[ale] Write permission

DJ-Pfulio DJPfulio at jdpfu.com
Mon May 16 17:58:13 EDT 2016


Binary names change daily or just the binaries? I don't really see this
as an issue. You'll want to have sudo call a script that you wrote (not
the devs) anyway.

On 05/16/16 17:12, Jim Kinney wrote:
> I like the sudo (used it many times) but the binaries are changing
> daily. Yes, can grant sudo as user foo to contents of folder bar and
> that may be part of the solution.
> 
> On Mon, 2016-05-16 at 17:02 -0400, DJ-Pfulio wrote:
>> sudo isn't just to get access to the root account. It works great to
>> access other accounts, if configured for that.
>>
>> I've done some fairly complex things with sudo to provide access to
>> other accounts (non-root) for thousands of end users who needed to run a
>> few different programs as different userids. We controlled which options
>> were allowed too - sudo has config options for that as well. By far, this
>> would be the easiest answer.
>>
>> On 05/16/16 16:43, DJ-Pfulio wrote:
>>> Force the processes to run under a different userid that is locked
>>> down. Users would use sudo to access that other account and launch
>>> the program(s) with approved options only. Nothing else. That user
>>> account could have access to create an LV for all temporary data, if
>>> you wanted to go crazy. Just don't let their normal userids have
>>> access to the temporary areas. Are the programs developed in-house?
>>> Hard to stop the devs from making debug stuff write wherever they
>>> want.
>>>
>>> On 05/16/16 10:48, Jim Kinney wrote:
>>>> I'm trying to envision a process that will have some funky
>>>> permissions in play and would appreciate ideas. Data is sensitive
>>>> and stored in encrypted partition. Only users in the approved group
>>>> can read in that folder. They need to run that data through custom
>>>> code that may do temporary writes somewhere. That will need to be
>>>> locked down and either encrypted or overwritten after use (or both).
>>>> This is the easy part. I need to prevent that data from being
>>>> written/copied anywhere else even if they have write permission
>>>> (home dir). I run CentOS 7 systems so I have selinux. However, once
>>>> this scales off the individual research system to the cluster, I've
>>>> disabled selinux on the cluster for performance reasons. I can
>>>> activate it if the encrypted folders are mounted and limit runs to
>>>> specific nodes if always running. So I'm seeing (sort of. Not fully
>>>> thought out yet) a rule that allows data read with binaries of a
>>>> particular type that can only write to particular folders. Note that
>>>> the final output of the data run is not sensitive but intermediate
>>>> data may be. To run a process requires writing binary to specific
>>>> folder. That folder forces all contents to be special type that is
>>>> subject to selinux rule. Can't allow users to directly read the
>>>> files in order to disallow 'cat file > newfile' to disallowed
>>>> folder. Data files are (currently) video and output is ascii text so
>>>> it's possible to check file types on output before allowed to copy
>>>> to new folder. However, the input data files may be ascii for a
>>>> different group's work.
>>>> _______________________________________________
>>>> Ale mailing list
>>>> Ale at ale.org
>>>> http://mail.ale.org/mailman/listinfo/ale
>>>> See JOBS, ANNOUNCE and SCHOOLS lists at http://mail.ale.org/mailman/listinfo
>>
>>
>>
> -- 
> James P. Kinney III
> 
> Every time you stop a school, you will have to build a jail. What you
> gain at one end you lose at the other. It's like feeding a dog on his
> own tail. It won't fatten the dog.
> - Speech 11/23/1900 Mark Twain
> 
> http://heretothereideas.blogspot.com/


-- 
Got Linux? Used on smartphones, tablets, desktop computers, media
centers, and servers by kids, Moms, Dads, grandparents and IT
professionals.
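A concrete form of the arrangement DJ-Pfulio describes (sudo lets the approved group run one admin-owned wrapper as a locked-down service account, and the wrapper passes only approved options to the in-house tool), written as an added example that is not part of the thread. The `datarunner` account, the `%approved` group, the sudoers line and every path and tool name in it are assumptions chosen for illustration; the wrapper itself is root-owned so the daily-changing dev binaries never need to appear in sudoers.

```shell
#!/bin/sh
# Added example, not from the thread: /usr/local/bin/run-analysis, a wrapper
# owned by root (mode 0755) that sudo lets the approved group run as the
# locked-down account.  Hypothetical sudoers entry, installed with visudo:
#
#   %approved ALL=(datarunner) NOPASSWD: /usr/local/bin/run-analysis
#
# Members of %approved then run, for example:
#   sudo -u datarunner /usr/local/bin/run-analysis --threads=4 \
#        --input=/data/secure/sample.mp4 --output=/data/output/sample.txt
#
# All account names, paths and the tool path below are assumptions.
INPUT_ROOT=/data/secure           # encrypted partition, readable by datarunner only
OUTPUT_ROOT=/data/output          # non-sensitive results may land here
SCRATCH_ROOT=/var/lib/datarunner  # temp area, mode 0700, owned by datarunner
TOOL=/opt/analysis/bin/analyze    # the in-house binary; its path is fixed here

umask 077   # nothing the wrapper creates is readable by other accounts

# Accept only an absolute path strictly under the given root with no '..'
# component (string check; a production wrapper should also canonicalise
# with realpath so a symlink cannot point outside the root).
path_under() {
    root=$1; p=$2
    case "$p" in
        "$root"/?*) ;;
        *) return 1 ;;
    esac
    case "/$p/" in
        */../*) return 1 ;;
    esac
    return 0
}

# Exactly the option forms the tool is approved to receive; anything else,
# including any debug or dump option the devs add, is refused.
option_allowed() {
    case "$1" in
        --threads=[1-9]|--threads=[1-9][0-9]) return 0 ;;
        --verbose) return 0 ;;
        --input=*)  path_under "$INPUT_ROOT"  "${1#--input=}" ;;
        --output=*) path_under "$OUTPUT_ROOT" "${1#--output=}" ;;
        *) return 1 ;;
    esac
}

# Check a whole argument list; report the first refused argument on stderr.
args_allowed() {
    for a in "$@"; do
        option_allowed "$a" || { echo "refused: $a" >&2; return 1; }
    done
    return 0
}

# The thread notes results are ASCII text: refuse to release an output file
# containing any byte outside printable ASCII plus whitespace.
output_is_text() {
    LC_ALL=C grep -q '[^[:print:][:space:]]' "$1" && return 1
    return 0
}

main() {
    args_allowed "$@" || exit 1
    work=$(mktemp -d "$SCRATCH_ROOT/run.XXXXXX") || exit 1
    # Intermediate data may be sensitive: overwrite and remove the scratch
    # directory when the run ends, however it ends.
    trap 'find "$work" -type f -exec shred -u {} + ; rm -rf "$work"' EXIT
    TMPDIR=$work "$TOOL" "$@"
    status=$?
    out=
    for a in "$@"; do
        case "$a" in --output=*) out=${a#--output=} ;; esac
    done
    if [ -n "$out" ] && [ -f "$out" ] && ! output_is_text "$out"; then
        echo "output is not plain text; withholding $out" >&2
        shred -u "$out"
        status=1
    fi
    exit "$status"
}

# Act as the wrapper only when invoked with arguments.
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Because sudoers names only the wrapper, the users' only path to the sensitive data is through it: they never read the input files themselves, so `cat file > newfile` into their home directory is not possible, and the scratch space under the service account is shredded on exit regardless of whether the tool succeeds.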