[ale] Write permission

Jim Kinney jim.kinney at gmail.com
Mon May 16 11:56:24 EDT 2016


I'm digging into that as well. But it's not granular enough. Unless I
create a new group that owns the binaries and data and that is the
limiting group.
Hmm.
On Mon, 2016-05-16 at 11:11 -0400, Jerald Sheets wrote:
> Extended File Access?
> 
> getfacl
> setfacl
> 
> 
> all that?
> 
> GAWD I need a refresher before updating my RHCE….
> 
> 
> —j
> 
> > On May 16, 2016, at 10:48 AM, Jim Kinney <jim.kinney at gmail.com>
> > wrote:
> > 
> > I'm trying to envision a process that will have some funky
> > permissions in play and would appreciate ideas.
> > Data is sensitive and stored in encrypted partition. Only users in
> > the approved group can read in that folder.
> > They need to run that data through custom code that may do
> > temporary writes somewhere. That will need to be locked down and
> > either encrypted or overwritten after use (or both). This is the
> > easy part.
> > I need to prevent that data from being written/copied anywhere else
> > even if they have write permission (home dir).
> > I run CentOS 7 systems so I have selinux. However, once this scales
> > off the individual research system to the cluster, I've disabled
> > selinux on the cluster for performance reasons. I can activate it
> > if the encrypted folders are mounted and limit runs to specific
> > nodes if always running.
> > So I'm seeing (sort of. Not fully thought out yet) a rule that
> > allows data read with binaries of a particular type that can only
> > write to particular folders. Note that the final output of the data
> > run is not sensitive but intermediate data may be. To run a process
> > requires writing binary to specific folder. That folder forces all
> > contents to be special type that is subject to selinux rule.
> > Can't allow users to directly read the files in order to disallow
> > 'cat file > newfile' to disallowed folder.
> > Data files are (currently) video and output is ascii text so it's
> > possible to check file types on output before allowed to copy to
> > new folder.
> > However, the input data files may be ascii for a different group's
> > work.
> > _______________________________________________
> > Ale mailing list
> > Ale at ale.org
> > http://mail.ale.org/mailman/listinfo/ale
> > See JOBS, ANNOUNCE and SCHOOLS lists at
> > http://mail.ale.org/mailman/listinfo
-- 
James P. Kinney III

Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain

http://heretothereideas.blogspot.com/
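Jim's note that the output is ASCII text while the input is video suggests an export gate: results leave the scratch area only after a content check. The script below is an added example written for this archive page, not code from anyone in the thread. It assumes a constructed layout (a scratch directory for intermediates and a separate export directory, both created with mktemp) and checks every byte of a candidate file rather than trusting its extension; it also refuses symlinks and anything outside the scratch directory, since either could be used to route the protected input through the gate. As Jim points out, it cannot help when a group's input data is itself ASCII text.

```shell
#!/bin/sh
# Added example, not code from the thread: an "export gate" implementing the
# idea of checking a result's file type before it may leave the restricted
# scratch area. Directory names and sample files are constructed for the
# demo and assume nothing about the real cluster layout.

SCRATCH_DIR=$(mktemp -d)      # where the custom code writes intermediates
EXPORT_DIR=$(mktemp -d)       # where non-sensitive ASCII results may go

# Succeed only if every byte of the file is printable ASCII, TAB, LF or CR.
# tr deletes the allowed bytes; any byte that survives is disallowed.
is_ascii_text() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    left=$(( $(LC_ALL=C tr -d '\11\12\15\40-\176' < "$f" | wc -c) ))
    [ "$left" -eq 0 ]
}

# Copy one result out of the scratch directory. Refuses paths outside
# SCRATCH_DIR, symlinks (which could point at the protected input) and
# anything that is not ASCII text. Returns 0 on success, 1 when refused.
export_result() {
    src=$1
    case $src in
        "$SCRATCH_DIR"/*) ;;
        *) printf 'refused: %s is outside %s\n' "$src" "$SCRATCH_DIR" >&2
           return 1 ;;
    esac
    if [ -L "$src" ]; then
        printf 'refused: %s is a symlink\n' "$src" >&2
        return 1
    fi
    if ! is_ascii_text "$src"; then
        printf 'refused: %s is not ASCII text\n' "$src" >&2
        return 1
    fi
    name=$(basename "$src")
    cp "$src" "$EXPORT_DIR/$name" && chmod 0640 "$EXPORT_DIR/$name"
}

# Constructed sample outputs: a text summary, a binary-looking blob, and a
# symlink to the summary (the kind of indirection the gate must refuse).
printf 'frame,count\n1,42\n2,17\n' > "$SCRATCH_DIR/summary.csv"
printf '\000\001\002RIFF\377' > "$SCRATCH_DIR/clip.bin"
ln -s "$SCRATCH_DIR/summary.csv" "$SCRATCH_DIR/link.csv"

export_result "$SCRATCH_DIR/summary.csv" && echo "exported summary.csv"
export_result "$SCRATCH_DIR/clip.bin"    || echo "clip.bin blocked"
export_result "$SCRATCH_DIR/link.csv"    || echo "link.csv blocked"
```

The byte-level check is deliberately stricter than `file`, which guesses from a prefix; a file that is mostly text with a binary payload appended would pass a heuristic but fails here. On the real system the gate would run under a dedicated account with write access to the export directory, so that the group working with the data cannot copy out of the scratch area themselves.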
