How do I can linux flock command to prevent another root process deleting a file?

Question

Hello there, I would like to prevent one of my root process from deleting a certaing file. So I came across the flock command, it seems to fit my need, but I didnt get its sintax.

If I only indicate a shared lock, it doesnt work:
flock -s "./file.xml"

If I add a timeout parameter, it still doesnt work
flock -s -w5 "./file.xml"

It seems that way, it fits in flock [-sxun][-w #] fd# way.
(What is this fd# parameter?)

So, I tried the flock [-sxon][-w #] file [-c] command
Using flock -s -w5 "./file.xml" -c "tail -3 ./file.xml" and it worked, tail command at ./file.xml was executed.
But I would like to know, does the lock end after the command or does it last 5 seconds after the end of the command execution? My main question is, how can I prevent another root process deleting a file in linux?

Answer 1

No, flock does NOT prevent anyone from doing anything. Unix locks are ADVISORY, which means that they prevent other processes from also calling flock (or in the case of a shared lock, prevent another process using an exclusive one).

It doesn't stop root, or anyone else, from reading, writing or deleting the file.

In any case, even if it was a mandatory lock, it wouldn't stop the file being deleted, as it's the file being locked not the directory entry.

Answer 2

MarkR is correct chattr'ing the file will prevent it from being deleted.

-(~)-------------------------------------------------------------------------------------------------------(08:40 Mon Mar 29)
risk@DockMaster [2135] --> sudo chattr +i junk.txt
[sudo] password for risk: 
-(~)-------------------------------------------------------------------------------------------------------(08:40 Mon Mar 29)
risk@DockMaster [2136] --> sudo rm ./junk.txt 
rm: cannot remove `./junk.txt': Operation not permitted
zsh: exit 1     sudo rm ./junk.txt
-(~)-------------------------------------------------------------------------------------------------------(08:40 Mon Mar 29)
risk@DockMaster [2137] --> sudo rm -f ./junk.txt
rm: cannot remove `./junk.txt': Operation not permitted
zsh: exit 1     sudo rm -f ./junk.txt
-(~)-------------------------------------------------------------------------------------------------------(08:40 Mon Mar 29)
risk@DockMaster [2138] --> 

Answer 3

flock is not the right tool for this job. If you have a programme that is deleting files, you should not run that programme as root. You should run it as a different user. Unix has very good support for file permissions, but root is a god account. Root can do everything, and there are no permissions for root.