prevent files from getting copied even though they have read permission
Hi there! I want to know how to let users compile a few Fortran files on a server (of which I am the administrator) from a remote location with the help of a user id and password and yet not be able to copy any of the files on to their local machine... and not even open the files to see what they consist of... (they have to have read permission if they have to be compiled...) How can I prevent them from being copied in spite of their having read permission?
Hmmm, this is kinda devilish. ERASE all the text editors! I like the evil tone. Seriously, if you erase the text editors and anything else not pertinent to compilation that's also able to view text, then it would be pretty hard to read the files. If all they do is compile and not modify, that doesn't sound like the fun programming I know. About copying files: just allow them to access your box using SSH, not SFTP. That should solve the problem. If I missed something, someone will likely correct me.
I think you are going to find that this is going to be quite difficult to prevent. If the user can read the contents then the file will probably get transferred. Even without sftp or scp, there are many ways to transfer the files. Some of your users will even go so far as to cut and paste between windows. Using just the ssh command, a user could do something like:
ssh user@server "cat /etc/hosts" > hosts
You might just want to create a policy to prohibit this.
Thanks Stick... but is it possible to disallow the copying of only certain files from the folder that I am giving the user access to while he has write permissions to the same folder? I mean to say that he can upload and download any number of files to the folder but cannot upload or open only a certain number of files which I don't want him to open or upload. He however can use the same files for linking with other files with the use of a compiler and a linker (which means I have to give the user read access to those files and yet he cannot copy them).
got any ideas??
Regarding your original question, could you please elaborate *why* you need this construction in the first place? I mean, if we know *why* then maybe we can help you explore alternative ways.
I remember handling a kinda similar case (IRC shell server) where users should be allowed compiling a bouncer without touching the source files. This may not apply to your specific case (hence a req for more background info) but what I suggested was separating the processes by preparing a full compiler chroot for an inert "nobody" type of user and only let the user submit a config (needs to be carefully parsed for malicious inserts). When OK'ed it would be dropped in the chroot, the binaries would be compiled and the resulting tarball dropped in, say, the local ftp tree for retrieval.
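The process separation described in the post above, as an added example that is not part of the thread: a build wrapper run under a dedicated account, so the submitting user never holds read permission on the protected object files. The account name `builder`, all paths, the `.bin`/`.log` naming and the rule that refuses `include` lines are assumptions made for this sketch.

```bash
#!/bin/bash
# Added example. Runs as a dedicated build account (assumed name: builder),
# reached through a single sudo rule, so submitters need no read access
# to the protected object files. All paths below are assumptions.
PROTECTED_DIR="${PROTECTED_DIR:-/srv/build/objs}"  # mode 0700, owner builder
OUT_DIR="${OUT_DIR:-/srv/build/out}"               # writable by builder only
FC="${FC:-gfortran}"                               # compiler to invoke
MAX_BYTES=1048576                                  # cap on submission size

# Accept only a plain, reasonably sized Fortran source file.
check_submission() {
    local src="$1" size
    [ ! -L "$src" ] && [ -f "$src" ] || { echo "not a regular file" >&2; return 1; }
    case "$src" in
        *.f|*.f90|*.for) ;;
        *) echo "not a Fortran source name" >&2; return 1 ;;
    esac
    size=$(wc -c < "$src")
    [ "$size" -le "$MAX_BYTES" ] || { echo "submission too large" >&2; return 1; }
    # The source may not name other files on the server. This is deliberately
    # strict: any line that starts with "include" or "#include" is refused.
    if grep -Eiq '^[[:space:]]*#?[[:space:]]*include' "$src"; then
        echo "include lines are not accepted" >&2; return 1
    fi
}

# Compile the submission in a private directory and link it with the
# protected objects; the result is executable but not readable by others.
build_submission() {
    local src="$1" user="$2" work out name rc=0
    case "$user" in
        ''|*[!a-z0-9_]*) echo "bad user name" >&2; return 1 ;;
    esac
    check_submission "$src" || return 1
    work=$(mktemp -d) || return 1
    name="user_src.${src##*.}"
    out="$OUT_DIR/$user.bin"
    # Compiler messages go to a per-user log the submitter may read.
    cp -- "$src" "$work/$name" &&
        ( umask 077 && cd "$work" && "$FC" -o "$out" "$name" "$PROTECTED_DIR"/*.o ) \
            > "$OUT_DIR/$user.log" 2>&1 &&
        chmod 0711 "$out" || rc=2
    rm -rf "$work"
    return "$rc"
}
```

Linux will execute a compiled binary that carries only the execute bit, so mode 0711 lets the submitter run the linked program without being able to read or copy it.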
This is what I basically want to do.. a complete desc.
Well, it's like this... the user should be able to upload a Fortran file which he has modified and compile it on the server and then link the resulting objective files with certain pre-existing objective files and create an executable. He will then run the executable on the server and will be able to open and read certain files which are created as a result of the execution. He will also be able to download those files which are created. So basically he can upload and download all files except the existing objective files which I don't want him to download or open. But I have to give him "read" permission for the same files or else he won't be able to link them with the other objective files which he has created from his own source files (which he has uploaded from his local machine) on the server. How can I do that?
I. Thanks for your reply, but you still haven't told me why!
Awaiting the reasons or an explanation of the application itself, here's some additional questions:
II. should be able to upload a fortran file which he has modified
How rigorous are these modifications? Are there many? Is there a common ground? Could certain mods be "grouped and prepacked" in sets? Any other repetitive patterns to be seen?
III. then link the resulting objective files with certain pre-existing objective files
Are all linkages unique? Are there many? Is there a common ground? Could they be "grouped and prepacked" in sets? Any other ways of coming up with patterns I've overlooked?
IV. He will then run the executable on the server
What privileges does this app need? In other words, what resources on the system does this app need (access to) and does running it as a lesser privileged user change any of the expected results?
V. and will be able to open and read certain files which are created as a result of the execution.
Where will the output files be created?
What type of files are created?
It sounds like the users are uploading files ONLY, and compiling them on the server and running the executable. But you do not want them to read the files or download anything. Like I said before, erase all text editors or change their permissions. Change "cat" permissions too. Whatever could be used to read files or otherwise view text, change their permissions.
By nature SSH alone cannot be used to copy files. SFTP will allow file transfer. If you want to allow them to write files to the server but not take them, then maybe edit the source code for the "get" command to make it unusable. Then again, also make it so they can't SSH out of your box or they could "put" the files somewhere else.
Again if we knew the reason for this situation that could help me iron out a better solution.