[ale] Write permission
- Subject: [ale] Write permission
- From: ted-lists at xy0.org (Ted W.)
- Date: Mon, 16 May 2016 18:33:12 -0400

The first thing that came to mind here was an SELinux policy that
assigns all files in your executable directory (/foo) to a custom role
and that role only has write access to locations of a specific type.
But... then you said you disable it so if there's really a valid reason
for that then so be it.

Only other things I can think of are along the lines of what others have
already suggested. Chown all of the files in /foo to a user and then
either use setuid or sudo to restrict where those files can write to.

On 05/16/2016 10:48 AM, Jim Kinney wrote:
> I'm trying to envision a process that will have some funky permissions
> in play and would appreciate ideas.
>
> Data is sensitive and stored in encrypted partition. Only users in the
> approved group can read in that folder.
>
> They need to run that data through custom code that may do temporary
> writes somewhere. That will need to be locked down and either encrypted
> or overwritten after use (or both). This is the easy part.
>
> I need to prevent that data from being written/copied anywhere else even
> if they have write permission (home dir).
>
> I run CentOS 7 systems so I have selinux. However, once this scales off
> the individual research system to the cluster, I've disabled selinux on
> the cluster for performance reasons. I can activate it if the encrypted
> folders are mounted and limit runs to specific nodes if always running.
>
> So I'm seeing (sort of. Not fully thought out yet) a rule that allows
> data read with binaries of a particular type that can only write to
> particular folders. Note that the final output of the data run is not
> sensitive but intermediate data may be. To run a process requires
> writing binary to specific folder. That folder forces all contents to be
> special type that is subject to selinux rule.
>
> Can't allow users to directly read the files in order to disallow 'cat
> file > newfile' to disallowed folder.
>
> Data files are (currently) video and output is ascii text so it's
> possible to check file types on output before allowed to copy to new folder.
>
> However, the input data files may be ascii for a different group's work.
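
The setuid/sudo approach suggested in the reply, sketched as an added example that is not part of either message: a wrapper run through sudo as a dedicated account, which refuses input and output paths outside the approved directories and shreds its scratch files afterwards. The account name `fooproc`, the `/secure/...` paths, `/foo/run-analysis` and `/foo/analyze` are assumptions.

```sh
#!/bin/sh
# Added example, not from the thread. Hypothetical wrapper installed as
# /foo/run-analysis and invoked through a sudoers rule such as (names assumed):
#   %approved ALL=(fooproc) NOPASSWD: /foo/run-analysis
# The account fooproc owns the data, OUT_DIR and SCRATCH_BASE (mode 0700).
# World-writable paths (/tmp, /dev/shm) stay writable to fooproc and need
# separate handling.

DATA_DIR=${DATA_DIR:-/secure/data}          # assumed paths
OUT_DIR=${OUT_DIR:-/secure/results}
SCRATCH_BASE=${SCRATCH_BASE:-/secure/scratch}
ANALYZER=${ANALYZER:-/foo/analyze}          # assumed to write results to stdout

# True only if $2, with symlinks and ".." resolved, lies strictly under $1.
path_within() (
    base=$(readlink -f -- "$1") || exit 1
    target=$(readlink -f -- "$2") || exit 1
    case "$target" in
        "$base"/*) exit 0 ;;
        *)         exit 1 ;;
    esac
)

# Usage: run_analysis INPUT OUTPUT
run_analysis() (
    input=$1 output=$2
    path_within "$DATA_DIR" "$input" || { echo "input must be under $DATA_DIR" >&2; exit 2; }
    path_within "$OUT_DIR" "$output" || { echo "output must be under $OUT_DIR" >&2; exit 2; }
    umask 077                               # intermediates private to fooproc
    scratch=$(mktemp -d "$SCRATCH_BASE/run.XXXXXX") || exit 3
    rc=0
    TMPDIR=$scratch "$ANALYZER" "$input" > "$output" || rc=$?
    # Overwrite, then unlink, whatever the run left behind.
    find "$scratch" -type f -exec shred -u {} + 2>/dev/null
    rm -rf -- "$scratch"
    exit "$rc"
)

if [ "$#" -gt 0 ]; then
    run_analysis "$@"
fi
```

The path checks only constrain what the wrapper itself opens; what the analysis code can write is still decided by the file permissions of the account it runs as.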