<p dir="ltr">Yeah. Both names and binaries change often. </p>
<p dir="ltr">I typically have a script they can run that calls sudo internally. The script does the sudo su - userfoo and calls the supplied binary with the supplied params to run as userfoo. Users are blocked from just running sudo su as they don't have the root or userfoo password.</p>
<div class="gmail_quote">On May 16, 2016 6:01 PM, "DJ-Pfulio" <<a href="mailto:DJPfulio@jdpfu.com">DJPfulio@jdpfu.com</a>> wrote:<br type="attribution"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Binary names change daily or just the binaries? I don't really see this<br>
as an issue. You'll want to have sudo call a script that you wrote (not<br>
the devs) anyway.<br>
<br>
On 05/16/16 17:12, Jim Kinney wrote:<br>
> I like the sudo (used it many times) but the binaries are changing<br>
> daily. Yes, can grant sudo as user foo to contents of folder bar and<br>
> that may be part of the solution.<br>
><br>
> On Mon, 2016-05-16 at 17:02 -0400, DJ-Pfulio wrote:<br>
>> sudo isn't just to get access to the root account. It works great to<br>
>> access other accounts, if configured for that.<br>
>><br>
>> I've done some fairly complex things with sudo to provide access to<br>
>> other accounts (non-root) for thousands of end users who needed to run a<br>
>> few different programs as different userids. We controlled which options<br>
>> were allowed too - sudo has config options for that as well. By far, this<br>
>> would be the easiest answer.<br>
>><br>
>> On 05/16/16 16:43, DJ-Pfulio wrote:<br>
>>> Force the processes to run under a different userid that is locked<br>
>>> down. Users would use sudo to access that other account and launch<br>
>>> the program(s) with approved options only. Nothing else. That user<br>
>>> account could have access to create an LV for all temporary data, if<br>
>>> you wanted to go crazy. Just don't let their normal userids have<br>
>>> access to the temporary areas. Are the programs developed in-house?<br>
>>> Hard to stop the devs from making debug stuff write wherever they<br>
>>> want.<br>
>>><br>
>>> On 05/16/16 10:48, Jim Kinney wrote:<br>
>>>> I'm trying to envision a process that will have some funky<br>
>>>> permissions in play and would appreciate ideas. Data is sensitive<br>
>>>> and stored in encrypted partition. Only users in the approved group<br>
>>>> can read in that folder. They need to run that data through custom<br>
>>>> code that may do temporary writes somewhere. That will need to be<br>
>>>> locked down and either encrypted or overwritten after use (or both).<br>
>>>> This is the easy part. I need to prevent that data from being<br>
>>>> written/copied anywhere else even if they have write permission<br>
>>>> (home dir). I run CentOS 7 systems so I have selinux. However, once<br>
>>>> this scales off the individual research system to the cluster, I've<br>
>>>> disabled selinux on the cluster for performance reasons. I can<br>
>>>> activate it if the encrypted folders are mounted and limit runs to<br>
>>>> specific nodes if always running. So I'm seeing (sort of. Not fully<br>
>>>> thought out yet) a rule that allows data read with binaries of a<br>
>>>> particular type that can only write to particular folders. Note that<br>
>>>> the final output of the data run is not sensitive but intermediate<br>
>>>> data may be. To run a process requires writing the binary to a specific<br>
>>>> folder. That folder forces all contents to be special type that is<br>
>>>> subject to selinux rule. Can't allow users to directly read the<br>
>>>> files in order to disallow 'cat file > newfile' to disallowed<br>
>>>> folder. Data files are (currently) video and output is ascii text so<br>
>>>> it's possible to check file types on output before allowed to copy<br>
>>>> to new folder. However, the input data files may be ascii for a<br>
>>>> different group's work.<br>
>>>> _______________________________________________ Ale mailing list<br>
>>>> <a href="mailto:Ale@ale.org">Ale@ale.org</a> <mailto:<a href="mailto:Ale@ale.org">Ale@ale.org</a>><br>
>>>> <a href="http://mail.ale.org/mailman/listinfo/ale" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo/ale</a> See JOBS, ANNOUNCE and<br>
>>>> SCHOOLS lists at <a href="http://mail.ale.org/mailman/listinfo" rel="noreferrer" target="_blank">http://mail.ale.org/mailman/listinfo</a><br>
>><br>
>><br>
>><br>
> --<br>
> James P. Kinney III<br>
><br>
> Every time you stop a school, you will have to build a jail. What you<br>
> gain at one end you lose at the other. It's like feeding a dog on his<br>
> own tail. It won't fatten the dog.<br>
> - Speech 11/23/1900 Mark Twain<br>
><br>
> <a href="http://heretothereideas.blogspot.com/" rel="noreferrer" target="_blank">http://heretothereideas.blogspot.com/</a><br>
><br>
><br>
><br>
><br>
<br>
<br>
--<br>
Got Linux? Used on smartphones, tablets, desktop computers, media<br>
centers, and servers by kids, Moms, Dads, grandparents and IT<br>
professionals.<br>
</blockquote></div>
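<p dir="ltr">As an added illustration of the wrapper-plus-sudo arrangement discussed in this thread (this is editorial example code, not a script posted by Jim, DJ-Pfulio or anyone else on the list): a wrapper that lets members of a group run only the programs in an approved folder as a locked-down account. It uses <code>sudo -u</code> rather than <code>sudo su -</code>, so the callers never need a rule for <code>su</code>. The account name <code>userfoo</code>, the folder <code>/opt/bar/bin</code>, the group <code>approved</code> and the sudoers line shown in the comments are all assumptions made for the example; the thread names none of them.</p>

```shell
#!/bin/sh
# runas-foo: run one approved program as another account via sudo.
# Added example for this thread, not code posted by anyone in it.
# Assumed (not from the thread): the target account is "userfoo", the
# approved binaries live in /opt/bar/bin (root-owned, not writable by the
# callers), and /etc/sudoers carries only this rule for the callers' group:
#
#   %approved ALL=(userfoo) NOPASSWD: /opt/bar/bin/
#
# A trailing slash in sudoers matches any file directly in that directory,
# so the callers get the folder's contents as userfoo and nothing else;
# with no rule covering "su", "sudo su - userfoo" is refused.

RUNAS_USER="${RUNAS_USER:-userfoo}"
APPROVED_DIR="${APPROVED_DIR:-/opt/bar/bin}"

# approved_binary DIR NAME
# Succeed only if NAME is a bare file name and DIR/NAME resolves (symlinks
# followed) to an executable regular file directly inside DIR. This rejects
# "../other/tool", "sub/tool" and a symlink planted in DIR that points out.
approved_binary() {
    dir=$1
    name=$2
    case "$name" in
        ''|*/*|.|..) return 1 ;;
    esac
    dirres=$(readlink -f -- "$dir") || return 1
    target=$(readlink -f -- "$dir/$name") || return 1
    [ "$(dirname -- "$target")" = "$dirres" ] || return 1
    [ -f "$target" ] && [ -x "$target" ]
}

# valid_arg ARG
# Conservative allow-list for what may be passed through to the program:
# letters, digits and . _ / = : , -  only (no spaces, quotes, shell
# metacharacters or newlines).
valid_arg() {
    case "$1" in
        *[!A-Za-z0-9._/=:,-]*) return 1 ;;
    esac
    return 0
}

# run_as_user NAME [ARG...]
run_as_user() {
    name=$1
    shift
    if ! approved_binary "$APPROVED_DIR" "$name"; then
        echo "refused: $name is not an approved program in $APPROVED_DIR" >&2
        return 1
    fi
    for a in "$@"; do
        if ! valid_arg "$a"; then
            echo "refused: argument '$a' contains disallowed characters" >&2
            return 1
        fi
    done
    # -n: never prompt (the callers have no password for userfoo or root);
    # -u: target account; "--": end of sudo options, so a first program
    # argument such as -i is not parsed by sudo. The program is named by its
    # full path, which is also what the sudoers rule above matches.
    exec sudo -n -u "$RUNAS_USER" -- "$APPROVED_DIR/$name" "$@"
}

# Run only when invoked with arguments, so the file can also be sourced to
# reuse the checks above.
if [ "$#" -gt 0 ]; then
    run_as_user "$@"
fi
```

<p dir="ltr">The enforcement point is still sudoers plus the ownership of the approved folder: the wrapper is a convenience and a second check, not the thing that stops <code>sudo su</code>. If the options also need to be pinned down, sudoers can list them per command (<code>/opt/bar/bin/tool -v ""</code> allows only that exact invocation, and a trailing <code>""</code> means no arguments at all); be careful with wildcards there, since <code>*</code> in a sudoers argument list can match strings containing spaces and therefore additional arguments.</p>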