1

I have a question about file permissions for the owner of a file.

0400 permission means the owner has read access. 0600 means that the owner has read + write access.

But even if the file is set to 0400, the owner always has the possibility of changing the permissions, so the file is virtually writable by the owner all the time.

My question is: is there a way of preventing the owner of the file from using chmod?

The concrete use case is for the user www-data that runs Apache. I want the web app files to be set at 0400, so they can't be edited by the app itself in case of a security breach.

Thank you

4
  • One way to make strategic files secure is by putting them on read-only media, e.g., flash card or USB drive with physical write switch, or CD/DVD. That way even a malefactor as sudo cannot modify data. Of course, that's only of use for static files. Commented Jul 12, 2023 at 14:38
  • 1
    Does www-data really have to own the files?
    – Daniel B
    Commented Jul 12, 2023 at 14:47
  • Have you reviewed this canonical question on ServerFault? serverfault.com/questions/357108/… Commented Jul 12, 2023 at 14:49
  • Your question is too broad. File ownership is one important issue, but the minute you bring a security breach into the question, you must clearly define the type of security breach. Some types have no solution as the penetrator now owns the entire OS. Other types can be mitigated with file ownership, chroot, and other mechanisms. If a question requires a book to answer, it is too broad and not well-focused. Commented Jul 12, 2023 at 18:30
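
An added example, not part of the original thread: the first function reproduces what the question describes (a 0400 file reopened by its owner), and the second lists the paths under a web root that the service account owns, which is what Daniel B's comment is asking about. The function names, the temporary directory and the sample file are constructed; `stat -c` assumes GNU coreutils.

```shell
#!/bin/sh
# Added example; paths and file contents below are constructed.

# Set a file to 0400, then restore write access as its owner and append to it.
# Prints "<mode before> <mode after>" to show the mode bits did not bind the owner.
owner_can_reopen() {
    f=$1
    chmod 0400 "$f" || return 1
    before=$(stat -c '%a' "$f")        # GNU stat assumed
    chmod u+w "$f" || return 1         # permitted because the caller owns the file
    printf 'modified\n' >> "$f" || return 1
    after=$(stat -c '%a' "$f")
    printf '%s %s\n' "$before" "$after"
}

# Audit: print every path under directory $1 owned by user $2 (name or uid).
# For each of these, 0400 is only a default that the owner can undo.
owned_by_service_user() {
    find "$1" -user "$2" -print
}

# Stand-alone demonstration on a throwaway tree owned by the current user,
# standing in for a web root owned by www-data.
demo() {
    root=$(mktemp -d) || return 1
    mkdir -p "$root/app"
    printf '<?php // constructed sample\n' > "$root/app/index.php"
    echo "mode before/after owner chmod: $(owner_can_reopen "$root/app/index.php")"
    echo "paths the account owns (and can therefore chmod):"
    owned_by_service_user "$root" "$(id -u)"
    rm -rf "$root"
}

demo
```

On a real host the audit would be called with the web root and `www-data`; an empty result means the running application cannot chmod any of those files.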
