Make File or Folder immutable/unchangeable

[rathorecdn]

Hello, all the knowledgeable person here...
I'm a newbie and I recently changed my system from bloody/monitoring monster windows 10 to ubuntu LTS.

I am perfectly alright with ubuntu as it works with all of my peripherals and it does everything i needed, but one thing is very serious that my son is watching pornography on my system, i have somehow blocked all the pornography sites using energized <violates forum rules> ultimate list using hosts file, but he is more knowledgeable than me he mutated the hosts file and continue to pornography.

I want to know that is there any way to completely block pornograhical material using hosts file by making hosts file immutable even by root user? And by freezing dns resolving file to opendns family shield dns because opendns also blocks proxy servers by default so there will be no way to go to adult sites.

I tries chattr. But the root user can use it to mutate files. I want root user also can not change/mutate file. Completely read only.

Please help me to resolve my issue.

Thanks in advance ..

[RIH]

I think this is a difficult ask.
My advice would be to give him access via a user that does not have Admin rights.
You will probably need to re-install the system, creating a new Admin profile for yourself with a new password & then create a non-Admin user for your son.

Here are a couple of sites offering advice on how to stop <violates forum rules> on your machine, but it, obviously, relies on the user that you wish to stop not knowing the root password.
https://itsfoss.com/how-to-block-<violates forum rules>-b ... on-ubuntu/
https://computer-tricks.com/block-<violates forum rules>- ... t-content/

EDIT
Sorry there is an automatic block on the word p o r n on this Forum.
You will need to alter the URLs above, substituting the **** with the letters p o r & n - no spaces..

[all41]

Hello, all the knowledgeable person here...
I'm a newbie and I recently changed my system from bloody/monitoring monster windows 10 to ubuntu LTS.

I am perfectly alright with ubuntu as it works with all of my peripherals and it does everything i needed, but one thing is very serious that my son is watching pornography on my system, i have somehow blocked all the pornography sites using energized **** ultimate list using hosts file, but he is more knowledgeable than me he mutated the hosts file and continue to pornography.

I want to know that is there any way to completely block pornograhical material using hosts file by making hosts file immutable even by root user? And by freezing dns resolving file to opendns family shield dns because opendns also blocks proxy servers by default so there will be no way to go to adult sites.

I tries chattr. But the root user can use it to mutate files. I want root user also can not change/mutate file. Completely read only.

Please help me to resolve my issue.

Thanks in advance ..

#to lock
sudo chattr +i <path to file or directory>
#to unlock
sudo chattr -i <path to file or directory>
#to make recursive
sudo chattr -R +i <path to file or directory>

read about:
man chattr

Don't lock yourself out.

[SimonPeter]

.....

- The best solution is to talk peacefully to your son and make him understand why ****ography is a devastating trap.
https://en.wikipedia.org/wiki/Opposition_to_****ography

- If your son has root privileges, he can certainly modify about anything on the system.
You must do a full reinstall, making yourself the only root (Admin) user (the user selected during installation) and add your son's user account later (as a standard user).

- Even if your son has no root privileges on that system, he has physical access to it.
So, he can undo changes to /etc/hosts , /etc/resolv.conf and any other files, using a Live USB (or some other live media) / booting into another environment (like a medium containing an OS your son has root access or plugging in the hard disk to another computer).

Ensure your son cannot access any of these (Live media, another computer etc., )

[all41]

You must do a full reinstall, making yourself the only root (Admin) user (the user selected during installation) and add your son's user account later (as a standard user).

Does not matter--son can still own the machine *.* easy-peazy
You cannot deny one with physical access.
The only security is encryption which is likely to be unreadable--but it can be moved or re-encrypted thus
denying access to the rightful owner

[SimonPeter]

You must do a full reinstall, making yourself the only root (Admin) user (the user selected during installation) and add your son's user account later (as a standard user).

Does not matter--son can still own the machine *.* easy-peazy
You cannot deny one with physical access.
The only security is encryption which is likely to be unreadable--but it can be moved or re-encrypted thus
denying access to the rightful owner

- Even if your son has no root privileges on that system, he has physical access to it.
So, he can undo changes to /etc/hosts , /etc/resolv.conf and any other files, using a Live USB (or some other live media) / booting into another environment (like a medium containing an OS your son has root access or plugging in the hard disk to another computer).
Ensure your son cannot access any of these (Live media, another computer etc., )

[SimonPeter]

....
The only security is encryption which is likely to be unreadable
....

This *may* be a way to make use of encryption + BIOS security + UNIX (Linux) security :
- Set a BIOS password that should be entered before booting external media (prevents your son from using external boot media for doing/watching bad things).
- Reinstall Linux with an encrypted / and /boot . The EFI System Partition (if any) must be on a separate medium (say, a pendrive) strictly under your custody.
You should be the only root (Admin) user ie. the user set up during installation. You can add your son afterwards, as a standard user.
- DO NOT DISCLOSE ANY PASSWORD(S) (that goes without saying).

To boot, do these:
- (If on a UEFI system) insert the USB pendrive with the EFI System Partition and press the Power button.
- Enter the password the decrypt /boot (and /) -- without anyone looking around.
- Remove the pendrive as soon as possible.

