[ale] Write permission

Ted W. ted-lists at xy0.org
Mon May 16 18:33:12 EDT 2016


The first thing that came to mind here was an SELinux policy that 
assigns all files in your executable directory (/foo) to a custom role 
and that role only has write access to locations of a specific type. 
But... then you said you disable it so if there's really a valid reason 
for that then so be it.

Only other things I can think of are along the lines of what others have 
already suggested. Chown all of the files in /foo to a user and then 
either use setuid or sudo to restrict where those files can write to.

On 05/16/2016 10:48 AM, Jim Kinney wrote:
> I'm trying to envision a process that will have some funky permissions
> in play and would appreciate ideas.
>
> Data is sensitive and stored in encrypted partition. Only users in the
> approved group can read in that folder.
>
> They need to run that data through custom code that may do temporary
> writes somewhere. That will need to be locked down and either encrypted
> or overwritten after use (or both). This is the easy part.
>
> I need to prevent that data from being written/copied anywhere else even
> if they have write permission (home dir).
>
> I run CentOS 7 systems so I have selinux. However, once this scales off
> the individual research system to the cluster, I've disabled selinux on
> the cluster for performance reasons. I can activate it if the encrypted
> folders are mounted and limit runs to specific nodes if always running.
>
> So I'm seeing (sort of. Not fully thought out yet) a rule that allows
> data read with binaries of a particular type that can only write to
> particular folders. Note that the final output of the data run is not
> sensitive but intermediate data may be. To run a process requires
> writing binary to specific folder. That folder forces all contents to be
> special type that is subject to selinux rule.
>
> Can't allow users to directly read the files in order to disallow 'cat
> file > newfile' to disallowed folder.
>
> Data files are (currently) video and output is ascii text so it's
> possible to check file types on output before allowed to copy to new folder.
>
> However, the input data files may be ascii for a different group's work.
>
>
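
The SELinux approach from the reply above, written out as a reference-policy module. This is an added example, not code from the thread: the type names and the /srv/research paths are hypothetical (only /foo comes from the post), and it assumes the users are mapped to the confined SELinux user user_u (domain user_t) rather than CentOS 7's default unconfined_u.

```selinux
# research_runner.te (added example; every type name here is hypothetical)
policy_module(research_runner, 1.0.0)

gen_require(`
	type user_t;
	role user_r;
')

# Domain the analysis code runs in, and the entry-point type
# carried by every file under the executable directory (/foo).
type research_t;
type research_exec_t;
application_domain(research_t, research_exec_t)

# Sensitive input data, and the one type the process may write to.
type research_data_t;
files_type(research_data_t)
type research_scratch_t;
files_type(research_scratch_t)

# A confined login user reaches research_t only by executing a
# file labelled research_exec_t.
domtrans_pattern(user_t, research_exec_t, research_t)
role user_r types research_t;

# research_t may list and read the sensitive data, nothing more.
list_dirs_pattern(research_t, research_data_t, research_data_t)
read_files_pattern(research_t, research_data_t, research_data_t)

# research_t may create, write and delete only under the scratch type.
manage_dirs_pattern(research_t, research_scratch_t, research_scratch_t)
manage_files_pattern(research_t, research_scratch_t, research_scratch_t)

# This module adds no rule that lets user_t open research_data_t,
# and no rule that lets research_t write to home directories.

# Companion research_runner.fc (paths other than /foo are assumed):
#   /foo(/.*)?                   gen_context(system_u:object_r:research_exec_t,s0)
#   /srv/research/data(/.*)?     gen_context(system_u:object_r:research_data_t,s0)
#   /srv/research/scratch(/.*)?  gen_context(system_u:object_r:research_scratch_t,s0)
#
# Build and load with the selinux-policy-devel Makefile, then relabel:
#   make -f /usr/share/selinux/devel/Makefile research_runner.pp
#   semodule -i research_runner.pp
#   restorecon -R /foo /srv/research
```

With SELinux disabled on a node, as on the cluster described in the original question, none of these rules are enforced there.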

