Fedora Linux Support Community & Resources Center

  #1  
Old 12th July 2012, 10:27 PM
leojau Offline
Registered User
 
Join Date: Jun 2012
Location: Brazil
Posts: 7
Permissions - Special Case

Hi everyone,

My problem is: I have to create a user (admin maybe) with full permissions (rwx) to other users' (regular users) files without using the sudo command.

The system has a crontab job (as root obviously) that will remove all permissions when necessary from files I choose. So this new user that I need should be able to read and execute, but not to change the files or their permissions, because it won't execute as root.

Any ideas? Thanks.
Leonardo

p.s. I'm using Fedora13
Reply With Quote
  #2  
Old 14th July 2012, 08:47 AM
stevea Online
Registered User
 
Join Date: Apr 2006
Location: Ohio, USA
Posts: 8,845
Re: Permissions - Special Case

I think your question is confused ...

Quote:
Originally Posted by leojau View Post
I have to create a user (admin maybe) with full permissions (rwx) to other users' (regular users) files without using the sudo command.
This requirement has nothing to do with the discretionary access control (DAC) used on Linux and other POSIX OSes' file systems. A privileged user has special access; the file owner, members of the group-owner group and 'other' each have rwx permission sets. With the addition of ACLs (access control lists, a filesystem mount option) you can add additional group and user access permissions and also a mask. BUT there is a huge problem. The file owner, or the privileged user, can disable all these permissions. That's what discretionary means - it means access is at the discretion of the file owner.

The only way to necessarily have any permission to a file owned by someone else is to use the MAC (mandatory access control) schemes. One ultra simple MAC is to use root privileges like 'su'. Another more fine-grained is to use 'capabilities' and give the user the 'CAP_FOWNER' privilege as inheritable. Most fine-grained but complex is to write an SELinux policy.


Quote:
The system has a crontab job (as root obviously) that will remove all permissions when necessary from files I choose. So this new user that I need should be able to read and execute, but not to change the files or their permissions, because it won't execute as root.
In the first statement you say "with full permissions (rwx)" and now you say something different: "not change the files" means no write permission. "Not change permissions" means not owner (nor privileged) and you likely want no write permission for directories.





Quote:
Any ideas? Thanks.
Leonardo

p.s. I'm using Fedora13
Idea 1 - upgrade to a current Fedora.
Idea 2 - describe what you actually want to accomplish. You seem to want a special account that can read and execute everything. Do you really want to execute a non-executable file? Do you know what execute privilege means for a directory? Read "man chmod". Describe what the actual goal is.

There are ways to do something like this by creating a special privileged binary program - not a script tho'.
__________________
None are more hopelessly enslaved than those who falsely believe they are free.
Johann Wolfgang von Goethe
Reply With Quote
  #3  
Old 14th July 2012, 09:53 AM
leojau Offline
Registered User
 
Join Date: Jun 2012
Location: Brazil
Posts: 7
Re: Permissions - Special Case

I'll try to explain better... I'm also a little confused yet about the final result.

I'm working on an existing project and extending its capabilities. The system worked with a single server and multiple clients. It uses Fedora13.
My job is to make the system capable of running with multiple (N) servers and replicate the data between them.

I achieved the replication and my system works. It still needs improvements and one of them is trying to be solved here.
I'll describe the problem:
Server A has one of its files updated. Now it needs to replicate and make sure the other N servers have this same file version.
The problem occurs when servers A and B are updated locally at almost the same time before they spread their local update to the others. Update on A could override update on B, or B override A.

I have some daemon-like script that watches for these local updates and triggers the replication.
What I need is to develop a manner to lock the file inside the other N servers.
I need to develop a script that locks (no writing) the specified local files when necessary.

I can do that locking by "chmod a=rx myfile" being the owner of the myfile or as root (sudo ...).
These files that are locked could belong to a regular user (Joe) or could be system files like "/etc/group". This lock command will be given by a "crontab job" as root. That means it can lock or unlock anything.

Problem 1)
I will need a user's manager that will be capable of "rwx" any file inside the /home/ directory. That is problem number 1.
How do I do that? I haven't thought enough yet, but I'm pretty sure that the person operating this manager-user will not have root's password.
Let's focus on problem 1 for now.

I'm pretty new with Linux and I don't know yet how Linux permissions work, except for the -rwxr-xr-x Joe users meaning.
Thanks a lot for your help so far!

---------- Post added at 05:53 AM ---------- Previous post was at 05:42 AM ----------

Due to this System's nature, the Joe-like users have no access to any of its files. It's all isolated from them.

Last edited by leojau; 14th July 2012 at 09:49 AM.
Reply With Quote
  #4  
Old 14th July 2012, 10:51 AM
SlowJet Offline
Registered User
 
Join Date: Jan 2005
Posts: 5,048
Re: Permissions - Special Case

Interesting.

I am curious as to what type of files these are and how they get updated and why there is no
Office Document Dept., Database, Engineering Official red stamp, etc.
No data ownership (Base Data)?

This is what made Oracle, Mysql, Office Apps, (and some very powerful unix tools for their time.) and version control.

So the employees run the company and you do what you're told because you like your paycheck,
and it's interesting.

Hope it's not a manufacturing plant.

SJ
__________________
Do the Math

Last edited by SlowJet; 14th July 2012 at 11:06 AM. Reason: added version contol
Reply With Quote
  #5  
Old 14th July 2012, 08:00 PM
stevea Online
Registered User
 
Join Date: Apr 2006
Location: Ohio, USA
Posts: 8,845
Re: Permissions - Special Case

Quote:
Originally Posted by leojau View Post
I'll try to explain better... I'm also a little confused yet about the final result.

I'm working on an existing project and extending its capabilities. The system worked with a single server and multiple clients. It uses Fedora13.
My job is to make the system capable of running with multiple (N) servers and replicate the data between them.

I achieved the replication and my system works. It still needs improvements and one of them is trying to be solved here.
I'll describe the problem:
Server A has one of its files updated. Now it needs to replicate and make sure the other N servers have this same file version.
The problem occurs when servers A and B are updated locally at almost the same time before they spread their local update to the others. Update on A could override update on B, or B override A.
This is a synchronization problem and can be very hard to solve well.

Quote:
I have some daemon-like script that watches for these local updates and triggers the replication.
What I need is to develop a manner to lock the file inside the other N servers.
Creating a lock or a semaphore to prevent simultaneous access is the classical solution.
But what does the application do if it tries to update the file and fails to gain write permission ?

Quote:
I need to develop a script that locks (no writing) the specified local files when necessary.

I can do that locking by "chmod a=rx myfile" being the owner of the myfile or as root (sudo ...).
I think "chmod a-w myfile" is closer to what you want - you don't want to add read execute permission needlessly, you want to remove write access.

If I understand you correctly the problem is that you must create this 'lock' on all other systems BEFORE the first system can modify the file. That's very difficult to do accurately in the case another system is trying to create a lock on the same file at the same time. The fact that cron is involved puzzles me - maybe I don't understand your problem.


Quote:
These files that are locked could belong to a regular user (Joe) or could be system files like "/etc/group". This lock command will be given by a "crontab job" as root. That means it can lock or unlock anything.

Problem 1)
I will need a user's manager that will be capable of "rwx" any file inside the /home/ directory. That is problem number 1.
How do I do that? I haven't thought enough yet, but I'm pretty sure that the person operating this manager-user will not have root's password.
Let's focus on problem 1 for now.
How often does the cron job run ? What happens if the file to be locked has already been modified locally ?

The user-manager does what exactly - does it copy the modified files from the other servers ? Then remove the locks ?

You can create a privileged application (in C for example) that users may run, but it's unclear what this user-manager does.






Quote:
I'm pretty new with Linux and I don't know yet how Linux permissions work, except for the -rwxr-xr-x Joe users meaning.
Thanks a lot for your help so far!

---------- Post added at 05:53 AM ---------- Previous post was at 05:42 AM ----------

Due to this System's nature, the Joe-like users have no access to any of its files. It's all isolated from them.

==========================

Let me point to a few things just to give you some ideas to think about. I still don't understand your task well enough to describe a solution.


When a user logs into a system they are assigned a numerical userid (uid) and a list of several group-ids (gid) where there is one special primary gid. Each process also has a SELinux context.
Quote:
[stevea@crucibulum Desktop]$ id
uid=1020(stevea) gid=1020(stevea) groups=1020(stevea),10(wheel),1099(everyone) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
So this says my uid is 1020, my primary-gid is also 1020, and I belong to groups 'everyone', 'wheel' and have an SELcontext of "context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023".

If you have a basic POSIX DAC permission scheme (rwxrwxrwx) then you have a set of permissions for the file-owner, the file-group and 'other' or everyone else.
Quote:
[stevea@crucibulum Desktop]$ ls -l /tmp/8061.pdf
-r--------. 1 stevea stevea 226849 Jul 7 08:47 /tmp/8061.pdf
So this pdf file is owned by uid stevea(1020) has group-owner gid stevea(1020) and only grants read permission to the owner uid.

If you mount a filesystem with the 'acl' option, then we can introduce more permissions for more users per file. Like ....
Code:
[stevea@crucibulum Desktop]$ sudo mount -o remount,acl /
[stevea@crucibulum Desktop]$ getfacl /tmp/8061.pdf 
getfacl: Removing leading '/' from absolute path names
# file: tmp/8061.pdf
# owner: stevea
# group: stevea
user::r--
group::---
other::---
[stevea@crucibulum Desktop]$ setfacl -m u:pulse:rw /tmp/8061.pdf 
[stevea@crucibulum Desktop]$ setfacl -m g:wireshark:rwx /tmp/8061.pdf 
[stevea@crucibulum Desktop]$ getfacl /tmp/8061.pdf 
getfacl: Removing leading '/' from absolute path names
# file: tmp/8061.pdf
# owner: stevea
# group: stevea
user::r--
user:pulse:rw-
group::---
group:wireshark:rwx
mask::rwx
other::---

But the file owner is able to change these DAC properties at will.

==============

A non-owner user can gain the privileges of file owner by becoming root (see 'su' and 'sudo'), by running a program that grants privilege (see 'setuid' in "man chown"), or by running a program with 'capabilities' like CAP_DAC_OVERRIDE (see "man 7 capabilities", "man setcap", "man capsh"), so for example you might create a special copy of 'cat' that only group 'stevea' can execute that is capable of reading any file ....

# one time - root creates special 'cat' for stevea
sudo cp /usr/bin/cat /usr/bin/steveacat
sudo chgrp stevea /usr/bin/steveacat
sudo chmod uo-rwx /usr/bin/steveacat
sudo setcap cap_dac_override+ep /usr/bin/steveacat


So then members of group stevea can use this special copy of 'cat' to gain DAC (rwx) control of any file.

Quote:
[stevea@crucibulum Desktop]$ cat /root/.bashrc
cat: /root/.bashrc: Permission denied
[stevea@crucibulum Desktop]$ steveacat /root/.bashrc
# .bashrc

# User specific aliases and functions

alias rm='rm -i'
alias cp='cp -i'
....
So capabilities applied to a specific binary can give very specific privileges to specific users or groups.

It's better to grant privilege based on group membership rather than owner since then the user doesn't own the file and cannot change its DAC.


========================

Linux/UNIX has a concept of locking files,
man flock
man 2 flock
If one program has an exclusive lock, then no other can gain that,

It's possible to use shared file systems, like NFS, that can support file locking across a network.
========================
"man inotify" describes a scheme for watching for changes in files. A socket connection to a file can do similar.

========================

I *think* you want some way to have a central lock authority, perhaps across a network. It might make sense to custom-build a file lock & copy manager server. Unclear.
__________________
None are more hopelessly enslaved than those who falsely believe they are free.
Johann Wolfgang von Goethe

Last edited by stevea; 14th July 2012 at 08:02 PM.
Reply With Quote
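The flock(2) locking mentioned in the post above, as an added example that is not part of the thread: an updater takes a non-blocking exclusive lock on a side file, and a writer that cannot get it reports "busy" instead of overwriting, which also answers what the application does when it fails to gain access. Paths and function names are hypothetical; the lock is advisory and local to one host, so it only coordinates cooperating processes on the same server and, unlike `chmod a-w`, changes no permissions.

```python
import fcntl
import os
import tempfile


def try_lock(lock_path):
    """Take an exclusive, non-blocking flock; return the fd, or None if it is held."""
    fd = os.open(lock_path, os.O_RDWR | os.O_CREAT, 0o600)
    try:
        fcntl.flock(fd, fcntl.LOCK_EX | fcntl.LOCK_NB)
    except BlockingIOError:
        os.close(fd)
        return None
    return fd


def unlock(fd):
    fcntl.flock(fd, fcntl.LOCK_UN)
    os.close(fd)


def apply_update(path, data):
    """Replace path with data while holding path.lock; False means 'busy, retry later'."""
    fd = try_lock(path + ".lock")
    if fd is None:
        return False
    try:
        tmp = path + ".tmp"
        with open(tmp, "w") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.replace(tmp, path)  # atomic rename: readers see old or new, never half
        return True
    finally:
        unlock(fd)


def demo():
    """Constructed scenario: update from A, B refused while locked, B retried."""
    target = os.path.join(tempfile.mkdtemp(), "shared.conf")  # hypothetical file
    first = apply_update(target, "version from A\n")
    held = try_lock(target + ".lock")  # stands in for a replicator mid-copy
    refused = apply_update(target, "version from B\n")
    with open(target) as f:
        during = f.read()
    unlock(held)
    retried = apply_update(target, "version from B\n")
    with open(target) as f:
        after = f.read()
    return first, refused, during, retried, after


if __name__ == "__main__":
    print(demo())
```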
  #6  
Old 17th July 2012, 09:09 AM
leojau Offline
Registered User
 
Join Date: Jun 2012
Location: Brazil
Posts: 7
Re: Permissions - Special Case

I'll study a little about ACL (Access Control List) first, then I'll get back for more discussion. You're helping me a lot.
Thanks.
Reply With Quote
  #7  
Old 17th July 2012, 09:28 AM
stevea Online
Registered User
 
Join Date: Apr 2006
Location: Ohio, USA
Posts: 8,845
Re: Permissions - Special Case

Note that you can set 'default' ACLs for directories, and these are inherited by every file created in that directory.
May be of use - BUT it's at the discretion of the file or directory owner.
__________________
None are more hopelessly enslaved than those who falsely believe they are free.
Johann Wolfgang von Goethe
Reply With Quote
  #8  
Old 17th July 2012, 10:15 PM
leojau Offline
Registered User
 
Join Date: Jun 2012
Location: Brazil
Posts: 7
Re: Permissions - Special Case

Wow... messing with ACL I'm being able to solve problem#1...
Time to sleep now (7am here). I'll keep posting.
Thanks stevea

---------- Post added at 06:15 PM ---------- Previous post was at 06:53 AM ----------

For my problem #1:
I solved it using ACL. I created a new user called 'manager' and added special permissions for it.
I used: 'setfacl -R -m u:manager:rwx /home'
Now my manager can mess with users' files freely, without messing with root-specific files.

My system is accessed by the Joe-users through my middleware, that will only give them an isolated interface from what's happening in the server. They'll just access certain files and that's enough.
The manager-user is necessary to manage the files (add, delete, modify) accessed by Joe-users.

Is it clearer now?
I'll work on the sync/lock problem now.

Thanks for now
Reply With Quote
  #9  
Old 19th July 2012, 07:39 AM
leojau Offline
Registered User
 
Join Date: Jun 2012
Location: Brazil
Posts: 7
Re: Permissions - Special Case

Hi,

I tried setting the default through the command below but it didn't fully work:
[root@localhost gerente]# setfacl -R -m u:gerente:rwx /home
[root@localhost gerente]# getfacl /home/
getfacl: Removing leading '/' from absolute path names
# file: home/
# owner: root
# group: root
user::rwx
user:gerente:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:gerente:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

When creating new folders or files they won't give "gerente" the rwx permissions every time.
If I create a file or folder inside /home/ it will work, but if I create a new user through the system-config-users tool I'll get the result below:
[root@localhost gerente]# getfacl /home/qq/
getfacl: Removing leading '/' from absolute path names
# file: home/qq/
# owner: qq
# group: users
user::rwx
user:gerente:rwx #effective:---
group::r-x #effective:---
mask::---
other::---
default:user::rwx
default:user:gerente:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

Any ideas about that?

---------- Post added at 03:39 AM ---------- Previous post was at 03:38 AM ----------

I found a graphical tool that can help with managing ACLs.
It's called Eiciel (http://archive09.linux.com/feature/138169).
It can be found on Fedora repo.
Reply With Quote
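Why `gerente` shows `#effective:---` on /home/qq, as an added example that is not code from the thread: in a POSIX ACL the mask caps every named-user and group entry, and a chmod on a file that carries an ACL writes its group bits into the mask, so a home directory given mode 0700 after creation ends up with `mask::---` even though the default ACL was inherited. The function names are hypothetical, and that the user-creation tool sets the mode this way is an assumption.

```python
# Listing copied from the getfacl /home/qq/ output in the post above.
HOME_QQ = """\
# file: home/qq/
# owner: qq
# group: users
user::rwx
user:gerente:rwx #effective:---
group::r-x #effective:---
mask::---
other::---
default:user::rwx
default:user:gerente:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
"""


def parse_acl(text):
    """Split getfacl text into access and default entries: {(tag, qualifier): perms}."""
    access, default = {}, {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drops headers and "#effective" notes
        if not line:
            continue
        target = access
        if line.startswith("default:"):
            target, line = default, line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        target[(tag, qualifier)] = perms
    return access, default


def effective(entries):
    """Apply the mask to named users, the owning group and named groups."""
    mask = entries.get(("mask", ""))
    result = {}
    for (tag, qualifier), perms in entries.items():
        if tag == "mask":
            continue
        limited = tag == "group" or (tag == "user" and qualifier != "")
        if mask is not None and limited:
            perms = "".join(p if p == m else "-" for p, m in zip(perms, mask))
        result[(tag, qualifier)] = perms
    return result


def masked_out(entries):
    """Entries the mask reduces: {key: (granted, effective)}."""
    eff = effective(entries)
    return {key: (entries[key], eff[key]) for key in eff if entries[key] != eff[key]}


if __name__ == "__main__":
    print(masked_out(parse_acl(HOME_QQ)[0]))
```

`setfacl -m m::rwx /home/qq` raises the mask again, but it also makes `group::r-x` effective for every member of `users`, so review the group entry before widening the mask.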