- 08-13-2010 #1Just Joined!
- Join Date
- Aug 2010
- Posts
- 5
first octet of chmod does not work?
Hi!
I.
Here it goes according to 'ls': dr-x..
~ # ls -ld /proc
dr-xr-xr-x 134 root root 0 2010-08-13 18:58 /proc/
---------- /proc/ is not writable. So next is correct
~ # touch /proc/rwtest
touch «/proc/rwtest»: No such file or directory
~ #
II.
Here it does not (obviously next is correct for OS functioning)..
~ # ls -ld /sys
drwxr-xr-x 134 root root 0 2010-08-13 18:58 /sys/
---------- /sys/ is writable!
~ # touch /sys/rwtest
touch «/sys/rwtest»: No such file or directory
~ #
III.
~ # mkdir TMP
~ # chmod 500 TMP
~ # ls -ld TMP
dr-x------ 2 root root 48 2010-08-13 18:59 TMP/
~ # touch TMP/rwtest
~ # ls -lR TMP
TMP:
-rw-r--r-- 1 root root 0 2010-08-13 18:59 rwtest
~ #
rwtest-file was created by root in directory with dr-x------!
Should it be so?
Please..
One question only:
Why does 'chmod 500..' not work?
Thanks and good luck!
13-VIII-2010
- 08-14-2010 #2Just Joined!
- Join Date
- Mar 2005
- Location
- Corona, CA
- Posts
- 29
Rule #1: Never, ever mess around as the root user. You're going to end up crashing your system, losing valuable data, or both. Only use root when necessary, and it's better to get used to using sudo instead of just being the root user.
Not every directory you see is actually files on the disk (/proc is actually memory). Some directories or filesystems can have overriding mount options, or the user may have a umask that will cause files created by the user to have different permissions (do a 'man umask' to learn more about that).
- 08-14-2010 #3Just Joined!
- Join Date
- Aug 2010
- Posts
- 5
to neildomo
Thanks for fast and considerate reply
I had to mention what it's for, sorry
The goal is to get 'read-only PATH'
(
ie:
dr-xr-xr-x ... bin/
dr-xr-xr-x ... lib/
dr-xr-xr-x ... sbin/
)
-
Still does not work:
~ # umask u=,g=,o=; mkdir fu; touch fu/bar; ls -lR fu
fu:
---------- 1 root root 0 2010-08-14 13:00 bar
-
'ro PATH' with rw root filesystem is possible:
linuxquestions.org read-only-path-822055/
But when under root privileges 'chmod 500..' will do what it claims
'ro PATH' would be made just like that, isn't so?
- 08-16-2010 #4Just Joined!
- Join Date
- Mar 2005
- Location
- Corona, CA
- Posts
- 29
Why do you want to make a directory read-only for everyone, including root? If you create a file owned by root, and "chmod 755", then only root can write to it, which I would consider normal (because no one should be using root user).
- 08-18-2010 #5Just Joined!
- Join Date
- Aug 2010
- Posts
- 5
Dear neildomo!
> no one should be using root user
Is it always so: " no one should be "?
Once my comp was attacked when I was staring at the screen..
Even "reset" was helpless..
Then 'ro PATH' is more safe (i.e. power break or kitten dancing on kbd), isn't it?
Is there somewhere a working example
(HOWTO to make a directory read-only for everyone)?
Thanks
ps
Seems strange things pop up:
- 'ls' doesn't reflect 100% of real situation
- 'chmod ...' doesn't make all changes correctly
- nothing is mentioned in their man pages
- 08-20-2010 #6Just Joined!
- Join Date
- Mar 2005
- Location
- Corona, CA
- Posts
- 29
I'm having a bit of difficulty understanding your meaning, but I'll give it a shot.
root(superuser) is the one user that should have access to everything. Because of this it should be used minimally, only when necessary. Use sudo to do your tasks, avoid logging into a computer as root. Many systems are set such that you can only log in as root at the console.
If you really want to make something read-only, make a filesystem, put your data on it, then mount that with ro options.
On my Linux box /lib, /sbin, and /bin are owned by root, and only root has access (755, or rwxr-xr-x). If root cannot write to these directories, you won't be able to install anything into these dirs.
There is a program called aide, which can watch all the files on your system to see if any have changed. I'd recommend wiping your system, doing a fresh install, installing aide, then running it daily to see what has changed. Read the docs, there are files that will normally change daily. Also, /var/log/secure and /var/log/messages can give you information about people logging in.
selinux and iptables can be a pain to learn, but they can also increase the security of your computer significantly. It all depends on how much effort you want to put into it. Google these terms, there will be plenty of reading material.
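Added example (not from any poster in this thread): a POSIX shell sketch that prints, for each directory in a PATH-style list, the mode bits `ls -ld` shows next to whether the calling user can actually write there; for root that is normally yes whatever the bits say, because root bypasses the mode-bit checks. The function names are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread.

# mode_string DIR -> first 10 characters of `ls -ld`, e.g. dr-xr-xr-x
mode_string() {
    ls -ld -- "$1" | cut -c1-10
}

# write_bits MODE -> classes whose w bit is set ("u", "ug", "ugo", ...) or "none"
write_bits() {
    out=""
    case $1 in ??w*) out="${out}u" ;; esac
    case $1 in ?????w*) out="${out}g" ;; esac
    case $1 in ????????w*) out="${out}o" ;; esac
    printf '%s\n' "${out:-none}"
}

# effective_write DIR -> "yes" if the shell's access test says the calling
# user may write to DIR, "no" otherwise. For root this is normally "yes"
# even when write_bits reports "none".
effective_write() {
    if [ -w "$1" ]; then echo yes; else echo no; fi
}

# audit_path "dir1:dir2:..." -> one line per existing directory:
#   <mode> <write bits> <effective write for caller> <dir>
audit_path() {
    old_ifs=$IFS; IFS=:
    for d in $1; do
        IFS=$old_ifs
        [ -d "$d" ] || continue
        m=$(mode_string "$d")
        printf '%s %s %s %s\n' "$m" "$(write_bits "$m")" "$(effective_write "$d")" "$d"
    done
    IFS=$old_ifs
}

audit_path "$PATH"
```

Run it once as an ordinary user and once as root: for a `dr-xr-xr-x` directory the write-bits column stays `none` in both runs, while the effective-write column is normally `no` for the ordinary user and `yes` for root.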
- 08-20-2010 #7Just Joined!
- Join Date
- Aug 2010
- Posts
- 5
> ... difficulty understanding your meaning,
I guess this difficulty is: "Why I want 'ro PATH'?"
Because:
Even getting (by outsider or insider) the root privileges
will be not enough for making immediate changes
> ... read-only, make a filesystem, put your data on it, then mount that with ro options.
it is OK for /boot,/usr,/opt, ...
but meanwhile it's not possible for /bin,/lib,/sbin
> ... you won't be able to install anything into these dirs.
a simple script:
chmod 755
OS-changes
chmod 555
If there would be official choice between current OS
and the same OS with 'ro PATH'
Which one is preferable?
Dear man!
Big and many Thanks for 'aide'. My feelings about it ... something great
ps
Still: "Is there somewhere a working example:
HOWTO make a directory dr-xr-xr-x? Thanks"
pps
any difficulty in understanding my meaning.. Tell me please
- 08-20-2010 #8
that isn't true, once you have root access you can change directory permissions back to 755 anyway
rxrxrx is 555, your exercise is fairly pointless though
if someone is getting access to your machine then you aren't taking proper security precautions to protect it, and I would advise you start with the basics like setting up firewall and using secure passwords
- 08-22-2010 #9Just Joined!
- Join Date
- Aug 2010
- Posts
- 5
> if someone is getting access ...
With 'ro PATH' if someone got access then next step is changing directory permissions
and such change can be made complicated by replacing corresponding programs by script-traps
With 'rw PATH' PATH-dirs are "naked" ...



