Hi.

On Mon, Sep 25, 2017 at 11:33:50AM -0400, Gene Heskett wrote:
> > I mean, unless this is a laptop or a tablet or a phone or something.
> > Then it may be appropriate, because you might actually WANT your
> > resolv.conf file to be rewritten every time the wind changes
> > direction.
> >
> > For desktop machines with a static internal network configuration,
> > it's an abomination. And unfortunately it's not the only malevolent
> > fiend trying to usurp control of your resolv.conf file. There's also
> > dhclient, and network-manager, and systemd-resolved, and who knows
> > what else.
> >
> > See <https://www.cyberciti.biz/faq/dhclient-etcresolvconf-hooks/> for
> > some of your options. Of course, before you can apply any of those
> > suggestions, you have to seize back control of your resolv.conf file
> > in the first place. Make sure it's a FILE and not a symlink, and put
> > the correct content into it. Make sure name resolution works. Then
> > choose your favorite solution to keep the file under YOUR control.
>
> For me, it's a root session, and a "chattr +i resolv.conf"
> If for some reason you need to edit it later, you'll have to use the -i
> argument first. As long as that +i bit is set, it's protected from
> everything but a mke2fs.
A common misconception. Here's how a determined userspace can beat the
immutable bit:

# mkdir testetc
# touch testetc/resolv.conf
# chattr +i testetc/resolv.conf
# mv testetc/ testetc.orig
# mkdir testetc
# touch testetc/resolv.conf
# echo evil dns > testetc/resolv.conf

Of course you could try to counter that with "chattr +i /etc", but doing
*that* should break an unimaginable number of things.

If you really need an immutable /etc/resolv.conf you should try the
Read-Only Root Debian - [1].

[1] https://wiki.debian.org/ReadonlyRoot

Reco
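A defender-side check, added here and not part of either mail in the thread: it verifies what the quoted advice asks for (a real file, not a symlink, carrying the immutable attribute) and additionally records the file's inode, so that the directory swap shown above, which leaves the immutable file intact but puts a new file at the same path, shows up as an inode change. The function names, the constructed temporary tree and the 192.0.2.53 address are assumptions; GNU stat and lsattr from e2fsprogs are assumed to be installed.

```shell
#!/bin/sh
# Added example (not from the thread). chattr +i protects the inode, not the
# path: after the parent directory is moved aside and recreated, the path names
# a brand-new file. Remember the inode when you write resolv.conf and compare
# it later. Assumes GNU stat and e2fsprogs lsattr.

# 0 if $1 is a regular, non-symlink file.
resolv_is_regular_file() {
    [ -f "$1" ] && [ ! -L "$1" ]
}

# 0 if lsattr reports the immutable ('i') flag on $1. lsattr fails on
# filesystems without ext attributes (tmpfs etc.), which counts as not immutable.
resolv_is_immutable() {
    attrs=$(lsattr -d -- "$1" 2>/dev/null | awk '{print $1}')
    case "$attrs" in *i*) return 0 ;; *) return 1 ;; esac
}

# Print the inode number of $1 (record it right after writing the file).
resolv_inode() {
    stat -c '%i' -- "$1"
}

# 0 if $1 still has inode $2, 1 if the path now names a different file.
resolv_inode_matches() {
    [ "$(resolv_inode "$1" 2>/dev/null)" = "$2" ]
}

# Run all three checks, print each failure, return 0 only if all pass.
audit_resolv_conf() {
    path=$1; expected=$2; rc=0
    resolv_is_regular_file "$path" || { echo "FAIL: $path missing or a symlink"; rc=1; }
    resolv_is_immutable "$path"    || { echo "WARN: $path lacks the immutable flag"; rc=1; }
    resolv_inode_matches "$path" "$expected" \
        || { echo "FAIL: $path inode changed (expected $expected)"; rc=1; }
    return $rc
}

# Demonstration on a constructed tree (no root needed, so chattr is skipped):
# the directory swap from the thread replaces the file behind the path.
tmp=$(mktemp -d)
mkdir "$tmp/etc" && echo "nameserver 192.0.2.53" > "$tmp/etc/resolv.conf"
recorded=$(resolv_inode "$tmp/etc/resolv.conf")
mv "$tmp/etc" "$tmp/etc.orig" && mkdir "$tmp/etc"
echo "evil dns" > "$tmp/etc/resolv.conf"
audit_resolv_conf "$tmp/etc/resolv.conf" "$recorded" || echo "audit flagged the swap"
rm -rf "$tmp"
```

On a real system, store the recorded inode somewhere the swap cannot reach (for example in a root-owned file outside /etc or in your monitoring tool) and run audit_resolv_conf from cron.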