On 5/25/19 8:12 PM, mick crane wrote:
On 2019-05-26 00:49, Markos wrote:
Hi,
I made a program (reading_room.tcl), with Sqlite running on Debian 9,
to control the books of a reading room.
I implemented an authentication system for common users and
administrator users in the reading_room program.
Now I want that any user logged in the Linux be able to run the
program reading_room.tcl, which will access the database (books.db)
But I want to protect the file books.db so that only the program
reading_room.tcl can access the books.db file. But that no user could
delete or write to the file books.db (only the program
reading_room.tcl)
Please, how can I configure the system to do that?
How to define the permissions?
I'll have a go, sure I'll get pulled up if off.
read 4, write 2, execute 1 add these together for permissions
owner, group, anybody
I never did anything on a PC with other people having access so I never
made a file only executable by anybody but I don't see why not.
As you wrote reading_room.tcl, presume that belongs to you.
I don't know anything about tcl as yet but assume it's executable as it
is and does something.
You may have a group librarians that want to have read/write access to
reading_room.tcl
Assume you have backups of the files.
guess books.db wants to be 644
"su -"
"chmod 644 books.db"
or if the librarians want write access to it.
"chown you.librarians books.db"
"chmod 664 books.db"
"chown you.librarians reading_room.tcl"
"chmod 771 reading_room.tcl"
mick
I don't believe there is a solution using just read, write, and mode
bits and group membership. (Perhaps, there is a solution if you also
use access control lists?)
Suppose I have a Perl script "shared-program.pl" (sorry, I don't know
TCL) that reads a line from the terminal, lower cases the line, and then
writes the line to the terminal. If the line contains the word "write",
the line is also written to a data file "shared-program.dat":
2019-05-25 20:31:43 dpchrist@tinkywinky ~
$ ll sandbox/perl5/shared-program.pl
-rwxr-xr-x 1 dpchrist dpchrist 267 2019-05-25 20:31:35
sandbox/perl5/shared-program.pl*
2019-05-25 20:31:49 dpchrist@tinkywinky ~
$ cat sandbox/perl5/shared-program.pl
#!/usr/bin/env perl
use strict;
use warnings;
use FindBin qw( $Bin );
use File::Slurp;
use constant DATAFILE => "$Bin/shared-program.dat";
print "$0 >";
my $line = <>;
$line = lc $line;
write_file(DATAFILE, {append => 1}, $line)
if $line =~ /write/;
print $line;
If I run the program as the owner, it works as expected:
2019-05-25 20:34:01 dpchrist@tinkywinky ~
$ sandbox/perl5/shared-program.pl
sandbox/perl5/shared-program.pl >Hi, Dave!
hi, dave!
2019-05-25 20:34:15 dpchrist@tinkywinky ~
$ sandbox/perl5/shared-program.pl
sandbox/perl5/shared-program.pl >write Bye, Dave!
write bye, dave!
2019-05-25 20:35:09 dpchrist@tinkywinky ~
$ ll sandbox/perl5/shared-program.dat
-rw-r--r-- 1 dpchrist dpchrist 17 2019-05-25 20:35:09
sandbox/perl5/shared-program.dat
2019-05-25 20:35:22 dpchrist@tinkywinky ~
$ cat sandbox/perl5/shared-program.dat
write bye, dave!
The mode of 755 on the script allows other group members and all other
users to run the script:
tinkywinky@tinkywinky:~$ /home/dpchrist/sandbox/perl5/shared-program.pl
/home/dpchrist/sandbox/perl5/shared-program.pl >Hello, Tinky Winky!
hello, tinky winky!
But, if I clear the world read bit on the script:
2019-05-25 20:35:24 dpchrist@tinkywinky ~
$ chmod o-r sandbox/perl5/shared-program.pl
2019-05-25 20:38:08 dpchrist@tinkywinky ~
$ ll sandbox/perl5/shared-program.pl
-rwxr-x--x 1 dpchrist dpchrist 267 2019-05-25 20:31:35
sandbox/perl5/shared-program.pl*
Other users are not able to run the script because the Perl interpreter
cannot read the script:
tinkywinky@tinkywinky:~$ /home/dpchrist/sandbox/perl5/shared-program.pl
Can't open perl script "/home/dpchrist/sandbox/perl5/shared-program.pl":
Permission denied
(It might be possible for other users to run binary programs with just
the world execute bit set?)
So, the world mode needs to be read+execute for other users to run
scripts they do not own:
2019-05-25 20:59:32 dpchrist@tinkywinky ~
$ chmod o=rx sandbox/perl5/shared-program.pl
2019-05-25 21:05:53 dpchrist@tinkywinky ~
$ ll sandbox/perl5/shared-program.pl
-rwxr-xr-x 1 dpchrist dpchrist 267 2019-05-25 20:31:35
sandbox/perl5/shared-program.pl*
tinkywinky@tinkywinky:~$ /home/dpchrist/sandbox/perl5/shared-program.pl
/home/dpchrist/sandbox/perl5/shared-program.pl >Blah Blah Blab
blah blah blab
Focusing on the data file, let's add the other user to the file's group:
2019-05-25 20:49:08 root@tinkywinky ~
# usermod -a -G dpchrist tinkywinky
2019-05-25 20:50:33 root@tinkywinky ~
# grep dpchrist /etc/group | grep tinkywinky
dpchrist:x:13250:tinkywinky
Log out and log in again as the other user to obtain the new group
membership.
Enable the group write bit on the data file:
2019-05-25 21:09:45 dpchrist@tinkywinky ~
$ chmod g+w sandbox/perl5/shared-program.dat
2019-05-25 21:11:50 dpchrist@tinkywinky ~
$ ll sandbox/perl5/shared-program.dat
-rw-rw-r-- 1 dpchrist dpchrist 17 2019-05-25 20:35:09
sandbox/perl5/shared-program.dat
Now the script can write to the data file when the script is run by
other users in the same group:
tinkywinky@tinkywinky:~$ /home/dpchrist/sandbox/perl5/shared-program.pl
/home/dpchrist/sandbox/perl5/shared-program.pl >write Yada Yada
write yada yada
tinkywinky@tinkywinky:~$ cat /home/dpchrist/sandbox/perl5/shared-program.dat
write bye, dave!
write yada yada
But, those other users can also trash the data file directly:
tinkywinky@tinkywinky:~$ echo "Muahahahahaha" > /home/dpchrist/sandbox/perl5/shared-program.dat
tinkywinky@tinkywinky:~$ cat /home/dpchrist/sandbox/perl5/shared-program.dat
Muahahahahaha
This is the situation the OP wants to avoid.
David
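As an added illustration of the two replies above (mick's "read 4, write 2, execute 1" arithmetic and David's walk-through of the script and its data file), here is a small Python model of the kernel's mode-bit check. It is not code from the thread or from any of its authors; the users, groups and modes are constructed to mirror David's session, and nothing in it touches the real filesystem. It replays each step of his experiment, including the point he left as a question: a native binary can be executed with only the x bit, but a #! script also needs the r bit because the interpreter reopens the file by path.

```python
"""Model of the Unix owner/group/other mode check (constructed example)."""
from dataclasses import dataclass

R, W, X = 4, 2, 1  # the digits that get added together: read 4, write 2, execute 1


def parse_mode(mode):
    """Return (owner_bits, group_bits, other_bits) from an int (0o664),
    an octal string ("664") or an ls -l string ("rw-rw-r--" / "-rw-rw-r--")."""
    if isinstance(mode, int):
        return ((mode >> 6) & 7, (mode >> 3) & 7, mode & 7)
    if mode.isdigit():
        return parse_mode(int(mode, 8))
    if len(mode) == 10:          # leading file-type character from ls -l
        mode = mode[1:]
    if len(mode) != 9:
        raise ValueError(f"bad mode {mode!r}")
    bits = []
    for i in range(0, 9, 3):
        chunk = mode[i:i + 3]
        bits.append((R if chunk[0] == "r" else 0)
                    | (W if chunk[1] == "w" else 0)
                    | (X if chunk[2] in "xst" else 0))
    return tuple(bits)


@dataclass(frozen=True)
class File:
    owner: str
    group: str
    mode: tuple  # (owner_bits, group_bits, other_bits)


@dataclass(frozen=True)
class Process:
    user: str
    groups: frozenset  # every group the user is a member of


def allowed(proc, f, want):
    """Exactly one class applies, chosen in the order owner, group, other;
    the classes never accumulate. root is omitted: it bypasses mode bits."""
    owner_bits, group_bits, other_bits = f.mode
    if proc.user == f.owner:
        bits = owner_bits
    elif f.group in proc.groups:
        bits = group_bits
    else:
        bits = other_bits
    return bits & want == want


def can_run_binary(proc, binary):
    """A native executable only needs the execute bit."""
    return allowed(proc, binary, X)


def can_run_script(proc, script):
    """A #! script needs x (to exec it) and r (the interpreter reads it)."""
    return allowed(proc, script, X) and allowed(proc, script, R)


def script_can_write_data(proc, script, data):
    """The script runs with the invoking user's uid and gids, so its write
    is checked against that user, not against the script's owner."""
    return can_run_script(proc, script) and allowed(proc, data, W)


def user_can_write_data_directly(proc, data):
    """A shell redirection by the same user is checked the same way."""
    return allowed(proc, data, W)


def replay_thread():
    """Replay David's session; the last two entries are the OP's problem."""
    dave = Process("dpchrist", frozenset({"dpchrist"}))
    tinky = Process("tinkywinky", frozenset({"tinkywinky"}))
    tinky_in_group = Process("tinkywinky", frozenset({"tinkywinky", "dpchrist"}))
    script_755 = File("dpchrist", "dpchrist", parse_mode("rwxr-xr-x"))
    script_751 = File("dpchrist", "dpchrist", parse_mode("rwxr-x--x"))
    data_644 = File("dpchrist", "dpchrist", parse_mode("644"))
    data_664 = File("dpchrist", "dpchrist", parse_mode("664"))
    return {
        "owner runs 755 script": can_run_script(dave, script_755),
        "other user runs 755 script": can_run_script(tinky, script_755),
        "other user runs 751 script": can_run_script(tinky, script_751),
        "other user runs 751 binary": can_run_binary(tinky, script_751),
        "group member, data 644, script write": script_can_write_data(tinky_in_group, script_755, data_644),
        "group member, data 664, script write": script_can_write_data(tinky_in_group, script_755, data_664),
        "group member, data 664, direct write": user_can_write_data_directly(tinky_in_group, data_664),
    }


def no_mode_separates_script_from_shell():
    """Over all 512 modes and all three owner/group/other relationships:
    whenever the script can write the data file, so can the user directly."""
    script = File("dpchrist", "dpchrist", parse_mode("rwxr-xr-x"))
    procs = [Process("dpchrist", frozenset({"dpchrist"})),
             Process("tinkywinky", frozenset({"tinkywinky", "dpchrist"})),
             Process("tinkywinky", frozenset({"tinkywinky"}))]
    for m in range(0o1000):
        data = File("dpchrist", "dpchrist", parse_mode(m))
        for p in procs:
            if script_can_write_data(p, script, data) and not user_can_write_data_directly(p, data):
                return False
    return True


if __name__ == "__main__":
    for step, result in replay_thread().items():
        print(f"{step}: {result}")
    print("mode bits alone can separate script from shell:", not no_mode_separates_script_from_shell())
```

The model deliberately leaves out root and the setuid/setgid bits. Those are precisely the mechanisms that change which credentials a program runs with, which is why David's conclusion holds for plain mode bits: the script's write to books.db is checked against the invoking user, so any mode that lets the script write also lets that user write with a shell redirection.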