[ale] Write permission

Jim Kinney jim.kinney at gmail.com
Mon May 16 18:10:55 EDT 2016


Yeah. Both names and binaries change often.

I typically have a script that calls sudo internally they can run. The
script does the sudo su - userfoo and calls the supplied binary with
supplied params to run as userfoo. Users are blocked from just running sudo
su as they don't have root or userfoo password.
On May 16, 2016 6:01 PM, "DJ-Pfulio" <DJPfulio at jdpfu.com> wrote:

> Binary names change daily or just the binaries? I don't really see this
> as an issue. You'll want to have sudo call a script that you wrote (not
> the devs) anyway.
>
> On 05/16/16 17:12, Jim Kinney wrote:
> > I like the sudo (used it many times) but the binaries are changing
> > daily. Yes, can grant sudo as user foo to contents of folder bar and
> > that may be part of the solution.
> >
> > On Mon, 2016-05-16 at 17:02 -0400, DJ-Pfulio wrote:
> >> sudo isn't just to get access to the root account. It works great to
> >> access other accounts, if configured for that.
> >>
> >> I've done some fairly complex things with sudo to provide access to
> >> other accounts (non-root) for thousands of end users who needed to run a
> >> few different programs as different userids. We controlled which options
> >> were allowed too - sudo has config options for that as well. By far, this
> >> would be the easiest answer.
> >>
> >> On 05/16/16 16:43, DJ-Pfulio wrote:
> >>> Force the processes to run under a different userid that is locked
> >>> down. Users would use sudo to access that other account and launch
> >>> the program(s) with approved options only. Nothing else. That user
> >>> account could have access to create an LV for all temporary data, if
> >>> you wanted to go crazy. Just don't let their normal userids have
> >>> access to the temporary areas. Are the programs developed in-house?
> >>> Hard to stop the devs from making debug stuff write wherever they
> >>> want.
> >>>
> >>> On 05/16/16 10:48, Jim Kinney wrote:
> >>>> I'm trying to envision a process that will have some funky
> >>>> permissions in play and would appreciate ideas. Data is sensitive
> >>>> and stored in encrypted partition. Only users in the approved group
> >>>> can read in that folder. They need to run that data through custom
> >>>> code that may do temporary writes somewhere. That will need to be
> >>>> locked down and either encrypted or overwritten after use (or both).
> >>>> This is the easy part. I need to prevent that data from being
> >>>> written/copied anywhere else even if they have write permission
> >>>> (home dir). I run CentOS 7 systems so I have selinux. However, once
> >>>> this scales off the individual research system to the cluster, I've
> >>>> disabled selinux on the cluster for performance reasons. I can
> >>>> activate it if the encrypted folders are mounted and limit runs to
> >>>> specific nodes if always running. So I'm seeing (sort of. Not fully
> >>>> thought out yet) a rule that allows data read with binaries of a
> >>>> particular type that can only write to particular folders. Note that
> >>>> the final output of the data run is not sensitive but intermediate
> >>>> data may be. To run a process requires writing binary to specific
> >>>> folder. That folder forces all contents to be special type that is
> >>>> subject to selinux rule. Can't allow users to directly read the
> >>>> files in order to disallow 'cat file > newfile' to disallowed
> >>>> folder. Data files are (currently) video and output is ascii text so
> >>>> it's possible to check file types on output before allowed to copy
> >>>> to new folder. However, the input data files may be ascii for a
> >>>> different group's work.
> >>>> _______________________________________________ Ale mailing list
> >>>> Ale at ale.org <mailto:Ale at ale.org>
> >>>> http://mail.ale.org/mailman/listinfo/ale See JOBS, ANNOUNCE and
> >>>> SCHOOLS lists at http://mail.ale.org/mailman/listinfo
> >>
> >>
> >>
> > --
> > James P. Kinney III
> >
> > Every time you stop a school, you will have to build a jail. What you
> > gain at one end you lose at the other. It's like feeding a dog on his
> > own tail. It won't fatten the dog.
> > - Speech 11/23/1900 Mark Twain
> >
> > http://heretothereideas.blogspot.com/
> >
> >
> >
>
>
> --
> Got Linux? Used on smartphones, tablets, desktop computers, media
> centers, and servers by kids, Moms, Dads, grandparents and IT
> professionals.
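One way to build the wrapper Jim describes, as an added example that is not from the thread: the wrapper is the only command the approved group may run as the service account through sudo, and it refuses anything that is not a regular executable sitting directly inside the approved folder. The account name userfoo, the folder /opt/approved-bin, the scratch path and the sudoers entry are assumptions.

```shell
#!/bin/sh
# run-as-userfoo: the only command the approved group may run as the locked-down
# account "userfoo" (assumed name). Matching sudoers entry, assumed to live in
# /etc/sudoers.d/userfoo:
#   %approved ALL=(userfoo) NOPASSWD: /usr/local/bin/run-as-userfoo
# Users invoke:  sudo -u userfoo /usr/local/bin/run-as-userfoo <name> [args...]
# They never get a shell as userfoo or its password, and the devs can swap
# binaries in the folder daily without anyone touching sudoers.

APPROVED_DIR="${APPROVED_DIR:-/opt/approved-bin}"          # assumed folder
SCRATCH_DIR="${SCRATCH_DIR:-/var/lib/userfoo/scratch}"     # assumed temp area

# resolve_approved NAME: print the real path of NAME if it is a plain file name
# that resolves to a regular, executable file directly inside APPROVED_DIR;
# return 1 otherwise. Path separators, '.', '..' and symlinks pointing out of
# the folder are rejected, so the caller cannot aim the wrapper at /bin/sh or
# at a binary in their own home directory.
resolve_approved() {
    name=$1
    case "$name" in
        ''|*/*|.|..) return 1 ;;
    esac
    approved_real=$(readlink -f -- "$APPROVED_DIR") || return 1
    real=$(readlink -f -- "$APPROVED_DIR/$name") || return 1
    case "$real" in
        "$approved_real"/*) ;;
        *) return 1 ;;
    esac
    [ -f "$real" ] && [ -x "$real" ] || return 1
    printf '%s\n' "$real"
}

main() {
    bin=$(resolve_approved "$1") || {
        echo "run-as-userfoo: '$1' is not an approved binary" >&2
        exit 1
    }
    shift
    # Start in the scratch area only userfoo can reach so relative-path writes
    # land there, record who asked for what, then replace this shell with the
    # approved binary so no wrapper code stays between the user and the run.
    cd "$SCRATCH_DIR" || exit 1
    logger -t run-as-userfoo "${SUDO_USER:-unknown} ran $bin" 2>/dev/null
    exec "$bin" "$@"
}

if [ $# -gt 0 ]; then
    main "$@"
fi
```

The wrapper itself must be root-owned and not writable by the approved group, or the sudoers entry grants whatever someone later writes into it.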