On Thu, Aug 03, 2017 at 08:49:05PM +0200, Pascal Hambourg wrote:
> On 03/08/2017 at 15:52, Zenaan Harkness wrote:
> >On Thu, Aug 03, 2017 at 08:53:27AM -0400, Greg Wooledge wrote:
> >>But the problem is, various Unix DHCP client daemons do *too much*.
> >>All I want them to do is set the IP address, netmask, and gateway.
> >>I *don't* want them to change the system hostname, or the system
> >>resolv.conf (in which I have hand-placed *our* DNS search domain and
> >>*our* DNS resolvers).
> >
> >Well, making /etc/resolv.conf read-only, owned by root.root
>
> ... is just useless. resolv.conf is already owned by root, DHCP
> client daemons run as root and on Linux systems root (uid 0) ignores
> read/write permissions.

That's what chattr +i is for. Don't forget to do chattr -i on the file
whenever *you* want to change it :-)

(For me, it's a satisfying feeling when I see the culprits whining in
the logs that they cannot write to the file, but that may be my hidden
sadistic alter ego).

Cheers
-- tomás
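The chattr -i / edit / chattr +i cycle mentioned in the message above, wrapped so the flag is always put back. This is an added example, not part of the original thread; the function names `is_immutable` and `with_mutable` and the `CHATTR`/`LSATTR` override variables are hypothetical.

```sh
#!/bin/sh
# Added example: helpers around chattr/lsattr (e2fsprogs) for a file pinned
# with the immutable flag. Function names and the CHATTR/LSATTR override
# variables are hypothetical, not taken from the message above.
CHATTR=${CHATTR:-chattr}
LSATTR=${LSATTR:-lsattr}

# is_immutable FILE: succeed if the lsattr flag field for FILE contains 'i'.
is_immutable() {
    _flags=$("$LSATTR" -d "$1" 2>/dev/null | awk '{print $1}')
    case $_flags in
        *i*) return 0 ;;
        *)   return 1 ;;
    esac
}

# with_mutable FILE CMD [ARGS...]: clear +i, run CMD, then set +i again,
# also when CMD fails. Returns CMD's exit status, or:
#   2 FILE is a symlink, 3 FILE was not immutable to begin with,
#   4 clearing the flag failed, 5 restoring the flag failed.
with_mutable() {
    _file=$1
    shift
    if [ -L "$_file" ]; then
        # resolv.conf is often a symlink (resolvconf, systemd-resolved);
        # the flag has to be managed on the real file, so stop here.
        echo "with_mutable: $_file is a symlink" >&2
        return 2
    fi
    if ! is_immutable "$_file"; then
        echo "with_mutable: $_file is not immutable, nothing to guard" >&2
        return 3
    fi
    "$CHATTR" -i "$_file" || return 4
    _rc=0
    "$@" || _rc=$?
    if ! "$CHATTR" +i "$_file"; then
        echo "with_mutable: could not restore +i on $_file" >&2
        return 5
    fi
    return "$_rc"
}

# Usage (as root):
#   with_mutable /etc/resolv.conf vi /etc/resolv.conf
#   is_immutable /etc/resolv.conf && echo "still pinned"
```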