[SOLVED] Symbolic Link with Reduced Access

gabs247 · 11-03-2019, 07:19 PM

Hi,

I've been trying to figure out if this is possible or not, and how to implement it?

I have a Source folder with files A, B and C.

I want to create a Limited Access Folder with only access to files A and B but not C. I don't want to duplicate the data.

I was thinking of a Symbolic link, and maybe adding permissions for a user to only see files A and B and not C?

The problem is, that I want to use a service account to access the two folders, Source and Limited and so then it'll have access to all the files anyway, so that wouldn't work?

Hope that makes sense, and someone may have a suggestion? Thanks

scasey · 11-03-2019, 07:38 PM

A link’s permissions are not relevant. links “inherit” the permissions of the file being linked to.
Whatever you set the ownership of the original file(s) to will be reflected in the link(s)

If you don’t want the limited user to see file C, just don’t create a link to file C in the limited folder...

gabs247 · 11-03-2019, 08:40 PM

Quote:

Originally Posted by scasey

A link’s permissions are not relevant. links “inherit” the permissions of the file being linked to.
Whatever you set the ownership of the original file(s) to will be reflected in the link(s)

If you don’t want the limited user to see file C, just don’t create a link to file C in the limited folder...

Yep, that's what I thought. So I'm wondering if there's a way to implement this scenario?

scasey · 11-03-2019, 08:45 PM

Quote:

Originally Posted by gabs247

So I'm wondering if there's a way to implement this scenario?

Um...

Quote:

Originally Posted by scasey

If you don’t want the limited user to see file C, just don’t create a link to file C in the limited folder...

berndbausch · 11-04-2019, 01:52 AM

Just in case file C must exist in the second folder but not be accessible, explore bind mounts. You bind mount the source directory to the destination, and if I am not wrong, you can apply your own permissions on the destination.

tshikose · 11-04-2019, 05:22 AM

Hi,

If you can keep all the required folders in a same file system (any ext? or xfs will do), you can then create hard links to files (thus not duplicating them) and assign different ownerships and permissions.

Code:

mkdir -p /tmp/source /tmp/alice /tmp/bob
date > /tmp/source/file

ln /tmp/source/file /tmp/alice/file
chown alice /tmp/alice/file
chmod 700 /tmp/alice/file

ln /tmp/source/file /tmp/bob/file
chown bob /tmp/bob/file
chmod 400 /tmp/bob/file

ls -il /tmp/source/file /tmp/alice/file /tmp/bob/file

ehartman · 11-04-2019, 11:19 AM

Quote:

Originally Posted by tshikose

If you can keep all the required folders in a same file system (any ext? or xfs will do), you can then create hard links to files (thus not duplicating them) and assign different ownerships and permissions.

As hardlinks link to the I-node itself and ownership and/or permissions are stored IN that I-node, when you change either of them they will be changed for BOTH of the links.
So in fact creating a hard link and then changing ownership or permissions works out as being the same as changing those for the original file.
There is only a single ownership/group and/or permissions field IN the I-node, the hard link is just "an extra filename" for that I-node/file.

tshikose · 11-05-2019, 03:54 AM

Hi,

Sorry my post #6 did not give the expected results.
I had not tested it before.
Please ignore it.

ehartman is right.

LinuxGeek46 · 11-06-2019, 06:55 AM

So this might seem counterintuitive but it will work regardless of where the file resides or links to it or the directory in which it resides.

First set the ownership of the file to that of the user you want to have no access to it and the group ownership to that of the group you do want to have access to it. Then set the permissions to 076 ---rwxrw- which says that the owner can not read, write or execute the file and that the group can do all three. Anyone else (Other) can read and write the file.

I hope this helps.

Peverel · 11-06-2019, 02:13 PM

Yes, LinuxGeek46, but an owner can change permissions herself, even then delete the file.

gabs247 · 11-06-2019, 03:37 PM

Quote:

Originally Posted by scasey

Um...

Apologies, I either didn't read this properly or only saw the Frist part in the email and replied quickly without reading the rest...but that seems so obvious now! Thanks for showing me what was in front of my eyes all along!

Basically, I need to come up with a script that only creates links to file that I want in the other location 👌

gabs247 · 11-06-2019, 03:38 PM

Thanks everyone for trying to come up with alternatives, but it seems the simplest solution is often the best (of only I'd realised it myself) ��

scasey · 11-06-2019, 03:43 PM

Quote:

Originally Posted by gabs247

Apologies, I either didn't read this properly or only saw the Frist part in the email and replied quickly without reading the rest...but that seems so obvious now! Thanks for showing me what was in front of my eyes all along!

Basically, I need to come up with a script that only creates links to file that I want in the other location 👌

No worries. "Forest for the trees," as they say.

If you want, you can mark the thread SOLVED using the thread tools at the top of the page.

rknichols · 11-06-2019, 03:49 PM

Keep in mind that anyone who sees the links in that "Limited Access" folder can simply go to the target directory and see all the files. There is no way to make a file or directory accessible only via a symlink. If the link resolver can follow the path, so can the user. You can make that directory "sort of" private by not giving the user "read" permission on the directory. That will prevent listing the contents of the directory, but any known (or guessed) file name can still be accessed.

gabs247 · 11-06-2019, 03:54 PM

The other users are my kids, I think I have a few more years before they figure out how to access a computer...and they don't have access to the server anyway, only via Plex (which is the other account I'm talking about, using Docker).