Restrict file access to append only
I have a directory with log files and I'm putting logs from a script launched by users into them. Logging with syslog doesn't seem possible in this case (non-daemon rsync).
I want the users to have only write permissions on the log files. The problem is that the write permissions must be further restricted, so that the users (the script) can only append to those files.
The underlying filesystem is XFS.
The following doesn't work:

# chattr +a test.log
chattr: Inappropriate ioctl for device while reading flags on test.log

Is there any other solution for this? Thank you for your hints.
Tags: linux permissions logs rsync xfs
edited Dec 31 '12 at 9:52
asked Dec 30 '12 at 16:28
metalhead
Are you sure it's XFS? chattr +a works for me here (3.2 kernel). Note that you need to be root to use chattr (a $ prompt suggests non-superuser), though you'd get a different error message if chattr +a was supported and you were not root.
– Stéphane Chazelas
Dec 30 '12 at 22:02
Also posted on Serverfault. Don't do this.
– Gilles
Dec 30 '12 at 23:34
What are the mount options on the partition? It might possibly store it using xattr, which might need the relevant mount option? (The documentation for XFS doesn't mention much about it either...)
– Gert van den Berg
Dec 31 '12 at 9:40
This was closed on SF, so I'm leaving it open here
– Michael Mrozek♦
Dec 31 '12 at 17:29
3 Answers
accepted
The chattr utility is written for ext2/ext3/ext4 filesystems. It emits ioctls on the files, so it's up to the underlying filesystem to decide what to do with them. The XFS driver in newer Linux kernels supports the same FS_IOC_SETFLAGS ioctl as ext[234] to control flags such as append-only, but you may be running an older kernel where it doesn't (CentOS?). Try using the xfs_io utility instead:

echo chattr +a | xfs_io test.log

Note that, for XFS like for ext[234], only root can change the append-only flag (more precisely, you need the CAP_LINUX_IMMUTABLE capability).
answered Jan 1 '13 at 1:47
Gilles
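Added example, not from the answer above and not part of e2fsprogs or xfsprogs: a small C program that makes the same FS_IOC_GETFLAGS/FS_IOC_SETFLAGS request chattr does and then checks which open(2) modes the kernel permits on the file, so an administrator can confirm that an append-only log really refuses overwrite and truncate. The two failure paths match the diagnostics discussed on this page: ENOTTY when the filesystem driver does not implement the ioctl (the error in the question), EPERM when it does but the caller lacks CAP_LINUX_IMMUTABLE. The function names are my own.

```c
#include <errno.h>
#include <fcntl.h>
#include <linux/fs.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/ioctl.h>
#include <unistd.h>

/* Set or clear FS_APPEND_FL via the FS_IOC_GETFLAGS/FS_IOC_SETFLAGS ioctls
 * chattr issues. Returns 0 or -errno: -ENOTTY = the filesystem driver lacks
 * the ioctl (the "Inappropriate ioctl for device" in the question); -EPERM =
 * it has it, but the caller lacks CAP_LINUX_IMMUTABLE. */
static int change_append_flag(const char *path, int enable)
{
    int flags = 0, rc = 0;
    int fd = open(path, O_RDONLY);
    if (fd < 0)
        return -errno;
    if (ioctl(fd, FS_IOC_GETFLAGS, &flags) < 0)
        rc = -errno;
    else {
        flags = enable ? (flags | FS_APPEND_FL) : (flags & ~FS_APPEND_FL);
        if (ioctl(fd, FS_IOC_SETFLAGS, &flags) < 0)
            rc = -errno;
    }
    close(fd);
    return rc;
}
int set_append_only(const char *path)   { return change_append_flag(path, 1); }
int clear_append_only(const char *path) { return change_append_flag(path, 0); }

/* Bitmask of write modes the kernel permits: 1 = O_WRONLY|O_APPEND (adding
 * lines) works; 2 = O_WRONLY without O_APPEND (overwrite/truncate) works.
 * With FS_APPEND_FL set the second open fails with EPERM: log probes as 1. */
int probe_write_modes(const char *path)
{
    int mask = 0, fd;
    if ((fd = open(path, O_WRONLY | O_APPEND)) >= 0) { close(fd); mask |= 1; }
    if ((fd = open(path, O_WRONLY)) >= 0)            { close(fd); mask |= 2; }
    return mask;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <logfile>\n", argv[0]); return 2; }
    int rc = set_append_only(argv[1]);
    if (rc) printf("FS_IOC_SETFLAGS failed: %s\n", strerror(-rc));
    printf("permitted write modes: %d (1 = append only, 3 = unrestricted)\n", probe_write_modes(argv[1]));
    return rc != 0;
}
```

Run it as root on the log file; on a kernel whose XFS driver lacks the ioctl it reports ENOTTY and the same flag can then be set with the xfs_io command from the answer.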
Do you have permissions to do that? From man 1 chattr:

A file with the `a' attribute set can only be open in append mode for writing. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.
answered Dec 30 '12 at 21:51
peterph
Alternatively, you can achieve the same using SELinux; chances are it's enabled and running if you are using a Red Hat-compatible distro. This works on every filesystem: SELinux blocks processes from performing disallowed operations.
Unfortunately, you need to write a policy for your application to allow accessing all system resources, except appending to particular file(s). This can be a bit challenging if you do this for the first time, but there is an advantage to this: an added layer of security.
I have an example of how to write an append-only file rule in this talk: https://www.youtube.com/watch?v=zQcYXJkwTns
answered Nov 26 at 8:05
lzap