topic how to make a file write-able but not modifiable through editor in Operating System - HP-UX

how to make a file write-able but not modifiable through editor

Muhammad Ahmad — Tue, 13 Jan 2009 07:46:19 GMT

Hi,

Good Day!

i wanna make .sh_history secure, like the user can't modify this file by means of any text editor or through other ways like echo output redirection commands, the purpose behind the scene is to maintain the integrity of user's command history file.

Any idea?

-Br
-Muhammad Ahmad

Re: how to make a file write-able but not modifiable through editor

Jeeshan — Tue, 13 Jan 2009 07:58:36 GMT

you can use chatr command to change the internal attribute

#man chatr

Re: how to make a file write-able but not modifiable through editor

Ivan Krastev — Tue, 13 Jan 2009 08:25:08 GMT

chatr is for programs/libraries.

On Linux you can do it with chatr, but i don't know something similar under HP-UX.

regards,
ivan

Re: how to make a file write-able but not modifiable through editor

VK2COT — Tue, 13 Jan 2009 08:52:51 GMT

Hello,

Did you try setacl (similar to setfacl for
Linux and Solaris)?

Cheers,

VK2COT

Re: how to make a file write-able but not modifiable through editor

Dennis Handly — Tue, 13 Jan 2009 10:58:13 GMT

You can't do this. If the shell can write to the file so can the user.

If you want to monitor what users do, you'll have to use a different tool.

Re: how to make a file write-able but not modifiable through editor

Elmar P. Kolkman — Tue, 13 Jan 2009 13:12:27 GMT

I guess there is a way: after the shell is started, move the history file to a directory that is not accessible by the user... Since the shell has the file already open, it will keep on writing, but the user cannot access the file.

I haven't tried, but it should work... It's like removing the syslog.log file without triggering the syslogd to re-create the file... It will keep on writing to the deleted file.

Re: how to make a file write-able but not modifiable through editor

Dennis Handly — Wed, 14 Jan 2009 04:20:21 GMT

>Elmar: Since the shell has the file already open, it will keep on writing, but the user cannot access the file.

I'm not sure this will work if you create a new shell by invoking a script. It is going to want to use $HISTFILE, which isn't there.

Re: how to make a file write-able but not modifiable through editor

Elmar P. Kolkman — Wed, 14 Jan 2009 05:51:25 GMT

No problem... It will just create a new one ;-)

Re: how to make a file write-able but not modifiable through editor

PW HP-UX Support Team — Wed, 14 Jan 2009 18:37:17 GMT

You can always install the B1 version of Unix and all your file level security problems will go away !~)

Re: how to make a file write-able but not modifiable through editor

TTr — Wed, 14 Jan 2009 18:54:03 GMT

The .sh_history (or whatever $HISTFILE is set to) is NOT a command security tool, it is just that a "command history" for the user. The shell that writes to it IS running as the same user so in order to move it to a nonaccissible area, you have to have an SUID script/command doit as part of the login profile. And this will only make a copy of it each time the user logs in and a new one will be started in the default location.
To complicate the scenario think on what would happen if a user logged in on several different concurrent or overlapping sessions.
In any case a smart user can purge or delete the history file during the shell and as they log out so there is nothing left to look at. Or they can unset the HISTFILE as soon as they login.
Bottom line is don't rely on the history file for investigative work on your users.
Look into trusted system and user accounting setups for user command tracking.