You can set the "immutable" attribute with most filesystems in Linux.
chattr +i foo/bar
To remove the immutable attribute, you use - instead of +:
chattr -i foo/bar
To see the current attributes for a file, you can use lsattr:
lsattr foo/bar
The chattr(1) manpage provides a description of all the available attributes. Here is the description for i:
A file with the `i' attribute cannot be modified: it cannot be deleted
or renamed, no link can be created to this file and no data can be
written to the file. Only the superuser or a process possessing the
CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
Only root has the permission to change the ownership of files. Reasonably modern versions of Linux provide the CAP_CHOWN capability; a user who has this capability may also change the ownership of arbitrary files. CAP_CHOWN is global: once granted, it applies to any file in a local file system.
Group ownership may be changed by the file owner (and root). However, this is restricted to the groups the owner belongs to. So if user U belongs to groups A, B, and C but not to D, then U may change the group of any file that U owns to A, B, or C, but not to D. If you need arbitrary changes, then CAP_CHOWN is the way to go.
CAUTION: CAP_CHOWN has severe security implications; a user with a shell that has capability CAP_CHOWN could get root privileges. (For instance, chown libc to yourself, patch in your Trojan Horses, chown it back and wait for a root process to pick it up.)
Since you want to restrict the ability to change ownership to certain directories, none of the readily available tools will aid you. Instead you may write your own variant of chown that takes care of the intended restrictions. This program needs to have capability CAP_CHOWN, e.g.:
setcap cap_chown+ep /usr/local/bin/my_chown
CAUTION: Your program will probably mimic the genuine chown, e.g. my_chown user:group filename(s). Do perform your input validation very carefully. Check that each file satisfies the intended restrictions; particularly, watch out for soft links that point out of bounds.
If you want to restrict access to your program to certain users, you may create a special group, set group ownership of my_chown to this group, set permissions to 0750, and add all users that are permitted to this group. Alternatively you may use sudo with suitable rules (in this case you also don't need capability magic). If you need even more flexibility, then you need to code the rules you have in mind into my_chown.
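The restricted chown wrapper the answer sketches, as an added example (it is not the answer's own code and the name my_chown is taken from the answer only as a label). It assumes one permitted tree, ALLOWED_ROOT (default /srv/shared, an assumption), that the installed copy carries cap_chown via setcap or is run through sudo so the chown(1) call itself succeeds, and that readlink -f is available to canonicalise paths. The two checks the answer asks for are separated into functions: valid_spec for the user:group argument and in_bounds for the "soft links that point out of bounds" problem, which it handles by resolving every symlink component first and then operating on the resolved path rather than the name the caller supplied.

```shell
#!/bin/sh
# Added example of a restricted chown wrapper; not the answer's code.
# Assumptions: ALLOWED_ROOT is the only tree where ownership changes are
# allowed; the installed script has cap_chown (or runs under sudo);
# readlink -f exists. ALLOWED_ROOT must not be "/".
ALLOWED_ROOT="${ALLOWED_ROOT:-/srv/shared}"

# in_bounds PATH: resolve every symlink and ".." component of PATH and succeed
# only if the result exists and lies strictly below ALLOWED_ROOT. Prints the
# resolved path on success so the caller never operates on a symlink name.
in_bounds() {
    root=$(readlink -f -- "$ALLOWED_ROOT") || return 1
    target=$(readlink -f -- "$1") || return 1
    [ -e "$target" ] || return 1
    case "$target" in
        "$root"/*) printf '%s\n' "$target"; return 0 ;;
        *)         return 1 ;;
    esac
}

# valid_spec USER:GROUP: require both names, drawn from a conservative
# character set and never starting with "-", so nothing option-like or
# shell-metacharacter-like ever reaches chown.
valid_spec() {
    case "$1" in
        *:*) ;;
        *)   return 1 ;;
    esac
    user=${1%%:*}
    group=${1#*:}
    [ -n "$user" ] && [ -n "$group" ] || return 1
    case "$user$group" in
        *[!A-Za-z0-9._-]*) return 1 ;;
    esac
    case "$user"  in -*) return 1 ;; esac
    case "$group" in -*) return 1 ;; esac
    return 0
}

# main USER:GROUP FILE...: validate every argument before touching anything,
# then chown the resolved paths. One bad argument aborts the whole run.
main() {
    if [ $# -lt 2 ]; then
        echo "usage: my_chown USER:GROUP FILE..." >&2
        return 2
    fi
    spec=$1
    shift
    valid_spec "$spec" || { echo "my_chown: invalid owner spec '$spec'" >&2; return 2; }
    for f in "$@"; do
        in_bounds "$f" >/dev/null || {
            echo "my_chown: refusing '$f': not inside $ALLOWED_ROOT" >&2
            return 1
        }
    done
    for f in "$@"; do
        r=$(in_bounds "$f") || return 1
        # -h: act on the resolved object itself; -- ends option parsing.
        chown -h -- "$spec" "$r" || return 1
    done
}

# Only act when invoked with arguments, so the functions can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Two design points worth noting. The wrapper deliberately refuses ALLOWED_ROOT itself and anything that resolves outside it, including a symlink inside the tree whose target is outside, which is exactly the out-of-bounds case the answer warns about. What it cannot close is the window between the check and the chown: a directory component could be renamed or replaced in between, so a shell implementation is adequate for cooperative users but a hostile one is better served by a small C program that walks the path with openat(2) and O_NOFOLLOW and changes ownership with fchownat(2) on the descriptor it holds.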
Best Answer
That's normal. passwd doesn't need read/write permissions as it's got the suid bit set, so it runs as root. More info at Stackexchange "How does the 'passwd' command gain root user permissions?" if you want it.