LinuxQuestions.org
Old 10-07-2003, 05:11 PM   #1
arnieboy
LQ Newbie
 
Registered: Aug 2003
Distribution: Ubuntu Breezy
Posts: 18

Rep: Reputation: 0
prevent files from getting copied even though they have read permission


Hi there! I want to know how to let users compile a few Fortran files on a server (of which I am the administrator) from a remote location with the help of a user id and password and yet not be able to copy any of the files on to their local machine.. and not even open the files to see what they consist of... (they have to have read permission if they have to be compiled..) how can I prevent them from being copied in spite of their having read permission?

Please be as explicit as you can in your answer
 
Old 10-07-2003, 08:35 PM   #2
tarballedtux
Member
 
Registered: Aug 2001
Location: Off the coast of Madadascar
Posts: 498

Rep: Reputation: 30
Hmmm, this is kinda devilish. ERASE all the text editors! I like the evil tone. Seriously, if you erase the text editors and anything else not pertinent to compilation that's also able to view text, then it would be pretty hard to read the files. If all they do is compile and not modify, that doesn't sound like the fun programming I know. About copying files. Just allow them to access your box using SSH, not SFTP. That should solve the problem. If I missed something someone will likely correct me.

--tarballedtux
 
Old 10-08-2003, 09:33 AM   #3
arnieboy
LQ Newbie
 
Registered: Aug 2003
Distribution: Ubuntu Breezy
Posts: 18

Original Poster
Rep: Reputation: 0
hey thanks for the reply tar!
Could you advise me a bit further about how to disallow users from accessing the server using anything other than SSH ??? (all kinds of FTP have to be barred)
 
Old 10-08-2003, 10:19 AM   #4
arnieboy
LQ Newbie
 
Registered: Aug 2003
Distribution: Ubuntu Breezy
Posts: 18

Original Poster
Rep: Reputation: 0
hey one more q!... How to prevent users from copying files from the server even though I have given them "read" permission.. Is there any such option in SSH?
 
Old 10-08-2003, 11:03 AM   #5
stickman
Senior Member
 
Registered: Sep 2002
Location: Nashville, TN
Posts: 1,552

Rep: Reputation: 53
I think you are going to find that this is going to be quite difficult to prevent. If the user can read the contents then the file will probably get transferred. Even without sftp or scp, there are many ways to transfer the files. Some of your users will even go so far as to cut and paste between windows. Using just the ssh command, a user could do something like:
ssh user@server "cat /etc/hosts" > hosts
You might just want to create a policy to prohibit this.
 
Old 10-08-2003, 11:22 AM   #6
arnieboy
LQ Newbie
 
Registered: Aug 2003
Distribution: Ubuntu Breezy
Posts: 18

Original Poster
Rep: Reputation: 0
Thanks Stick... but is it possible to disallow the copying of only certain files from the folder that I am giving the user access to while he has write permissions to the same folder. I mean to say that he can upload and download any number of files to the folder but cannot upload or open only a certain number of files which I don't want him to open or upload. he however can use the same files for linking with other files with the use of a compiler and a linker (which means I have to give the user read access to those files and yet he cannot copy them ).
got any ideas??
 
Old 10-08-2003, 11:39 AM   #7
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,369
Blog Entries: 54

Rep: Reputation: 2870
Regarding your original question, could you please elaborate *why* you need this construction in the first place? I mean, if we know *why* then maybe we can help you explore alternative ways.

I remember handling a kinda similar case (IRC shell server) where users should be allowed compiling a bouncer without touching the source files. This may not apply to your specific case (hence a req for more background info) but what I suggested was separating the processes by preparing a full compiler chroot for an inert "nobody" type of user and only let the user submit a config (needs to be carefully parsed for malicious inserts). When OK'ed it would be dropped in the chroot, the binaries would be compiled and the resulting tarball dropped in, say, the local ftp tree for retrieval.

Last edited by unSpawn; 10-08-2003 at 11:41 AM.
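
One way to apply the process separation described in the post above to the linking case from post #6, as an added example that is not code from any poster in this thread. The account name `builder`, the paths, the script name `flink` and the sudoers rule are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example: link wrapper meant to run as a dedicated account via sudo.
# Assumed (not from the thread): account "builder", the paths below, and a
# sudoers rule such as:  %students ALL=(builder) NOPASSWD: /usr/local/bin/flink
PROTECTED_DIR=${PROTECTED_DIR:-/srv/protected/obj}  # 0700, owner builder
OUT_DIR=${OUT_DIR:-/srv/build/out}                  # 0711, owner builder
FC=${FC:-gfortran}

# Accept only a plain Fortran file name: no path parts, no leading dash/dot.
valid_name() {
    case "$1" in
        ''|.*|-*|*/*) return 1 ;;
        *[!A-Za-z0-9._-]*) return 1 ;;
        *.f|*.f90) return 0 ;;
        *) return 1 ;;
    esac
}

# The submission must be a regular file, not a symlink to something else.
safe_source() {
    valid_name "$(basename -- "$1")" && [ -f "$1" ] && [ ! -L "$1" ]
}

# Compile a private copy, link it with the protected objects, and install
# the result execute-only for users. Prints the executable's path.
build() {
    safe_source "$1" || { echo "rejected: $1" >&2; return 2; }
    name=$(basename -- "$1")
    exe="$OUT_DIR/${name%.*}"
    work=$(mktemp -d) || return 1
    if cp -- "$1" "$work/$name" &&
       ( cd "$work" && "$FC" -c "$name" -o user.o ) &&
       "$FC" "$work/user.o" "$PROTECTED_DIR"/*.o -o "$exe" &&
       chmod 0711 "$exe"
    then rc=0; printf '%s\n' "$exe"
    else rc=1
    fi
    rm -rf -- "$work"
    return "$rc"
}

if [ "$#" -gt 0 ]; then build "$1"; fi
```

The linked executable still contains the protected object code, so this keeps users from reading the object files directly; it is not a guarantee of secrecy for code they are allowed to execute.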
 
Old 10-08-2003, 11:50 AM   #8
arnieboy
LQ Newbie
 
Registered: Aug 2003
Distribution: Ubuntu Breezy
Posts: 18

Original Poster
Rep: Reputation: 0
This is what I basically want to do.. a complete desc.

well it's like this... the user should be able to upload a Fortran file which he has modified and compile it on the server and then link the resulting objective files with certain pre-existing objective files and create an executable. He will then run the executable on the server and will be able to open and read certain files which are created as a result of the execution. He will also be able to download those files which are created. So basically he can upload and download all files except the existing objective files which I don't want him to download or open. But I have to give him "read" permission for the same files or else he won't be able to link them with the other objective files which he has created from his own source files (which he has uploaded from his local machine) on the server. How can I do that?

Last edited by arnieboy; 10-08-2003 at 11:51 AM.
 
Old 10-08-2003, 12:28 PM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,369
Blog Entries: 54

Rep: Reputation: 2870
I. Thanks for your reply, but you still haven't told me why!


Awaiting the reasons or an explanation of the application itself, here's some additional questions:
II. should be able to upload a fortran file which he has modified
How rigorous are these modifications? Are there many? Is there a common ground? Could certain mods be "grouped and prepacked" in sets? Any other repetitive patterns to be seen?

III. then link the resulting objective files with certain pre-existing objective files
Are all linkages unique? Are there many? Is there a common ground? Could they be "grouped and prepacked" in sets? Any other ways of coming up with patterns I've overlooked?

IV. He will then run the executable on the server
What privileges does this app need? In other words, what resources on the system does this app need (access to) and does running it as a lesser privileged user change any of the expected results?

V. and will be able to open and read certain files which are created as a result of the execution.
Where will the output files be created?
What type of files are created?
 
Old 10-08-2003, 03:12 PM   #10
tarballedtux
Member
 
Registered: Aug 2001
Location: Off the coast of Madadascar
Posts: 498

Rep: Reputation: 30
It sounds like the users are uploading files ONLY, and compiling them on the server and running the executable. But you do not want them to read the files or download anything. Like I said before erase all text editors or change their permissions. Change "cat" permissions too. Whatever could be used to read files or otherwise view text change their permissions.


By nature SSH alone cannot be used to copy files. SFTP will allow file transfer. If you want to allow them to write files to the server but not take, then maybe edit the source code for the "get" command to make it unusable. Then again also make it so they can't SSH out of your box or they could "put" the files someone else.

Again if we knew the reason for this situation that could help me iron out a better solution.

--tarballedtux
 
  


All times are GMT -5. The time now is 05:20 AM.
