[ale] Write permission
- Subject: [ale] Write permission
- From: jim.kinney at gmail.com (Jim Kinney)
- Date: Mon, 16 May 2016 11:56:24 -0400
- In-reply-to: <[email protected]>
I'm digging into that as well. But it's not granular enough. Unless I
create a new group that owns the binaries and data and that is the
limiting group.
Hmm.
On Mon, 2016-05-16 at 11:11 -0400, Jerald Sheets wrote:
> Extended File Access?
>
> getfacl
> setfacl
>
>
> all that?
>
> GAWD I need a refresher before updating my RHCE...
>
>
> ?j
>
> > On May 16, 2016, at 10:48 AM, Jim Kinney <jim.kinney at gmail.com>
> > wrote:
> >
> > I'm trying to envision a process that will have some funky
> > permissions in play and would appreciate ideas.
> > Data is sensitive and stored in an encrypted partition. Only users in
> > the approved group can read in that folder.
> > They need to run that data through custom code that may do
> > temporary writes somewhere. That will need to be locked down and
> > either encrypted or overwritten after use (or both). This is the
> > easy part.
> > I need to prevent that data from being written/copied anywhere else
> > even if they have write permission (home dir).
> > I run CentOS 7 systems so I have selinux. However, once this scales
> > off the individual research system to the cluster, I've disabled
> > selinux on the cluster for performance reasons. I can activate it
> > if the encrypted folders are mounted and limit runs to specific
> > nodes if always running.
> > So I'm seeing (sort of. Not fully thought out yet) a rule that
> > allows data read with binaries of a particular type that can only
> > write to particular folders. Note that the final output of the data
> > run is not sensitive but intermediate data may be. To run a process
> > requires writing binary to specific folder. That folder forces all
> > contents to be special type that is subject to selinux rule.
> > Can't allow users to directly read the files in order to disallow
> > 'cat file > newfile' to disallowed folder.
> > Data files are (currently) video and output is ascii text so it's
> > possible to check file types on output before allowed to copy to
> > new folder.
> > However, the input data files may be ascii for a different group's
> > work.
--
James P. Kinney III
Every time you stop a school, you will have to build a jail. What you
gain at one end you lose at the other. It's like feeding a dog on his
own tail. It won't fatten the dog.
- Speech 11/23/1900 Mark Twain
http://heretothereideas.blogspot.com/
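The output-type gate sketched in the original post (copy a result out of the scratch area only if it is ASCII text, never a video intermediate) as an added example; this is not code from the thread, and the scratch/output directory names and the fake MP4 bytes are constructed for the demo.

```python
import os
import shutil
import tempfile

# Bytes allowed in a "plain ASCII text" result: printable 0x20..0x7E plus tab, LF, CR.
_ALLOWED = frozenset(range(0x20, 0x7F)) | frozenset({0x09, 0x0A, 0x0D})


def is_plain_ascii(path, chunk_size=65536):
    """True only if every byte of the file is printable ASCII or whitespace.
    Streams the file so a large intermediate is never read fully into memory."""
    with open(path, "rb") as fh:
        while True:
            chunk = fh.read(chunk_size)
            if not chunk:
                return True
            if any(b not in _ALLOWED for b in chunk):
                return False


def release(src, out_dir):
    """Copy src into out_dir only if it passes the ASCII gate.
    Returns the destination path, or None when the copy was refused.
    The realpath check keeps a crafted name from landing outside out_dir."""
    out_dir = os.path.realpath(out_dir)
    dest = os.path.realpath(os.path.join(out_dir, os.path.basename(src)))
    if os.path.dirname(dest) != out_dir or not is_plain_ascii(src):
        return None
    shutil.copyfile(src, dest)
    os.chmod(dest, 0o640)  # group-readable only; no world read on the output
    return dest


def demo():
    """Constructed sample run: one ASCII result and one fake video intermediate.
    Returns (text_released, video_refused)."""
    scratch = tempfile.mkdtemp(prefix="scratch-")
    out = tempfile.mkdtemp(prefix="out-")
    text = os.path.join(scratch, "summary.txt")
    video = os.path.join(scratch, "clip.mp4")
    with open(text, "wb") as fh:
        fh.write(b"frame,score\n1,0.92\n2,0.87\n")
    with open(video, "wb") as fh:
        # constructed bytes shaped like an MP4 'ftyp' box, not a real video
        fh.write(b"\x00\x00\x00\x18ftypmp42" + bytes(range(256)))
    released = release(text, out) is not None
    refused = release(video, out) is None
    shutil.rmtree(scratch)
    shutil.rmtree(out)
    return released, refused


if __name__ == "__main__":
    print(demo())  # (True, True)
```

As the original post already notes, the gate is blind when another group's input is itself ASCII, and it does nothing to stop a user who can read the data from copying it out by hand; that is the gap the thread turns to SELinux type enforcement to close.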