0

I want to change a file to be permanently read-only and tried the solutions provided creating-read-only-pdf-file-using-python and change-file-to-read-only-mode-in-python.

However, in both cases it was still possible to edit the file and manually change it back to a read-only file.

Is there a way to prevent that, so that nobody could edit the properties or content of the file?

I thought about encrypting it, i.e. using SHA256 with a randomly created key, but that would render the file unreadable.

Morse
  • 8,258
  • 7
  • 39
  • 64
Seneo
  • 87
  • 1
  • 11
  • 2
    Instead of preventing file to be edited which is nearly impossible even on windows, why not have a checksum list to check and refuse work if checksum doesn't match valid checksums you have recorded before, – Abdurrahim Jan 27 '19 at 21:21
  • 1
    Impossible in general purpose computers. If a person can open a file on a device they control, they can find a way to do whatever they please with it. Exceptions would only be for files that are available on devices preinstalled *and* controlled by you that have no outside connections of any way (Internet/USB or whatever), *and* that won't be available for person to take away and disassemble/hack. – Gnudiff Jan 27 '19 at 21:37
  • 1
    What about putting a HMAC key in the application code, and then calculating a MAC authentication tag over the file? You could e.g. put the tag at the end of the file, in the meta data or even hex encoded in the filename. That way people may still change the file, but your application would detect that it has been changed and abort (i.e. the file would be tamper evident). Of course, if the people can read or change the key *in your python script* you'd still be in trouble. – Maarten Bodewes Jan 28 '19 at 03:33
  • 1
    As non-crypto solution: run your application as a different user, and make the file only editable by that user (or the group that the user is in). I guess on *nix that would be `chown` on the file & binary. – Maarten Bodewes Jan 28 '19 at 03:33
  • The non crypto solution wouldn't work in my case, as the file isn't allowed to be changed by anyone. The HMAC key would probably work better, I will look into that. If I convert the script into an .exe data, wouldn't that prevent anyone from changing the key in the script? – Seneo Jan 28 '19 at 09:40
  • 1
    Principally you cannot prevent a file to be changed. What can you do though - you can sign the file (e.g. by a document timestamping service or storing the hash separately) and you could at least validate the file hasn't been tampered with – gusto2 Jan 31 '19 at 12:04

2 Answers2

4

Is there a way to prevent that, so that nobody could edit the properties or content of the file?

No. As long as the file is on a writable device, it's always possible for a user to delete the file and replace it with a modified copy.

(And even if the file is on an immutable device, like a CD-ROM, the user can still create a modified copy of the entire device.)

-1

If you are one a Unix-like system you can use the chmod command in the terminal.

The chmod command has an equivalent in python

You might have to run your script is super-user to change some permissions.

Benoît P
  • 3,179
  • 13
  • 31
  • Already tried that as given in the links in the question. The file changed to read-only, but I only had to click in it and was able to write again – Seneo Jan 27 '19 at 23:11
  • I don't really know how it is implemented in python (it looks like it fails silently) but in shell you can restrict access to files using chmod, I don't know what access you want, and for who but chmod has been in Unix since the dinosaurs and has been working great. – Benoît P Jan 27 '19 at 23:17