prevent files from getting copied even though they have read permission
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
prevent files from getting copied even though they have read permission
Hi there! I want to know how to let users compile a few fortran files on a server (of which I am the administrator) from a remote location with the help of a user id and password and yet not be able to copy any of the files on to their local machine.. and not even open the files to see what they consist of... (they have to have read permission if they have to be compiled..) how can I prevent them from being copied inspite of their having read permission?
Hmmm, this is kinda devilish. ERASE all the text editors! I like the evil tone. Seriously if you erase the text editors and anything else not pertinent to compilation thats also able to view text, then it would be pretty hard to read the files. If all they do is compile and not modify, that doesn't sound like the fun programming I know. About copying files. Just allow them to access your box using SSH, not SFTP. That should solve the problem. If I missed something someone will likely correct me.
hey thanx for the reply tar!
Could you advise me a bit further abt how to disallow users from accessing the server using anything other than SSH ??? (all kinds of FTP have to be barred)
hey one more q!... How to prevent users from copying files from the server even though I have given them "read" permission.. Is there any such option in SSH?
I think you are going to find that this is going to be quite difficult to prevent. If the user can read the contents then file will probably get transfered. Even without sftp or scp, there are many way to transfer the files. Some of your users will even go so far as to cut and paste between windows. Using just the ssh command, a user could do something like:
ssh user@server "cat /etc/hosts" > hosts
You might just want to create a policy to prohibit this.
Thanx Stick... but is it possible to disallow the copying of only certain files from the folder that I am giving the user access to while he has write permissions to the same folder. I mean to say that he can upload and download any number of files to the folder but cannot upload or open only a certain number of files which I dont want him to open or upload. he however can use the same files for linking with other files with the use of a compiler and a linker (which means I have to give the user read access to those files and yet he cannot copy them ).
got any ideas??
Regarding your original question, could you please elaborate *why* you need this construction in the first place? I mean, if we know *why* then maybe we can help you explore alternative ways.
I remember handling a kinda similar case (IRC shell server) where users should be allowed compiling a bouncer without touching the source files. This may not apply to your specific case (hence a req for more background info) but what I suggested was separating the processes by preparing a full compiler chroot for an inert "nobody" type of user and only let the user submit a config (needs to be carefully parsed for malicious inserts). When OK'ed it would be dropped in the chroot, the binaries would be compiled and the resulting tarball dropped in, say, the local ftp tree for retrieval.
This is what I basically want to do.. a complete desc.
well its like this... the user should be able to upload a fortran file which he has modified and compile it on the server and then link the resulting objective files with certain pre-existing objective files and create an executable. He will then run the executable on the server and will be able to open and read certain files which are created as a result of the execution. He will also be able to download those files which are created. So basically he can upload and download all files except the exisiting objective files which I dont want him to download or open. But I have to give him "read" permission for the same files or else he wont be able to link them with the other objective files which he has created from his own source files (which he has uploaded from his local machine) on the server. How can I do that?
I. Thanks for your reply, but you still haven't told me why!
Awaiting the reasons or an explanation of the application itself, here's some additional questions:
II. should be able to upload a fortran file which he has modified
How rigorous are these modifications? Are there many? Is there a common ground? Could certain mods be "grouped and prepacked" in sets? Any other repetitive patterns to be seen?
III. then link the resulting objective files with certain pre-existing objective files
Are all linkages uniq? Are there many? Is there a common ground? Could they be "grouped and prepacked" in sets? Any other ways of coming up with patterns I've overlooked?
IV. He will then run the executable on the server
What privileges does this app need? In other words, what resources on the system does this app need (access to) and does running it as a lesser privileged user change any of the expected results?
V. and will be able to open and read certain files which are created as a result of the execution.
Where will the output files be created?
What type of files are created?
It sounds like the users are uploading files ONLY, and compiling them on the server and running the executable. But you do not want them to read the files or download anything. Like I said before erase all text editors or change their permissions. Change "cat" permissions too. Whatever could be used to read files or otherwise view text change their permissions.
By nature SSH alone cannot be used to copy files. SFTP will allow file transfer. If you want to allow them to write files to the server but not take then maybe edit the source code for the "get" command make it unusable. Then again also make it so they can't SSH out of your box or they could "put" the files someone else.
Again if we knew the reason for this situation that could help me iron out a better solution.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.