The immutable bit (was: chattr)
bscott at ntisys.com
Sun Feb 16 10:45:36 EST 2003
On Thu, 13 Feb 2003, at 2:39pm, alfalfa at fcgnetworks.net wrote:
> > I'm really curious how often people play with the immutable bit ...
>
> ... I, too, am interested in knowing more about the immutable bit. ...

The "immutable bit" is a non-standard extension to the EXT2/3 filesystem
which, when set, causes the filesystem driver to deny any attempt at changing
a file. Standard Unix permission modes (read/write/execute for
user/group/other) are routinely automatically overridden by programs like
"rm" and "tar", and they are simply ignored for the "root" user. The
immutable bit, in contrast, cannot be ignored, even by the root user, and
most software is not aware of it.

The result is that one can use the immutable bit to mark a file with "Thou
Shalt Not Change This". Application is, by its very nature, highly specific
to each system. For example, maybe you've got a production system that
should never have its accounts changed, so you might set the "/etc/passwd"
file immutable to keep even "root" from accidentally changing it.

The immutable bit is less useful for system hardening, because it is
trivially easy for an attacker to remove the immutable bit. Many rootkits
automatically do just that, and additionally set the immutable bit on files
they modify or install, in an attempt to confound admins ignorant of the
immutable bit. This is not to say that one should not use the immutable bit
as one part of a defense-in-depth strategy; just that one shouldn't depend
on it for security. Its purpose is more to protect against accidental
modifications than deliberate attack.

--
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind. |
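The two failure modes the post describes (an attacker clearing the bit on a file you protected, and setting it on files they install) are easy to audit for. The following Python script is an added example, not code from the post or from the gnhlug-discuss list: it parses `lsattr`-style output (a flags column followed by the path, with a lowercase `i` meaning immutable) and compares it against a baseline of files you expect to be immutable. The sample output and the baseline paths are constructed for illustration.

```python
"""Audit lsattr output against an expected-immutable baseline (added example).

Real input comes from e.g. `lsattr -d /etc/passwd /etc/shadow ...`; the
sample below is constructed. A lowercase 'i' in the flags column is the
immutable bit; an uppercase 'I' (indexed directory) is a different flag.
"""
from typing import Dict, List, Set, Tuple


def parse_lsattr(output: str) -> Dict[str, str]:
    """Map each path in lsattr-style output to its attribute string."""
    attrs: Dict[str, str] = {}
    for line in output.splitlines():
        line = line.strip()
        # Skip blank lines and lsattr's own error lines such as
        # "lsattr: Operation not supported While reading flags on ..."
        if not line or line.startswith("lsattr:"):
            continue
        flags, _, path = line.partition(" ")  # path may itself contain spaces
        if flags and path:
            attrs[path.strip()] = flags
    return attrs


def is_immutable(flags: str) -> bool:
    """True if the lowercase 'i' (immutable) flag is present."""
    return "i" in flags


def audit_immutable(output: str, expected: Set[str]) -> Tuple[List[str], List[str]]:
    """Return (files that lost the bit, files that have it unexpectedly)."""
    attrs = parse_lsattr(output)
    lost = sorted(p for p in expected if p in attrs and not is_immutable(attrs[p]))
    unexpected = sorted(p for p, f in attrs.items() if is_immutable(f) and p not in expected)
    return lost, unexpected


# Constructed sample: /etc/shadow should be immutable but is not, and a
# constructed path carries the bit without being in the baseline.
SAMPLE_LSATTR = """\
----i---------e------- /etc/passwd
--------------e------- /etc/shadow
----i---------e------- /usr/local/bin/constructed-example
--------------e------- /etc/hosts
"""
EXPECTED_IMMUTABLE = {"/etc/passwd", "/etc/shadow"}

if __name__ == "__main__":
    lost, unexpected = audit_immutable(SAMPLE_LSATTR, EXPECTED_IMMUTABLE)
    print("immutable bit missing:", lost)
    print("immutable bit unexpected:", unexpected)
```

Because an attacker with root can clear the bit before a check runs, treat the audit as a tripwire that complements file-integrity monitoring rather than as a guarantee.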