Re: creating a user with only read permissions on all files



Maxwell Lol wrote:

Tim Greer <tim@xxxxxxxxxxxxx> writes:

Maxwell Lol wrote:

Rahul <nospam@xxxxxxxxxxxxxx> writes:

Goal: "Create a user that has only read access (no w and x) to
*all* non- root files overriding any permissions users might have
set"

Ah. Sorry for missing that part. So if someone sets a file to 700,
you want this special account to be able to read it.

Perhaps the best thing to do is to use sudo, so your special user
can do commands like ls and more with root permission.

Unfortunately, he wants to be able to read the file, but not be able
to modify it, etc., and most commands you could strictly set sudo
permission to use, could be used to modify the file by the hand of a
malicious user (if that user ever got access to the account

I'm not sure how "ls" would modify a file.

The OP wants to read the file, not list it, and why I replied with the
information I did.

And for "more" to modify a file, that's a good point. He's have to go
into edit mode, and I'm not sure if sudo will prevent this.

They want this via a cronjob, I don't think more would be what they
want, more likely cat, grep, head, tail, or a bunch of others, but you
need to be careful with things like cat. I'm sure the right command
and disallowing arguments to prevent redirecting output or passing
other commands could be safe, too, so yeah, there are other options
with sudo.

I suppose
one could make a "safemore" command that defines EDITOR and VISUAL to
be /bin/true or somesuch.

I am not sure if this is for someone untrusted, or a way for Rahul to
browse without harming a system.

Well, there are a few ways to go about it in a safe way, but it does
need to be carefully done. I agree that I don't think giving any user
access to read only is a great idea across the system if you can't
trust them, but it could be done in any of a few ways to help make it
safer, especially if there's going to be a nopassword cron job doing
it. For that matter, they should create an extra user with no login
possible and just run the cron with sudo for a specific command and it
would add a little extra protection.
--
Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
Industry's most experienced staff! -- Web Hosting With Muscle!
.