Can I run a command with specific privileges on certain directories?
I would like to be able to run a command, passing in parameters to bash or similar, such that this command is not allowed to write to a particular path, overriding the user's other privs.
Eg:
root> /bin/bash -protect /folder/to/protect mycommand.sh
In this example, the root user can obviously do what it wants, but while I test a new script I'm writing, I would like to protect a folder, as if the folder was read only for that user.
Is there a way to do this without adding a new user and adjusting that user's privs accordingly? It doesn't have to be in bash by the way, I don't mind the approach - as long as I can protect folders without adding a new user I don't mind!
bash permissions files
edited Dec 16 at 4:26
Rui F Ribeiro
asked Jul 13 '11 at 15:09
Rich
Are we talking about subfolders too? What about `chmod u-w folder`, what about a backup, which you restore later?
– user unknown
Jul 13 '11 at 17:52
By the way, they're called directories in the unix world.
– Gilles
Jul 13 '11 at 22:27
2 Answers
Unix's security is built on permissions for users and groups. If you want to make a directory read-only for a command, you need to run it as a user who isn't allowed to write to that directory. Or there's a heavier-handed approach, which is to run the command in a virtual machine.
You may find bindfs useful. Bindfs is a stacked filesystem, that is, it creates an alternate view of a part of the directory tree. In particular, you can create a read-only view, or a view with different permissions. Bindfs can't make `/folder/to/protect` read-only, but it can create a read-only view of that directory `/read/only/view`; you need to find some other means (such as permissions) of preventing the command from writing in `/folder/to/protect`.
bindfs --perms=a-w /folder/to/protect /read/only/view
answered Jul 13 '11 at 22:25
Gilles
Shouldn't your last sentence read "you need to find some other means (such as permissions) of preventing the command from writing in `/read/only/view`"?
– Rich
Jul 18 '11 at 8:15
@Rich No, I don't think so, why should it? The read-only view is read-only to everyone. It's the folder to protect that you still need to protect, independently of the read-only view.
– Gilles
Jul 18 '11 at 9:09
You could write a shared library which implemented a wrapper around `open` which performed the additional security check(s) you want. The program you write can then use `LD_PRELOAD` to load your shared library when invoking the program and override the system's `open`.
You may need to override other system calls to ensure there is not an alternative way for the program to achieve what it's trying to do.
answered Jul 14 '11 at 13:52
jmtd
This only works if the program is cooperative (what if it removes your wrapper? what if it has statically linked a copy of `open`? what if it calls the syscall directly?), and you're thorough enough (what if the program `unlink`s some files, or `rename`s them to a different directory, and so on).
– Gilles
Jul 14 '11 at 15:00
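A sketch of the `LD_PRELOAD` wrapper from the answer above, extended to the `unlink` and `rename` cases raised in the comment; this is an added example, not code from either poster. The `PROTECT_DIR` environment variable and the file name `protect.c` are assumptions made for the example, and the wrappers forward with raw Linux syscalls rather than `dlsym(RTLD_NEXT, ...)` so the file builds without extra libraries.

```c
/* protect.c: LD_PRELOAD shim, added example. PROTECT_DIR is an invented name. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

static int deny(void) { errno = EACCES; return -1; }
/* Returns 1 if path lies inside the protected tree. follow=0 judges the directory
 * entry itself, because unlink/rename act on the link, not on what it points to. */
int is_protected(const char *path, int follow)
{
    const char *env = getenv("PROTECT_DIR");
    char root[PATH_MAX], dir[PATH_MAX] = "", full[2 * PATH_MAX];
    if (!env || !path || !realpath(env, root))
        return 0;
    if (!follow || !realpath(path, full)) {
        /* No-follow, or target not created yet (O_CREAT): resolve parent, re-attach name. */
        const char *slash = strrchr(path, '/');
        size_t n = slash ? (size_t)(slash - path) : 0;
        if (n >= sizeof dir)
            return 1;                       /* over-long path: fail closed */
        memcpy(dir, path, n);               /* dir was zero-filled, so it stays terminated */
        if (!realpath(slash ? (n ? dir : "/") : ".", full))
            return 0;                       /* no such parent: the real call fails too */
        size_t k = strlen(full);
        snprintf(full + k, sizeof full - k, "%s%s", k > 1 ? "/" : "", slash ? slash + 1 : path);
    }
    size_t len = strlen(root);              /* match only on a component boundary */
    return !strncmp(full, root, len) && (len == 1 || full[len] == '/' || !full[len]);
}

int open(const char *path, int flags, ...)
{
    va_list ap;
    va_start(ap, flags);                    /* a mode argument only accompanies O_CREAT */
    mode_t mode = (flags & O_CREAT) ? (mode_t)va_arg(ap, int) : 0;
    va_end(ap);
    int writes = (flags & O_ACCMODE) != O_RDONLY || (flags & (O_CREAT | O_TRUNC));
    return (writes && is_protected(path, 1)) ? deny()
         : (int)syscall(SYS_openat, AT_FDCWD, path, flags, mode);
}

int unlink(const char *path)
{
    return is_protected(path, 0) ? deny() : (int)syscall(SYS_unlinkat, AT_FDCWD, path, 0);
}

int rename(const char *from, const char *to)
{
    return (is_protected(from, 0) || is_protected(to, 0)) ? deny()
         : (int)syscall(SYS_renameat2, AT_FDCWD, from, AT_FDCWD, to, 0);
}
```

Build with `cc -shared -fPIC -o libprotect.so protect.c` and run the script as `PROTECT_DIR=/folder/to/protect LD_PRELOAD=$PWD/libprotect.so ./mycommand.sh`. Entry points not wrapped here (`open64`, `openat`, `creat`, `truncate`, `mkdir`, stdio's `fopen`) still reach the directory, which is the thoroughness problem the comment describes.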