How can root user create file/directory unwritable for itself?
chattr +i *
will prevent even the root account from making changes to files in the directory (until chattr -i * is run).
Per Slartibartfast's comments, a few things you should know about chattr and the immutable attribute:
- The immutable bit will prevent a file from being deleted, renamed, linked to, or written to; use lsattr to display attributes in much the same way ls displays ownership and permissions
- You can prevent the immutable bit from being unset (even by root) by changing the CAP_LINUX_IMMUTABLE flag; to do so you'll want to install libcap, but it's only fair warning that capabilities are poorly documented (at best)
SELinux can be used to mark a file as unwritable by root in the current domain and user role.
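The following script is an added example, not code from the answer above: it locks a scratch directory and a file in it with the immutable attribute, checks with lsattr that the flag is set, confirms that root is refused on append, unlink, rename, hard link and creating a new entry, optionally shows with capsh (from libcap) that chattr -i fails once CAP_LINUX_IMMUTABLE is dropped, and then unlocks and cleans up. It goes one step beyond the answer's `chattr +i *` by also locking the directory itself, which is what stops new files from being created in it. Assumptions: it runs as root on a filesystem that supports chattr (ext4, xfs, btrfs), the scratch path given to immutable_demo is arbitrary and disposable, and the lsattr_is_immutable and append_blocked helpers are names chosen here. On a host where the prerequisites are missing (non-root, or a container without CAP_LINUX_IMMUTABLE) the demo returns 2 instead of pretending to succeed.

```shell
#!/bin/sh
# Added example (not part of the original answer). Assumes root on an
# attribute-aware filesystem; the scratch directory is an arbitrary path.

# Return 0 when one line of `lsattr` output carries the 'i' (immutable) flag.
# lsattr prints the flag field first, e.g. "----i---------e------- ./notes.txt".
lsattr_is_immutable() {
    flags=${1%% *}             # first whitespace-delimited field only
    case "$flags" in
        *i*) return 0 ;;       # lowercase i; uppercase 'I' (indexed dir) differs
        *)   return 1 ;;
    esac
}

# Return 0 when appending to $1 is refused by the kernel (or the path is unusable).
append_blocked() {
    if sh -c "printf 'tamper\n' >> \"$1\"" 2>/dev/null; then
        return 1
    fi
    return 0
}

# Exit codes: 0 = every operation was blocked as expected,
#             2 = could not run (not root, or no chattr support here),
#             1 = something root should have been denied actually succeeded.
immutable_demo() {
    dir=${1:?scratch directory required}
    [ "$(id -u)" -eq 0 ] || { echo "needs root"; return 2; }
    mkdir -p "$dir" && printf 'secret\n' > "$dir/notes.txt" || return 2

    # Lock the file (no write/rename/unlink/link) and the directory (no new
    # entries). The answer's `chattr +i *` covers only the directory's contents.
    if ! chattr +i "$dir/notes.txt" "$dir" 2>/dev/null; then
        echo "chattr not supported or not permitted here"
        chattr -i "$dir/notes.txt" "$dir" 2>/dev/null   # undo a partial success
        rm -rf "$dir"
        return 2
    fi

    status=0
    lsattr_is_immutable "$(lsattr "$dir/notes.txt")" || { echo "lsattr shows no 'i'"; status=1; }
    append_blocked "$dir/notes.txt" || { echo "append succeeded"; status=1; }
    rm -f "$dir/notes.txt" 2>/dev/null && { echo "unlink succeeded"; status=1; }
    mv "$dir/notes.txt" "$dir/renamed" 2>/dev/null && { echo "rename succeeded"; status=1; }
    ln "$dir/notes.txt" "$dir/link" 2>/dev/null && { echo "hard link succeeded"; status=1; }
    touch "$dir/new" 2>/dev/null && { echo "new entry in directory succeeded"; status=1; }

    # Informational: with CAP_LINUX_IMMUTABLE dropped from the bounding set
    # (capsh is part of libcap), root can no longer clear the flag.
    if command -v capsh >/dev/null 2>&1; then
        if capsh --drop=cap_linux_immutable -- -c "chattr -i \"$dir/notes.txt\"" 2>/dev/null; then
            echo "chattr -i succeeded with CAP_LINUX_IMMUTABLE dropped (unexpected)"
        else
            echo "chattr -i did not succeed with CAP_LINUX_IMMUTABLE dropped"
        fi
    fi

    # Unlock and clean up.
    chattr -i "$dir/notes.txt" "$dir" && rm -rf "$dir"
    return "$status"
}

# Usage (as root): sh immutable_demo.sh /tmp/immutable-demo
if [ -n "${1-}" ]; then
    immutable_demo "$1"
fi
```

Note that dropping CAP_LINUX_IMMUTABLE with capsh only affects that one process tree; making it stick for the whole system (so that root cannot simply open another shell and run chattr -i) is the part the answer warns is poorly documented, and it is not attempted here.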