Still, there are many vulnerabilities in this method, like your son installing a keylogger via the BIOS, a hardware keylogger (this possible because he has physical access) etc.,
Note that a hardware keylogger is relatively easy to install and is able to defeat almost all your attempts (it records everything you type).

[SimonPeter]

....

It may be simpler and more effective to set up a Pi-hole ( https://pi-hole.net/ ) on your home network, which blocks various lists to block bad things, block common proxies, enforce SafeSearch on common searchengines, block common Public DNSes etc.,

You may also set up the DNS server(s) on your router (although this is easier to bypass).

NOTE: Ensure that your son has no physical access to the router and Pi-hole. Also ensure that he has no other means to access the internet.

- The best solution is to talk peacefully to your son and make him understand why ****ography is a devastating trap.
https://en.wikipedia.org/wiki/Opposition_to_****ography

[Aztaroth]

I am perfectly alright with ubuntu as it works with all of my peripherals and it does everything i needed, but one thing is very serious that my son is watching pornography on my system, i have somehow blocked all the pornography sites using energized **** ultimate list using hosts file, but he is more knowledgeable than me he mutated the hosts file and continue to pornography.

I want to know that is there any way to completely block pornograhical material using hosts file by making hosts file immutable even by root user? And by freezing dns resolving file to opendns family shield dns because opendns also blocks proxy servers by default so there will be no way to go to adult sites.

Please help me to resolve my issue.

I'm not sure you're seizing how high the stakes are, so apologizes to be blunt :
What you describe is clearly an addiction of your son's and should not be treated with administrator rights but with a therapy else he'll always be searching ways to circumvent whatever you'll set.
His addiction may :
- cost you very much if one day he slips to look at illegal material (young people involved, ...)
- jeopardize his whole emotional life thinking a "normal" woman does everything a male wants even if he comes home with the whole football team.
So, don't try to be a system administrator. Better be the parent who cares for his son I'm sure you are. That will be the best help. Or be ready to face the consequences described above some day...

[rathorecdn]

thank you very much all the valuable persons who answered me by typing this much long information and spending your valuable time for me.

i have searched and made the standard system account for my son, and i have revoke his internet surfing rights for that account, so he is not able to connect internet.

thank you, very much....

[kevin987]

thank you very much all the valuable persons who answered me by typing this much long information and spending your valuable time for me.

i have searched and made the standard system account for my son, and i have revoke his internet surfing rights for that account, so he is not able to connect internet.

thank you, very much....

If he knows what he's doing, he might get a USB stick and try to bypass your restrictions. He could set that up at a friend's place or wherever.

So you may need to password restrict your actual internet connection. Somewhat inconvenient.

[axrusar]

I would work on educating, counseling and boosting his confidence so he will get a girlfriend. Just going against his will by implementing (baypassable) technology locks will not work. Then you have the meta chit coming with more VR pr0n in the horizon

[SimonPeter]

thank you very much all the valuable persons who answered me by typing this much long information and spending your valuable time for me.

i have searched and made the standard system account for my son, and i have revoke his internet surfing rights for that account, so he is not able to connect internet.

thank you, very much....

What you describe is clearly an addiction of your son's and should not be treated with administrator rights but with a therapy else he'll always be searching ways to circumvent whatever you'll set.
...
So, don't try to be a system administrator. Better be the parent who cares for his son I'm sure you are. That will be the best help. Or be ready to face the consequences described above some day...

These are some ways that may be used to bypass your restrictions (and fixes for some of them):
1) There is also the possibility of booting in "Recovery mode" via the GRUB menu -- this takes him to a root shell (!).

2) He can also edit the kernel's command line (via the GRUB menu) and add some parameters.
eg. 1 to get directly into a root shell or init=/bin/bash and mount -o remount,rw / / to get into a root shell.

These 2 methods are widely available on the internet (eg: https://www.howtogeek.com/howto/linux/r ... s-or-less/).
Fix: set a GRUB password -- https://help.ubuntu.com/community/Grub2/Passwords .

3)

If he knows what he's doing, he might get a USB stick and try to bypass your restrictions. He could set that up at a friend's place or wherever.

So you may need to password restrict your actual internet connection. Somewhat inconvenient.

Even password restricting your actual internet connection will not do.
4) After getting a root shell, the network password(s) can be read from cat /etc/NetworkManager/system-connections/* (with only appropriate information, filtered with grep : cat /etc/NetworkManager/system-connections/* | grep -i -e 'ssid=' -e 'psk=' ).
This method is also widely available on the internet (eg: https://www.geeksforgeeks.org/wi-fi-pas ... dowslinux/ ).

5)

Still, there are many vulnerabilities in this method, like your son installing a keylogger via the BIOS / inserting a hardware keylogger (this possible because he has physical access) etc.,
Note that a hardware keylogger is relatively easy to install and is able to defeat almost all your attempts (it records everything you type).

[Hoser Rob]

... My advice would be to give him access via a user that does not have Admin rights....

That'd be what I'd try. Create a new user for him and do not include that acct in the sudoers group (which means no admin rights).

The hosts file is in /etc, which is part of the root (/) file system in Linux. Without a sudo password you cannot modify anything in root. So no more messing with the hosts file.