How can a new user be given write/chmod permissions to a single file and write/chmod permissions for that...
I have a friend (with root access) that wants to prevent himself from having write access to /etc/hosts. I'm wondering if he can create a new user, give me the passcode for that new user, grant that new user write permissions for the file and then remove write permissions and chmod permissions for that file from root. Is something like this or something similar in effect possible?
root chmod
asked Jan 3 at 15:55
BlandCorporation
If it's a case of blocking access to web/internet hosts via /etc/hosts another possibility is to use something like OpenDNS - which you can set at the router. There are relatively easy workarounds, but that's true for /etc/hosts entries too.
– pbhj
Jan 3 at 16:49
1 Answer
Nope, the root user can not possibly be restricted. If you have root access, you can do everything and also revert all kinds of protections one could think of.
Besides, you should normally not directly use the root account anyway but log in as a regular user and use sudo to run single commands with elevated permissions. This also helps prevent some accidental changes, compared to always operating in a root shell.
To further protect against accidental modification, you could make the file immutable using
sudo chattr +i /etc/hosts
to prevent modifications by everybody, including root and system processes (which might be something that could cause trouble depending on the file and what you're doing with it). But still, root can lift that protection again.
To sum it up, with great powers (root login or sudo access) comes great responsibility. If your friend thinks they must be prevented from altering system files like that, they should not have administrative access to the machine.
answered Jan 3 at 16:07
Byte Commander
Perhaps I've misread the situation but it's worth noting that modifications will be recorded, that the system can be set to log sudo commands; you could have off-site journals to get around local modification of log files, but it starts getting super convoluted IMO. (Maybe point a private webcam at the computer.)
– pbhj
Jan 3 at 16:54
An excellent, concise answer that covers all the bases. This is the right way to look at the problem.
– user535733
Jan 3 at 17:02
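The answer notes that root can lift the immutable flag again, and the comment above notes that sudo commands can be logged. As an added example (not part of the original answer or comments), this script scans sudo log lines for commands that remove the flag from /etc/hosts, otherwise name the file, or open a root shell; the log lines, the user alice and the host box are constructed samples in sudo's syslog format.

```sh
#!/bin/sh
# Added example: flag sudo log entries that concern a protected file.
# PROTECTED and the sample log lines are assumptions made for illustration.
PROTECTED=/etc/hosts

# Constructed sample input in the format sudo writes to syslog.
sample_log() {
cat <<'EOF'
Jan  3 16:10:01 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/chattr +i /etc/hosts
Jan  3 16:12:40 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt update
Jan  3 16:15:22 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/chattr -i /etc/hosts
Jan  3 16:15:30 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/tee -a /etc/hosts
Jan  3 16:20:05 box sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/bash
EOF
}

# Read sudo log lines on stdin and print "KIND user command" for each hit:
#   UNLOCK  chattr removing the i (immutable) flag from the protected file
#   TOUCH   any other sudo command that names the protected file
#   SHELL   a root shell, inside which single commands are no longer logged
scan_sudo_log() {
    awk -v target="$PROTECTED" '
    /sudo/ && /COMMAND=/ {
        split($0, part, " ; ")            # part[1] ends "sudo: USER : TTY=..."
        n = split(part[1], w, " ")
        user = w[n - 2]
        cmd = $0; sub(/^.*COMMAND=/, "", cmd)
        argc = split(cmd, arg, " ")
        prog = arg[1]; sub(/^.*\//, "", prog)   # basename of the program
        names = 0; drops = 0
        for (i = 2; i <= argc; i++) {
            if (arg[i] == target) names = 1
            if (arg[i] ~ /^-[A-Za-z]*i[A-Za-z]*$/) drops = 1
        }
        kind = ""
        if (prog == "chattr" && names && drops) kind = "UNLOCK"
        else if (names) kind = "TOUCH"
        else if (prog ~ /^(sh|bash|dash|zsh|su)$/) kind = "SHELL"
        if (kind != "") print kind, user, cmd
    }'
}

sample_log | scan_sudo_log
```

On Ubuntu the real input would be the sudo entries in /var/log/auth.log, for example `scan_sudo_log < /var/log/auth.log`. As the comment points out, a user with root can also edit local logs, so the scan is only trustworthy on a copy kept off the machine.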