Can I run a command with specific privileges on certain directories?












3














I would like to be able to run a command, passing in parameters to bash or similar, such that this command is not allowed to write to a particular path, overriding the user's other privs.



Eg:



root> /bin/bash -protect /folder/to/protect mycommand.sh


In this example, the root user can obviously do what it wants, but while I test a new script I'm writing, I would like to protect a folder, as if the folder was read only for that user.



Is there a way to do this without adding a new user and adjusting that user's privs accordingly? It doesn't have to be in bash by the way, I don't mind the approach - as long as I can protect folders without adding a new user I don't mind!










bash permissions files














edited Dec 16 at 4:26









Rui F Ribeiro











asked Jul 13 '11 at 15:09









Rich













  • Are we talking about subfolders too? What about chmod u-w folder, what about a backup, which you restore later?
    – user unknown
    Jul 13 '11 at 17:52






  • 1




    By the way, they're called directories in the unix world.
    – Gilles
    Jul 13 '11 at 22:27




























2 Answers
1






Unix's security is built on permissions for users and groups. If you want to make a directory read-only for a command, you need to run it as a user who isn't allowed to write to that directory. Or there's a heavier-handed approach, which is to run the command in a virtual machine.



You may find bindfs useful. Bindfs is a stacked filesystem, that is, it creates an alternate view of a part of the directory tree. In particular, you can create a read-only view, or a view with different permissions. Bindfs can't make /folder/to/protect read-only, but it can create a read-only view of that directory /read/only/view; you need to find some other means (such as permissions) of preventing the command from writing in /folder/to/protect.



bindfs --perms=a-w /folder/to/protect /read/only/view





answered Jul 13 '11 at 22:25









Gilles













  • Shouldn't your last sentence read "you need to find some other means (such as permissions) of preventing the command from writing in /read/only/view"?
    – Rich
    Jul 18 '11 at 8:15










  • @Rich No, I don't think so, why should it? The read-only view is read-only to everyone. It's the folder to protect that you still need to protect, independently of the read-only view.
    – Gilles
    Jul 18 '11 at 9:09


















0






You could write a shared library which implemented a wrapper around open which performed the additional security check(s) you want. The program you write can then use LD_PRELOAD to load your shared library when invoking the program and override the system's open.



You may need to override other system calls to ensure there is not an alternative way for the program to achieve what it's trying to do.






answered Jul 14 '11 at 13:52









jmtd













  • This only works if the program is cooperative (what if it removes your wrapper? what if it has statically linked a copy of open? what if it calls the syscall directly?), and you're thorough enough (what if the program unlinks some files, or renames them to a different directory, and so on).
    – Gilles
    Jul 14 '11 at 15:00
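
The wrapper idea from the answer above, with the gaps raised in the comment left visible, as an added sketch that is not code from the thread. It assumes Linux with glibc; the PROTECT_DIR variable and the file name roshim.c are hypothetical names chosen for this example.

```c
/* Added example, not code from the thread; Linux/glibc assumed, and
 * PROTECT_DIR is a hypothetical variable name.
 * Build: cc -shared -fPIC -o roshim.so roshim.c
 * Use:   PROTECT_DIR=/folder/to/protect LD_PRELOAD=$PWD/roshim.so ./mycommand.sh
 * Only open() and unlink() are wrapped; every other entry point is open. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdarg.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

/* 1 if canonical `path` is `root` or below it; /data2 is not under /data. */
int path_under(const char *path, const char *root) {
    size_t n = strlen(root);
    while (n > 1 && root[n - 1] == '/') n--;
    if (strncmp(path, root, n) != 0) return 0;
    return path[n] == '\0' || path[n] == '/' || n == 1;
}

/* 1 if `path` lands in $PROTECT_DIR. follow=1 resolves a final symlink
 * (open); follow=0, or a target that does not exist yet, judges its parent. */
int is_protected(const char *path, int follow) {
    const char *root = getenv("PROTECT_DIR");
    char rroot[PATH_MAX], buf[PATH_MAX], dir[PATH_MAX];
    if (!root || !realpath(root, rroot)) return 0;   /* no policy set */
    if (follow && realpath(path, buf)) return path_under(buf, rroot);
    if (strlen(path) >= sizeof dir) return 1;        /* fail closed */
    strcpy(dir, path);
    char *slash = strrchr(dir, '/');
    if (!slash) strcpy(dir, ".");
    else if (slash == dir) dir[1] = '\0';
    else *slash = '\0';
    if (!realpath(dir, buf)) return 0;   /* parent missing: real call fails */
    return path_under(buf, rroot);
}

int open(const char *path, int flags, ...) {
    mode_t mode = 0;
    int has_mode = (flags & O_CREAT) != 0;
#ifdef O_TMPFILE
    has_mode |= (flags & O_TMPFILE) == O_TMPFILE;
#endif
    if (has_mode) {                      /* a third argument exists only then */
        va_list ap;
        va_start(ap, flags);
        mode = (mode_t)va_arg(ap, int);
        va_end(ap);
    }
    int writes = (flags & O_ACCMODE) != O_RDONLY || (flags & (O_CREAT | O_TRUNC));
    if (writes && is_protected(path, 1)) { errno = EROFS; return -1; }
    /* Forward with the raw syscall, so no dlsym(RTLD_NEXT) lookup is needed. */
    return (int)syscall(SYS_openat, AT_FDCWD, path, flags, mode);
}

int unlink(const char *path) {
    if (is_protected(path, 0)) { errno = EROFS; return -1; }
    return (int)syscall(SYS_unlinkat, AT_FDCWD, path, 0);
}
```

The shim is advisory: a statically linked binary, a direct syscall, or a child started with LD_PRELOAD cleared never reaches it, and calls such as openat(), unlinkat(), rename(), creat() and fopen() would each need their own wrapper.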

















