Recently I am developing a feature where I need to protect a file from all users including the root. Most of the kernels do this by restricting the permissions stuff and/or attaching some special flags with the files notifying that this file should not be touched. While shaving this morning, I had a weird idea.
I want to protect a file, so restricting the permissions to root is an obvious thing to do here. But still root can modify this file. If I want to block root user as well, what if I had an another internal root like user? This would also be a root user, say a root cousin which is invisible to outside world. So in this case, root can read the file but can not modify it. I know this breaks the standard UNIX legacy we have that there is only one powerful god and that is root. What if we shatter this? There would be more than one god, so would there be a clash of titans? No, the rule is one god does not interfere with other god. The gods are read-only while interfering with another god. In this case, it gives an impression that root user is not able to modify certain file. Since internally this file is owned by root cousin, root is not able to change/modify it. So the change of behavior is quite noticeable. I don't know if this would be acceptable.
Since this root cousin is invisible to end user, he/she can not inherit root cousin privileges. And a root user can not change/modify the files that need to be protected.
This is a very simple idea and might have occurred to a lot of people. The moment I struck it, I felt like noting it down somewhere and thats why I am posting it here. I still need to figure out how to implement this. Will update about it soon.
Few basics on how to implement this. This root cousin needs a dedicated uid and gid at least for UNIX. This uid and gid can not be used by end user. Kernel uses this identifiers for its own protection. So there is no way an end user can make a file owned by root cousin. Only the kernel is able to use these dedicated uid and gid in order to protect some files even from root. So it is quite obvious that we should not use these root cousin privileges everywhere. Rather, its use should be kept to minimal. For files, we don't want even root to change/modify, we should make them own by root cousin. While displaying the file properties (ls command), should we display the dedicated uid and gid for root cousin or should we show root uid and gid instead? If we show root uid and gid, the end user will still have the illusion that these files are owned by root but they can not be changed/modified. Great!! This goes well with the UNIX methodology. Lots of questions are popping in my head. Will update again as I have more answers.
No comments:
Post a Comment