I am running RHEL5 and have several users accessing the samba share from Windows machines. The share contains several documents for users to read and we monitor their usage. But recently some of them have started copying these documents locally to their machines. Is there a way to set an ACL on those documents to read only and no copy? These are in PDF format.
No, there isn't anything like no-copy permissions.
One solution might involve the reader program running on a remote server with the display displayed on the client machine. Then the user would have to resort to cut & paste or screen capture.
The pdf files wouldn't be on a share in that case, but accessible by the program running remotely.
For Linux clients, using ssh & x-forwarding might work. If you had Cygwin/X installed on the Windows client machines, you could use the same solution. Cygwin/X would install an X11 server on the Windows clients.
I'm not certain how best to allow launching a pdf reader remotely without allowing ssh logins. Perhaps using a ForceCommand entry (in sshd_config) inside a Match block. The sshd_config has details on this. I don't know if this will work with "ssh -X" however.
The short answer: No - if a file can be read it can be copied.
The long answer: Force them to view the pages via a web browser which renders to bitmaps. They can still copy, but it will be a huge nuisance and the quality will be poor. They will never be able to print high quality copies either.
One other possibility (but I can't be 100% sure - it's been 4 years since I read the PDF1.5 spec) is to use encryption and certificates. The PDF will have a URL which calls back to the server - if the request comes from the internal network blah blah blah, then the certificate is verified - otherwise rejected. That's the best you can do really - let them copy something they can't read.
Overall, your question suggests to me that you have something wrong with your methods and policies. It sounds like you have files which need to be accessible only via a secure client which sits in a room and has no physical access to any storage devices or any software means of transmitting the files (i.e. email or even printing to anything but a 'secure' printer). These are the kind of restrictions you need to live with if you want the level of security that you seem to be suggesting.
Thanks guys for replying back. The environment where we are right now requires a team of people going into learning mode, and the documents in PDF are accessed for this purpose from different projects and locations on this particular samba share. Maybe as a last resort I can try putting them as an ebook, disabling all options. But pinipped, I will look into the options in PDF to create a link to call another one. Can you give me more info on that? I can bring Adobe Professional in for this purpose. Will that do the trick? Either way the content is protected from modification. But it's the redistribution of these documents outside our company's boundaries that we want stopped. Not sure where ssh is involved here, as they access it directly from a samba share. Will look into what you told as well, jschiwal.
If you'll be spending that amount of money, Adobe would probably be happy to answer questions before you buy. Just ask if there's some way to set up so that you have to be using a computer on site to read the files - just tell them your situation (people copying and walking off with training material). They probably get these sorts of requests from industry all the time, which is why encryption and signed certificates were introduced.
I only know that the PDF can refer to other files via a URL, so I was just hypothesizing that this feature can be exploited to provide the cipher key to people on site. Like I said, it's been a very long time since I read the specs (and they've been modified twice since then).
The idea of using ssh is because you would run a PDF viewer program on the server, and move the PDF files from a samba share to a directory that users don't have access to. Ssh can forward X11 to the user so that the program window is displayed on the user's computer even though it is running on a remote machine. The remote machine has access to the PDF files but the user doesn't. Adobe also has an acroread program for Linux so Windows users wouldn't notice much difference.
There may be some work if you want to configure shortcuts to start Cygwin's X11 server and auto run a viewer.
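
The ForceCommand-in-a-Match-block idea from the replies above, written out as an added example that is not part of the thread or any poster's own code. The group name `pdfreaders`, the paths `/srv/training-docs` and `/usr/local/bin/pdf-view.sh`, and the `VIEWER` variable are assumptions; the wrapper treats the client's requested command as a document name and validates it before launching the viewer.

```shell
#!/bin/sh
# Added example: wrapper run by sshd via ForceCommand. Matching sshd_config
# block (group name and script path are assumptions):
#
#   Match Group pdfreaders
#       X11Forwarding yes
#       AllowTcpForwarding no
#       ForceCommand /usr/local/bin/pdf-view.sh
#
# sshd places whatever the client asked to run in SSH_ORIGINAL_COMMAND.
# It is treated here as a bare document name, never executed.

# Assumed location: readable on the server, not exported over Samba.
DOC_DIR="${DOC_DIR:-/srv/training-docs}"

# Print the full path of a requested document, or fail.
resolve_doc() {
    name=$1
    case $name in
        # Empty, contains '/', starts with '.', or has any other character.
        ''|*/*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    case $name in
        *.pdf) ;;
        *) return 1 ;;
    esac
    path="$DOC_DIR/$name"
    # Regular file only; refuse symlinks that could point outside DOC_DIR.
    [ -f "$path" ] && [ ! -L "$path" ] || return 1
    printf '%s\n' "$path"
}

main() {
    doc=$(resolve_doc "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "usage: ssh -X <server> <document>.pdf" >&2
        return 1
    }
    [ -n "${DISPLAY:-}" ] || { echo "X11 forwarding required (ssh -X)" >&2; return 1; }
    # acroread is the viewer named in the thread; VIEWER is an assumed override.
    exec "${VIEWER:-acroread}" "$doc"
}

# Run only when started by sshd for a login session.
if [ -n "${SSH_CONNECTION:-}" ]; then
    main
fi
```

ForceCommand applies to shell, command and subsystem requests alike, so an interactive login or an scp/sftp attempt from a member of the group reaches this wrapper and is refused by the name check.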