Many thanks to Mick, David and Joe,
To guarantee "some" protection to the file containing the database I
decided to use the following strategy:
I created, as root, the directory /home/reading_room
And activated the "sticky bit" of the reading_room directory with the
command:
chmod +t /home/reading_room/
And transferred the files to the new directory with the following
access permissions:
reading_room.tcl rwxr--r-x (owner markos)
reading_room.db rw-r--rw- (owner markos)
This way other users can run the reading_room.tcl program but can't
edit it.
And can't delete the files (.tcl or .db).
Trying to protect against Murphy, but not Machiavelli.
Thank you,
Markos
On 26-05-2019 02:06, mick crane wrote:
On 2019-05-26 05:32, David Christensen wrote:
On 5/25/19 8:12 PM, mick crane wrote:
On 2019-05-26 00:49, Markos wrote:
Hi,
I made a program (reading_room.tcl), with Sqlite running on Debian 9,
to control the books of a reading room.
I implemented an authentication system for common users and
administrator users in the reading_room program.
Now I want any user logged in to Linux to be able to run the
program reading_room.tcl, which will access the database (books.db).
But I want to protect the file books.db so that only the program
reading_room.tcl can access the books.db file, and so that no user can
delete or write to the file books.db (only the program
reading_room.tcl).
Please, how can I configure the system to do that?
How to define the permissions?
I'll have a go, sure I'll get pulled up if off.
read 4, write 2, execute 1?? add these together for permissions
owner, group, anybody
I never did anything on a PC with other people having access so I
never made a file only executable by anybody but I don't see why not.
As you wrote reading_room.tcl, I presume that belongs to you.
I don't know anything about tcl as yet but assume it's executable as
it is and does something.
You may have a group librarians that want to have read/write access
to reading_room.tcl
Assume you have backups of the files.
guess books.db wants to be 644
"su -"
"chmod 644 books.db"
??or if the librarians want write access to it.
"chown you.librarians books.db"
"chmod 664 books.db"
"chown you.librarians reading_room.tcl"
"chmod 771 reading_room.tcl"
mick
I don't believe there is a solution using just read, write, and mode
bits and group membership. (Perhaps, there is a solution if you also
use access control lists?)
Suppose I have a Perl script "shared-program.pl" (sorry, I don't know
TCL) that reads a line from the terminal, lower cases the line, and
then writes the line to the terminal. If the line contains the word
"write", the line is also written to a data file "shared-program.dat":
2019-05-25 20:31:43 dpchrist@tinkywinky ~
$ ll sandbox/perl5/shared-program.pl
-rwxr-xr-x 1 dpchrist dpchrist 267 2019-05-25 20:31:35 sandbox/perl5/shared-program.pl*
2019-05-25 20:31:49 dpchrist@tinkywinky ~
$ cat sandbox/perl5/shared-program.pl
#!/usr/bin/env perl
use strict;
use warnings;
use FindBin qw( $Bin );      # $Bin = directory containing this script
use File::Slurp;             # provides write_file(); CPAN module
use constant DATAFILE => "$Bin/shared-program.dat";
print "$0 >";
my $line = <>;               # read one line from the terminal
$line = lc $line;
write_file(DATAFILE, {append => 1}, $line)   # append to the data file
    if $line =~ /write/;
print $line;
If I run the program as the owner, it works as expected:
2019-05-25 20:34:01 dpchrist@tinkywinky ~
$ sandbox/perl5/shared-program.pl
sandbox/perl5/shared-program.pl >Hi, Dave!
hi, dave!
2019-05-25 20:34:15 dpchrist@tinkywinky ~
$ sandbox/perl5/shared-program.pl
sandbox/perl5/shared-program.pl >write Bye, Dave!
write bye, dave!
2019-05-25 20:35:09 dpchrist@tinkywinky ~
$ ll sandbox/perl5/shared-program.dat
-rw-r--r-- 1 dpchrist dpchrist 17 2019-05-25 20:35:09 sandbox/perl5/shared-program.dat
2019-05-25 20:35:22 dpchrist@tinkywinky ~
$ cat sandbox/perl5/shared-program.dat
write bye, dave!
The mode of 755 on the script allows other group members and all other
users to run the script:
tinkywinky@tinkywinky:~$ /home/dpchrist/sandbox/perl5/shared-program.pl
/home/dpchrist/sandbox/perl5/shared-program.pl >Hello, Tinky Winky!
hello, tinky winky!
But, if I clear the world read bit on the script:
2019-05-25 20:35:24 dpchrist@tinkywinky ~
$ chmod o-r sandbox/perl5/shared-program.pl
2019-05-25 20:38:08 dpchrist@tinkywinky ~
$ ll sandbox/perl5/shared-program.pl
-rwxr-x--x 1 dpchrist dpchrist 267 2019-05-25 20:31:35 sandbox/perl5/shared-program.pl*
Other users are not able to run the script because the Perl
interpreter cannot read the script:
tinkywinky@tinkywinky:~$ /home/dpchrist/sandbox/perl5/shared-program.pl
Can't open perl script "/home/dpchrist/sandbox/perl5/shared-program.pl": Permission denied
(It might be possible for other users to run binary programs with just
the world execute bit set?)
So, the world mode needs to be read+execute for other users to run
scripts they do not own:
2019-05-25 20:59:32 dpchrist@tinkywinky ~
$ chmod o=rx sandbox/perl5/shared-program.pl
2019-05-25 21:05:53 dpchrist@tinkywinky ~
$ ll sandbox/perl5/shared-program.pl
-rwxr-xr-x 1 dpchrist dpchrist 267 2019-05-25 20:31:35 sandbox/perl5/shared-program.pl*
tinkywinky@tinkywinky:~$ /home/dpchrist/sandbox/perl5/shared-program.pl
/home/dpchrist/sandbox/perl5/shared-program.pl >Blah Blah Blab
blah blah blab
Focusing on the data file, let's add the other user to the file's group:
2019-05-25 20:49:08 root@tinkywinky ~
# usermod -a -G dpchrist tinkywinky
2019-05-25 20:50:33 root@tinkywinky ~
# grep dpchrist /etc/group | grep tinkywinky
dpchrist:x:13250:tinkywinky
Log out and log in again as the other user to obtain the new group
membership.
Enable the group write bit on the data file:
2019-05-25 21:09:45 dpchrist@tinkywinky ~
$ chmod g+w sandbox/perl5/shared-program.dat
2019-05-25 21:11:50 dpchrist@tinkywinky ~
$ ll sandbox/perl5/shared-program.dat
-rw-rw-r-- 1 dpchrist dpchrist 17 2019-05-25 20:35:09 sandbox/perl5/shared-program.dat
Now the script can write to the data file when the script is run by
other users in the same group:
tinkywinky@tinkywinky:~$ /home/dpchrist/sandbox/perl5/shared-program.pl
/home/dpchrist/sandbox/perl5/shared-program.pl >write Yada Yada
write yada yada
tinkywinky@tinkywinky:~$ cat /home/dpchrist/sandbox/perl5/shared-program.dat
write bye, dave!
write yada yada
But, those other users can also trash the data file directly:
tinkywinky@tinkywinky:~$ echo "Muahahahahaha" > /home/dpchrist/sandbox/perl5/shared-program.dat
tinkywinky@tinkywinky:~$ cat /home/dpchrist/sandbox/perl5/shared-program.dat
Muahahahahaha
This is the situation the OP wants to avoid.
David
Well, that would be people in the supposedly trustworthy librarians group.
I did wonder if an executable file would have to be world readable as
well as executable, but possibly there might be passwords in it, however
that works.
mick@slinky:~$ ls -la test1
---x--x--x 1 mick mick 25 May 26 05:56 test1
mick@slinky:~$ ./test1
/bin/bash: ./test1: Permission denied
Seems Tcl files can be made into self-contained executables, so that might
get over it being readable.
mick
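A shell audit that covers both Markos's final layout at the top of the thread (sticky bit on the directory, reading_room.tcl at rwxr--r-x, reading_room.db at rw-r--rw-) and the point David and mick arrive at below it, that a #! script needs read as well as execute for the class that runs it. This is an added example, not code from anyone in the thread. It rebuilds the layout in a temporary directory and reads the mode bits with GNU stat and find rather than switching users, so it runs on Linux under any one account. The directory mode 1755 (root's default 755 plus chmod +t) and the temporary paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): rebuild the permission layout from
# the discussion in a scratch directory and audit it from the mode bits.
# Assumptions: GNU stat/find (Linux), temporary paths, directory mode 1755.
set -eu

# Octal mode of a path, including special bits, e.g. 646 or 1755.
mode_of() { stat -c '%a' "$1"; }

# Permission digit of the "other" class: the last octal digit.
other_digit() { m=$(mode_of "$1"); printf '%s\n' "${m#"${m%?}"}"; }

# Build the layout: sticky directory, reading_room.tcl rwxr--r-x (745),
# reading_room.db rw-r--rw- (646). Prints the directory path.
setup_demo() {
  d=$(mktemp -d)
  chmod 1755 "$d"                      # "chmod +t" on a 755 directory
  printf '#!/usr/bin/tclsh\nputs "hello"\n' > "$d/reading_room.tcl"
  : > "$d/reading_room.db"
  chmod 745 "$d/reading_room.tcl"
  chmod 646 "$d/reading_room.db"
  printf '%s\n' "$d"
}

# Basenames of files under $1 that carry the o+w bit, i.e. that any
# account may overwrite. The parent's sticky bit does not change this.
world_writable() { find "$1" -type f -perm -002 | sed 's:.*/::' | sort; }

# Whether "other" can run a #! script: the interpreter has to open the
# file, so r and x are both needed. x alone is what mick's ---x--x--x
# test1 had, and it fails with "Permission denied".
other_can_run_script() {
  case $(other_digit "$1") in
    5|7) echo yes ;;
    1|3) echo "no (execute without read)" ;;
    *)   echo no ;;
  esac
}

# Whether "other" can change the file's contents: the file mode alone.
other_can_write() {
  case $(other_digit "$1") in 2|3|6|7) echo yes ;; *) echo no ;; esac
}

# Whether "other" can unlink or rename an entry in directory $1: needs w
# on the directory, and with the sticky bit set the caller must also own
# the entry or the directory (assumed false for a third user).
other_can_unlink_in() {
  case $(mode_of "$1") in [1357]???) sticky=yes ;; *) sticky=no ;; esac
  case $(other_digit "$1") in 2|3|6|7) dir_w=yes ;; *) dir_w=no ;; esac
  if [ "$dir_w" = no ]; then echo "no (directory not writable)"
  elif [ "$sticky" = yes ]; then echo "no (sticky bit)"
  else echo yes
  fi
}

# Usage: build the layout, report on it, clean up.
demo=$(setup_demo)
echo "directory $demo mode $(mode_of "$demo")"
echo "world-writable files:  $(world_writable "$demo" | tr '\n' ' ')"
echo "other can run .tcl:    $(other_can_run_script "$demo/reading_room.tcl")"
echo "other can write .db:   $(other_can_write "$demo/reading_room.db")"
echo "other can unlink here: $(other_can_unlink_in "$demo")"
rm -rf "$demo"
```

Run it as any user. world_writable lists files by their own o+w bit, which the sticky bit on the parent directory does not affect; other_can_run_script separates the r-x case from the --x case mick tried; and other_can_unlink_in shows that the sticky bit only comes into play once the directory itself is writable by others, which a 1755 directory is not.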