HPE Community
Operating System - HP-UX
1753849 Members
7777 Online
108807 Solutions
New Discussion юеВ

how to make a file write-able but not modifiable through editor

 
Muhammad Ahmad
Frequent Advisor

тАО01-12-2009 11:46 PM

тАО01-12-2009 11:46 PM

how to make a file write-able but not modifiable through editor

Hi,

Good Day!

i wanna make .sh_history secure, like the user can't modify this file by means of any text editor or through other ways like echo output redirection commands, the purpose behind the scene is to maintain the integrity of user's command history file.



Any idea?

-Br
-Muhammad Ahmad
0 Kudos
Reply
9 REPLIES 9
Jeeshan
Honored Contributor

тАО01-12-2009 11:58 PM

тАО01-12-2009 11:58 PM

Re: how to make a file write-able but not modifiable through editor

you can use chatr command to change the internal attribute

#man chatr
a warrior never quits
0 Kudos
Reply
Ivan Krastev
Honored Contributor

тАО01-13-2009 12:25 AM

тАО01-13-2009 12:25 AM

Re: how to make a file write-able but not modifiable through editor

chatr is for programs/libraries.

On Linux you can do it with chatr, but i don't know something similar under HP-UX.

regards,
ivan
0 Kudos
Reply
VK2COT
Honored Contributor

тАО01-13-2009 12:52 AM

тАО01-13-2009 12:52 AM

Re: how to make a file write-able but not modifiable through editor

Hello,

Did you try setacl (similar to setfacl for
Linux and Solaris)?

Cheers,

VK2COT
VK2COT - Dusan Baljevic
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

тАО01-13-2009 02:58 AM

тАО01-13-2009 02:58 AM

Re: how to make a file write-able but not modifiable through editor

You can't do this. If the shell can write to the file so can the user.

If you want to monitor what users do, you'll have to use a different tool.
0 Kudos
Reply
Elmar P. Kolkman
Honored Contributor

тАО01-13-2009 05:12 AM

тАО01-13-2009 05:12 AM

Re: how to make a file write-able but not modifiable through editor

I guess there is a way: after the shell is started, move the history file to a directory that is not accessible by the user... Since the shell has the file already open, it will keep on writing, but the user cannot access the file.

I haven't tried, but it should work... It's like removing the syslog.log file without triggering the syslogd to re-create the file... It will keep on writing to the deleted file.
Every problem has at least one solution. Only some solutions are harder to find.
0 Kudos
Reply
Dennis Handly
Acclaimed Contributor

тАО01-13-2009 08:20 PM

тАО01-13-2009 08:20 PM

Re: how to make a file write-able but not modifiable through editor

>Elmar: Since the shell has the file already open, it will keep on writing, but the user cannot access the file.

I'm not sure this will work if you create a new shell by invoking a script. It is going to want to use $HISTFILE, which isn't there.
0 Kudos
Reply
Elmar P. Kolkman
Honored Contributor

тАО01-13-2009 09:51 PM

тАО01-13-2009 09:51 PM

Re: how to make a file write-able but not modifiable through editor

No problem... It will just create a new one ;-)
Every problem has at least one solution. Only some solutions are harder to find.
0 Kudos
Reply
PW HP-UX Support Team
Frequent Advisor

тАО01-14-2009 10:37 AM

тАО01-14-2009 10:37 AM

Re: how to make a file write-able but not modifiable through editor

You can always install the B1 version of Unix and all your file level security problems will go away !~)

0 Kudos
Reply
TTr
Honored Contributor

тАО01-14-2009 10:54 AM

тАО01-14-2009 10:54 AM

Re: how to make a file write-able but not modifiable through editor

The .sh_history (or whatever $HISTFILE is set to) is NOT a command security tool, it is just that a "command history" for the user. The shell that writes to it IS running as the same user so in order to move it to a nonaccissible area, you have to have an SUID script/command doit as part of the login profile. And this will only make a copy of it each time the user logs in and a new one will be started in the default location.
To complicate the scenario think on what would happen if a user logged in on several different concurrent or overlapping sessions.
In any case a smart user can purge or delete the history file during the shell and as they log out so there is nothing left to look at. Or they can unset the HISTFILE as soon as they login.
Bottom line is don't rely on the history file for investigative work on your users.
Look into trusted system and user accounting setups for user command tracking.
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.