file

Check the applied attributes

[root@node1 ~]# lsattr /tmp/deepak/secret_file
----ia-------e-- /tmp/deepak/secret_file

As you see both "a" and "i" are applied to our secret file but since "i" serves our purpose we do not need "a" here so we will remove the "a" attribute

[root@node1 ~]# chattr -a /tmp/deepak/secret_file

Next verify the applied attributes again

[root@node1 ~]# lsattr /tmp/deepak/secret_file
----i--------e-- /tmp/deepak/secret_file

Next I will try to overwrite the data of this file and will also attempt to remove this file

[root@node1 ~]# echo "I am trying to overwrite the content" > /tmp/deepak/secret_file
-bash: /tmp/deepak/secret_file: Permission denied

[root@node1 ~]# rm -f /tmp/deepak/secret_file
rm: cannot remove โ€˜/tmp/deepak/secret_fileโ€™: Operation not permitted

But as you see due to the extended attributes the system does not allows root user to perform any activity on this file.

Instead of file you can also apply these attributes at directory level to protect all the files under the respective directory.

 

Remove extended attributes

To remove an extended attributes as I also showed in above step use minus sign along with the option

# chattr -a <file/directory>
# chattr -i <file/directory>

 

Lastly I hope the steps from the article to prevent or restrict root user access on files and directories on Linux was helpful. So, let me know your suggestions and feedback using the comment section.

Deepak Prasad

Deepak Prasad

He is the founder of GoLinuxCloud and brings over a decade of expertise in Linux, Python, Go, Laravel, DevOps, Kubernetes, Git, Shell scripting, OpenShift, AWS, Networking, and Security. With extensive experience, he excels in various domains, from development to DevOps, Networking, and Security, ensuring robust and efficient solutions for diverse projects. You can connect with him on his LinkedIn profile.

Can't find what you're searching for? Let us assist you.

Enter your query below, and we'll provide instant results tailored to your needs.

If my articles on GoLinuxCloud has helped you, kindly consider buying me a coffee as a token of appreciation.

Buy GoLinuxCloud a Coffee

For any other feedbacks or questions you can send mail to admin@golinuxcloud.com

Thank You for your support!!

3 thoughts on “How to restrict root user to access or modify a file and directory in Linux”

  1. But the root user could remove these attribute as well ๐Ÿ™‚ There is no way to prevent from root user eventually….

    Reply
  2. Hi,

    I know this thread could be old, but I wonder the usefulness of these commands as long as the root user can do both restrict/unrestrict the access…is there logging for chattr to know who did what?

    thanks
    Suheil

    Reply

Leave a Comment