Isolating read access to only to one file only by another file.

jon_k · 08-13-2004, 07:07 PM

I'd like to be able to set up a server application that can only READ a certain file. Say a user owns a file called "server", I don't want the user to be able to gain access to the file "huh" but I wan't the server (which is under that persons username) to be able to access it.

Is this possible? And most importantly which way would I do this?

Regards,

jschiwal · 08-13-2004, 09:21 PM

If the file owner doesn't have read access for the owner (u) permission bit, then the file can't be read even if the group access allows it. You may want to test this. I read it in a 'Programming by Example' book.

I'm not sure that I understood the question. You want write only access to a certain directory for a user, to create a file that a server of some type uses?

Or perhaps you are thinking more of writing to a named pipe that the server has exclusive read access to?

foo_bar_foo · 08-13-2004, 10:12 PM

here is an example of the locking mechanism

Code:

#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

int main (int argc, char* argv[])
{
  char* file = argv[1];
  int fd;
  struct flock lock;

  printf ("opening %s\n", file);
  /* Open a file descriptor to the file.  */
  fd = open (file, O_WRONLY);
  printf ("locking\n");
  /* Initialize the flock structure.  */
  memset (&lock, 0, sizeof(lock));
  lock.l_type = F_WRLCK;
  /* Place a write lock on the file.  */
  fcntl (fd, F_SETLKW, &lock);

  printf ("locked; hit enter to unlock... ");
  /* Wait for the user to hit enter.  */
  getchar ();

  printf ("unlocking\n");
  /* Release the lock.  */
  lock.l_type = F_UNLCK;
  fcntl (fd, F_SETLKW, &lock);

  close (fd);
  return 0;
}

jon_k · 08-14-2004, 05:16 AM

Well... let me break it down in to this:

We have an account called john doe.
We also have an account called joe-sixpack

John doe has a server binary in /home/jondoe/server/bin/serverbinary
Joe sixpack has a server binary in /home/joesix/server/bin/serverbinary

Server binary has a config file that it loads located in /home/<user>/server/bin/config.conf

This config file loads plugins in a "centralized location" so we don't have to have such plugins/config files in each users account.

Server config file looks something like
loadplugin /home/shared/pluginbin/plugin.so /home/shared/plug-conf/plugin.conf
loadplugin /home/shared/pluginbin/plugin2.so /home/shared/plug-conf/plugin2.config

We want joesixpack and jon doe to:
Be able to:
Run the serverbinary under their own account name (and of course, the serverbinary needs access privilages to read the plugin and plugin config (but NOT to write))
To [b]NOT[b] be able to:
Give the user jondoe or joesixpack the ability to grab the the plugins or configuration for such from our '/home/shared' directory.

In otherwords we want the serverbinary who resides and executes under each user to be able to read plugins and configs

However we DON'T want the user itself to be able to read (download or view) the plugin it's config

So... in other words... have the serverbinary have read access to a file ---- have the user itself not have read-access
(Yet have the binary run under the users name)

So... in other words -- giving one indvidual file read-access to another file... rather than giving the entire user read-access

Is this impossible for this current setup we have?