How to block the possibility to change owner group?


Post by bryn1u » 2017/07/17 12:21:01

Hello,

Maybe it's a trivial question, but I'm trying and still wondering how I can block the possibility for a user to change the owner group if the user is the owner of that directory.
For example:

Code:

[bryn1u@proton ~]$ mkdir test
drwxrwr-x. 2 bryn1u bryn1u 4096 07-17 14:17 test


And now as root:

Code:

[root@proton bryn1u]# chown -R bryn1u:users /home/bryn1u/test
[root@proton bryn1u]# ls -ld /home/bryn1u/test
drwxrwr-x. 2 bryn1u users 4096 07-17 14:17 /home/bryn1u/test


Back to the user:

Code:

[bryn1u@proton ~]$ ls -ld test
drwxrwr-x. 2 bryn1u users 4096 07-17 14:17 test
[bryn1u@proton ~]$ chgrp bryn1u test
[bryn1u@proton ~]$ ls -ld test
drwxrwr-x. 2 bryn1u bryn1u 4096 07-17 14:17 test
[bryn1u@proton ~]$


As you can see, a normal user can change the owner group that was set by root. Is there any way to block it?


Re: How to block the possibility to change owner group?

Post by hunter86_bg » 2017/07/17 19:09:08

The only way I know is to set the extended attribute '+a' via:

Code:

chattr +a directory
but this will prevent anyone from deleting any file inside this directory, and this could lead to undesired results.
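
The chgrp in the question succeeds because on Linux the owner of a file may change its group to any group the owner is a member of. The audit script below is an added example, not part of the thread: it lists those groups for a path and reports whether an attribute such as the `chattr +a` from the reply is set. The function names are hypothetical, and it assumes GNU stat, with lsattr optional.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes GNU stat; lsattr is optional.

# Print the numeric GIDs the owner of PATH could move it to with chgrp:
# every group the owner belongs to, minus the group PATH already has.
chgrp_targets() {
    _owner=$(stat -c %u -- "$1") || return 2
    _current=$(stat -c %g -- "$1") || return 2
    if [ "$_owner" = "$(id -u)" ]; then
        _groups=$(id -G)                       # our own credentials
    else
        # Another user's file: look the owner up by name (needs a passwd entry).
        _groups=$(id -G "$(stat -c %U -- "$1")") || return 2
    fi
    for _g in $_groups; do
        [ "$_g" = "$_current" ] || printf '%s\n' "$_g"
    done
    return 0
}

# Succeed if PATH carries the append-only (a) attribute set by `chattr +a`,
# or the immutable (i) attribute, which also blocks ownership changes.
# No lsattr, or a filesystem without attribute support, counts as not locked.
attr_locked() {
    _flags=$(lsattr -d -- "$1" 2>/dev/null | awk '{print $1}')
    case "$_flags" in
        *a*|*i*) return 0 ;;
        *) return 1 ;;
    esac
}

# One-line audit. Exit status 0 means the owner can still change the group.
regroup_report() {
    _t=$(chgrp_targets "$1" | tr '\n' ' ')
    if attr_locked "$1"; then _l=yes; else _l=no; fi
    printf '%s locked=%s owner_can_chgrp_to=%s\n' "$1" "$_l" "${_t:-none}"
    [ "$_l" = no ] && [ -n "$_t" ]
}

# Usage: sh script.sh /home/bryn1u/test
if [ "$#" -gt 0 ]; then
    regroup_report "$1"
fi
```

An empty target list means the owner belongs to no other group, so there is nothing the owner could change the group to.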