Re: creating a user with only read permissions on all files



Maxwell Lol wrote:

Tim Greer <tim@xxxxxxxxxxxxx> writes:

Maxwell Lol wrote:

Rahul <nospam@xxxxxxxxxxxxxx> writes:

Goal: "Create a user that has only read access (no w and x) to
*all* non- root files overriding any permissions users might have
set"

Ah. Sorry for missing that part. So if someone sets a file to 700,
you want this special account to be able to read it.

Perhaps the best thing to do is to use sudo, so your special user
can do commands like ls and more with root permission.

Unfortunately, he wants to be able to read the file, but not be able
to modify it, etc., and most commands you could strictly set sudo
permission to use, could be used to modify the file by the hand of a
malicious user (if that user ever got access to the account

I'm not sure how "ls" would modify a file.

The OP wants to read the file, not list it, and why I replied with the
information I did.

And for "more" to modify a file, that's a good point. He's have to go
into edit mode, and I'm not sure if sudo will prevent this.

They want this via a cronjob, I don't think more would be what they
want, more likely cat, grep, head, tail, or a bunch of others, but you
need to be careful with things like cat. I'm sure the right command
and disallowing arguments to prevent redirecting output or passing
other commands could be safe, too, so yeah, there are other options
with sudo.

I suppose
one could make a "safemore" command that defines EDITOR and VISUAL to
be /bin/true or somesuch.

I am not sure if this is for someone untrusted, or a way for Rahul to
browse without harming a system.

Well, there are a few ways to go about it in a safe way, but it does
need to be carefully done. I agree that I don't think giving any user
access to read only is a great idea across the system if you can't
trust them, but it could be done in any of a few ways to help make it
safer, especially if there's going to be a nopassword cron job doing
it. For that matter, they should create an extra user with no login
possible and just run the cron with sudo for a specific command and it
would add a little extra protection.
--
Tim Greer, CEO/Founder/CTO, BurlyHost.com, Inc.
Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers
and Custom Hosting. 24/7 support, 30 day guarantee, secure servers.
Industry's most experienced staff! -- Web Hosting With Muscle!
.



Relevant Pages

  • Re: creating a user with only read permissions on all files
    ... Perhaps the best thing to do is to use sudo, ... do commands like ls and more with root permission. ... Shared Hosting, Reseller Hosting, Dedicated & Semi-Dedicated servers ...
    (comp.os.linux.misc)
  • Re: [kde-linux] KDE 4 and monitor powering off.
    ... I changed it so that it would run as root since I have to ... I have sudo configured so my normal user has very limited access (some ... commands, with specific parameters. ... The admin user has full passwordless access to do everything root could ...
    (KDE)
  • Re: But Microsoft cant help. At least Microsoft India cant.
    ... If you don't usually log an as an administrator, you might need to do so to run remove.bat, otherwise it may not have permission to delete the files. ... quotes) and press Enter. ... After you paste the above commands, please close the Notepad window. ...
    (microsoft.public.windowsupdate)
  • Re: trouble compiling Midnight Commander
    ... to get the file manager Midnight Commander running on my Mac Pro. ... first tried the Fink version, but that was essentially useless, so now ... sudo commands. ... I issued 'sudo make install' as the last of the commands listed ...
    (comp.sys.mac.apps)
  • Fwd: How to track down which commands sudoers set up?
    ... sent to list proper this time. ... How to track down which commands sudoers set up? ... I believe that sudo can be configured to limit the extent to which the ...
    (Security-Basics)