
Good day.

Historically, I have kept a virtual machine for my small projects. Since I do not use 100% of its resources, I decided not to be greedy and let a few friends host their sites there. There are not many sites and I don't take money for hosting, so installing something like cpanel seemed like too much. Besides, I'm one of those who prefer to set everything up manually. I chose the following structure:

/home/hostuser/vhosts/sitename.ru/(tmp,web,logs)

Then the question arose: how do I prevent the user from deleting or renaming the folders inside sitename.ru? If the web folder is missing, both apache and nginx issue a warning but still start. But if the logs folder is deleted or moved, neither apache nor nginx will start because of an error (quite strange behavior, in my view). The hostuser folder is wholly owned by that user and his personal group (hostuser:hostuser), which means that, if he wants, he can delete any folder or file inside it, even one that belongs to the superuser. So how can deletion and moving be disabled so that the user does not break the entire hosting, accidentally or on purpose?

After some brief googling, a solution was found. In addition to standard permissions and ACLs, file systems such as ext2, ext3 and ext4 allow additional attributes to be set on a file. You can read more about all the attributes on Wiki or in man chattr. We are interested in the immutable attribute. Only the superuser can set this attribute on a file or folder. If the immutable attribute is set on a file, that file cannot be changed or deleted (even the superuser cannot do so until he removes the attribute). If the immutable attribute is set on a folder, that folder cannot be deleted, and the structure inside it cannot be changed either. So if we need to protect the sitename.ru folder and the structure inside it, we run a simple command:

chattr +i /home/hostuser/vhosts/sitename.ru

To remove the attribute, use the flag -i.

If you only need to protect one folder (for example, logs), you can do the following:

touch /home/hostuser/vhosts/sitename.ru/logs/.keep
chattr +i /home/hostuser/vhosts/sitename.ru/logs/.keep

This is how you can set up "protection from a fool" (even one with superuser rights).

Thank you for your attention.

Attention!

It is important to understand that this article is not about information security. A lock on a mailbox is information security. The glass over a fire alarm button is foolproofing.
If you create a .keep file and give it the immutable attribute, the folder itself can be moved, and the file can be moved. You cannot delete the file itself or the folder structure leading to this file.
If you require a stronger level of security, use the immutable attribute together with mount --bind. With this combination, you can configure protection against intentional changes to the structure.
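
A way to check that every site actually carries one of the two protections described above, as an added example that is not part of the original article. The function names, the sites example.ru and demo.ru, and the sample lsattr lines are constructed for illustration; the input format assumed is the "flags path" layout that lsattr prints.

```shell
#!/bin/sh
# Added example (not from the article): audit the two protections it describes.
# Input: `lsattr`-style lines, "<flags> <path>". Output: sites under $1 that
# have neither an immutable site folder nor an immutable logs/.keep.
unprotected_sites() {
    awk -v base="${1%/}/" '
        index($0, base) == 0 { next }            # not under the vhosts base
        {
            flags = $1
            path = substr($0, index($0, base) + length(base))
            sub(/\/$/, "", path)                 # tolerate a trailing slash
            n = split(path, part, "/")
            site = part[1]
            if (site == "") next
            seen[site] = 1
            if (flags !~ /i/) next               # lowercase i = immutable
            if (n == 1) ok[site] = 1             # whole site folder protected
            if (path == site "/logs/.keep") ok[site] = 1   # logs-only variant
        }
        END { for (s in seen) if (!(s in ok)) print s }
    ' | sort
}

# Constructed sample output; example.ru and demo.ru are made-up sites.
sample_lsattr() {
    cat <<'EOF'
----i---------e------- /home/hostuser/vhosts/sitename.ru
--------------e------- /home/hostuser/vhosts/example.ru
----i---------e------- /home/hostuser/vhosts/example.ru/logs/.keep
--------------e------- /home/hostuser/vhosts/demo.ru
--------------e------- /home/hostuser/vhosts/demo.ru/logs/.keep
EOF
}

# Live use, as root on ext2/ext3/ext4:
#   { lsattr -d /home/hostuser/vhosts/*; lsattr /home/hostuser/vhosts/*/logs/.keep; } \
#       | unprotected_sites /home/hostuser/vhosts
```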

The prohibition of deletion allows you to store data indefinitely due to legal or other obligations.

If the user deletes data subject to such a prohibition, it will disappear from their folders but will be kept in the Vault. While the ban is in effect, this data can be found and exported.

Important information about Drive and deletion restrictions

Files that are subject to deletion restrictions are visible to users.

After a deletion prohibition is created for files, they remain visible to the user, even if the retention rule requires their deletion.

The scope of the ban depends on how it is configured

  • The Drive data deletion restriction applies to files owned by the user or organization that are included in the restriction, as well as to files that the user or organization has direct access to. This also includes files on shared drives that are given direct access to a user, regardless of whether the user is a member of the drive.
  • If the ban applies to shared drives, it also applies to shared drives where the affected users are members.
  • You cannot set a ban on a shared drive. Instead, set up a ban on members of this drive and check the box Apply to shared drives.

Under what conditions does the prohibition on deleting data on shared drives not apply?

Files on shared drives are not saved in the following cases.

  • A shared drive member:
    • moves a file from the shared drive, and this member is not included in the ban;
    • removes from the shared drive the only member who is subject to the ban.
  • None of the members of the shared drive have been added to the data deletion restriction.

How to set a ban on deleting Drive data

  1. Create or open a folder that will contain the ban.
  2. Click Create a ban.
  3. Specify a unique name for the ban.
  4. Select Drive.
  5. Specify to whom the ban will apply:
    • Accounts. Enter the email addresses of the required users.
    • Organization. Select a department from the dropdown list.
    • Check box Include files from linked shared drives. Then the ban will apply to the content of shared drives that is available to the right users, and not just to their own data on the Drive.
  6. Click Save.

How to change the ban settings

You can change individual ban options, but not the data type.


The need to prohibit deleting applications from an iPhone or iPad can arise in a variety of situations. Most often it is parents who think about it, since their mobile devices are used by children who every now and then accidentally delete an important application. Fortunately, setting such a ban is just a matter of a few clicks.

Step 1. Go to the menu "Settings" → "Main" → "Restrictions".

Step 2. Click "Enable Restrictions" and enter the password you set earlier. If you have not used this feature before, enter a new password. If you have forgotten your restrictions password, please contact us to reset it.

Step 3. In the "Allow" section, move the "Uninstalling programs" switch to the inactive position.

Step 4. Return to the "Settings" menu by clicking the "Main" arrow to save the settings.

Done! Installed applications can no longer be deleted from your iPhone or iPad. When you switch to the application deletion mode, the crosses next to the icons will not appear.

When you need to uninstall one of the applications, go to the menu "Settings" → "Main" → "Restrictions" and turn on the "Uninstalling programs" switch, or click "Turn off restrictions".

One component of security in an operating system is ensuring that files or directories are not deleted. Such measures involve hiding objects, prohibiting editing or viewing, or adding permissions for handling file objects.

A large number of software products have been created to protect files and folders, but more often they solve the problem of file deletion in a broad way, by making files hidden or denying access.

All directories, files and processes in Windows are created by a specific user. The creators of Windows tried to develop a protection system in which each user has a very specific set of rights. This set contains prohibiting or permitting options for manipulating processes and file objects.

A ban can be implemented at the account level, for example by creating a directory or file under the administrator account while opening access for guest accounts and leaving them write, read and move rights. However, more often you need to set a ban at the level of the current (your own) account.

We need to turn to the Windows security system. This method assumes that the file system of the disk where the object is located is NTFS. It is NTFS that provides a mechanism for assigning prohibiting and allowing options to all users. FAT systems cannot offer such distinctions.

Moreover, the imposed restrictions concern not the object itself but its location. If its location is changed, access is restored. It should also be understood that prohibiting options have a higher priority than allowing ones, so if the same setting is both allowed and prohibited, the prohibition is applied first.

First, we prohibit deletion for a specific user

However, such a restriction will be broader, since it has to deny full access.

First of all, open the context menu of the selected file and find the Properties item in it.

In the window that opens, go to the "Security" tab.

In the field of groups and users, select the desired user.

Click the "Change" button and, in the window that appears, check the boxes for the prohibiting settings in the list of group permissions.

Now let's save the changes made.

Let's continue the operation

Now we see that the prohibiting options are ticked.

So we set restrictions on full access, which also include the prohibition on deleting the object.

An attempt was made to open an image file from a prohibited location. Now let's try to remove it.

We agree with the warning

However, the following window pops up. Click "Continue".

The system still does not allow the object to be deleted.

We prohibit deleting a large number of objects

The same restriction mechanism can be applied to a large number of objects located in a single directory. In this case, the ban can be imposed for all users of the system. This kind of restriction (for everyone) can also be applied to a single file. To do this, we need to add a new user group ("Everyone") and then check the checkboxes of the prohibiting options.

Go back to the security tab

Click the "Advanced" button to open the advanced settings window.

Then select "Change Permissions":

In this window, select "Add".

In the window for selecting groups and users, type the new category "Everyone" and check the names.

After this procedure, the system will show the location for which restrictions are currently enforced. Next, you just need to click "OK" and agree with the pop-up warnings.

We agree to continue the operation

As you can see, we have a new group with special rights.

Here, these special rights are also visible.

Let's try to remove something from this directory.

We agree to move it to the Recycle Bin.

However, we see a familiar window that requires elevation of rights.

The system thinks a little...

However, it then reports that there is no way to delete the file from this location.

Summary

Many software tools have been created to restrict user access to file system objects. However, Windows has its own built-in tools. The NTFS file system allows you to set restrictive settings on a location for a specific user or for all users at once. Such restrictions may prohibit full access or only the deletion of one or more directories and files.
