Implement shell file protection in Linux

Overview

This article will show you how to protect your files from unauthorized access using the Linux file system permissions, and how to use chmod command to set permissions for a specific user or group of users.

Besides the Linux file permission mechanisms that help us keep our files safe from misuses, most Linux shells have built-in safeguards against accidental file overwrite. We’ll cover some of them here.

Protecting Files With noclobber

All POSIX shell implementations support the noclobber option. If you're using a shell script, meaning the shell will complain if you try to overwrite an existing directory.

By default, because of tradition, the noclobber option is disabled by default. To turn it on for bash or ksh, run the following command −

set -o noclobber

To use csh or tcsh when running scripts, we’ll first need to set an environment variable called “csh

set noclobber

If we set the noclobber option, then when we attempt to overwrite a file, Bash will complain: "File exists."

set -o noclobber
touch temp.txt          # Create temp.txt file
echo "Hello" > temp.txt # Try to overwrite file contents
-bash: temp.txt: cannot overwrite existing file

Using cshell (or tcsh), the error message is slightly more cryptic −

set noclobber
touch temp.txt # Create temp.txt file
echo "Hello" > temp.txt # Try to overwrite file contents
temp.txt: File exists

We should note that we're not protecting against file overwriting by redirections. If you remove the file using the command line tool rm, redirect its output to another file using the shell operator “>>”, or write to the file from within an application, then everything will be fine.

Overriding Protections

We can either disable the noclobbers restriction by returning to the default behaviour by disabling the shell options or temporarily overriding them. For example, if we want to disable the noclobbing restriction for the current session, we could run the following command −

set +o noclobber

"In tcsh/csh," this means −

unset noclobber

To temporarily override the noclobber behavior, our shell processes provide special redirection operators: “>!” and “>|” respectively. Let’s show our original example using bash −

set -o noclobber
touch temp.txt # Create temp.txt file
echo "Hello" > temp.txt # Try to overwrite file contents
-bash: temp.txt: cannot overwrite existing file
echo "Hello" >| temp.txt # Overwrite file contents using override operator

When using tcsh, we’ll just replace “>|” with “>!” −

set noclobber
touch temp.txt # Create temp.txt file
echo "Hello" > temp.txt # Try to overwrite file contents
temp.txt: File exists
echo "Hello" >! temp.txt # Overwrite file contents using override operator

Example: Truncating a Logfile

An example where we might want to use this feature would be when truncating a log file. Therefore, logs tend to be left open by services that keep them. Because of this, we're often unable to remove them as the operating systems keeps track of open file handle. To truncate the logs, we redirect /dev/* to the files −

/dev/null >| my_logfile.log

This solution has an additional benefit: It doesn't update the modified date when the contents stay the same. So if you run the redirect in cron and the content stays empty, the modified date will show the last change made by the script.

If you want to use the command-lne redirection method but don't want to use the -s flag, another option is to use truncate. The next example will have the same result as the previous one, which will resize the file to zero.

truncate -s 0 my_logfile.log

The truncate (truncate) function has another advantage, as it lets us resized our log files to any size. The next example will shrink our log files to 50 MB −

truncate -s 50M my_logfile.log

Conclusion

Here, we discuss the noclobber command and how we can implement shell file protection. We also cover the use of truncates as an optional tool for file resizing.