Solved

File permissions

Posted on 2003-02-27
Last Modified: 2008-02-01
I want a user to be able to write a file to a directory on my linux server. When they write a file they must not be able to delete or change that file in any way - i.e. their permissions must be changed to read.

How can I do this?
Question by:ijg0
17 Comments
 
LVL 8

Accepted Solution

by:
heskyttberg earned 152 total points
ID: 8032977
Hi!

But if you are talking about FTP it's a different story; this might be configured in the FTP server's conf file.

I'd recommend you check out ProFTPD.

I don't think this can be done if the users log in to a regular shell.

Regards
/Hans - Erik Skyttberg
0
 
LVL 1

Expert Comment

by:donnyr10
ID: 8033311
You may want to take a look at umask command

http://unixhelp.ed.ac.uk/CGI/man-cgi?umask+2

However your question may be a little more involved;
a script to convert the files in that folder
to r may be required.

If it's FTP you need, there is more work.
wu-ftp (Washington University) FTP is standard
on most Linux systems.

Execute rpm -qf /usr/sbin/in.ftpd to see your package

In /etc/xinetd.d/wu-ftpd
disable=yes

Run vi and change it to =no
Save the file >> restart the server
/etc/rc.d/init.d/xinetd restart

There is more to this so
If you need more Info please ask..

Take Care
./Donny
0
 

Author Comment

by:ijg0
ID: 8033368
Sorry - I don't think I put enough description in my question. The files copied to the server will be copied using ssh (putty) via an automated process. I want to prevent the user from deleting these files after they have been copied.

If I run a cron job then there will be the possibility of the user deleting the files between the files being copied and the cron job running. This should not be a problem if the cron job runs every 10 minutes or so.

What should the cron job do?

Thanks

ijg0
0

 

Author Comment

by:ijg0
ID: 8033384
If I use the umask command, the user can just change the permissions back as they will be the owner of the newly created file?
0
 
LVL 8

Expert Comment

by:heskyttberg
ID: 8033449
Hi!

I'd say it can't be done, but that isn't quite true.
What I can say is that it's not easily done.

If they use ssh to log in, they have a true shell and will always become owner of that file.

This means you don't really want to change the file permissions; what you want is to change the owner.

This isn't easily accomplished. You would need a daemon running that will check the dir for new files every 20 seconds or something; if there is a file in there, do a chown to some other user.

This could be done in a script, but I'm no script genie so I can't help out with that.

Regards
/Hans - Erik Skyttberg

0
 
LVL 2

Expert Comment

by:jimbb
ID: 8035628
If it would be acceptable for the user to keep writing to the same file (appending new text to it) instead of writing new files, you could use 'chattr' to set the append-only flag on the file.
0
 

Author Comment

by:ijg0
ID: 8035654
They are .jpeg files!
0
 
LVL 2

Expert Comment

by:perldork
ID: 8037987
You could do a small daemon that monitors for ssh connections to that account (by looking for connect messages to that account in /var/log/secure)

Feb 24 01:21:11 XXX sshd[757]: Accepted password for user

when it receives that message, it could fork a child who would monitor the life of the ssh process, and, as soon as the process disappears, run

chattr +i

on all the jpeg files in the directory in question.

0
 
LVL 1

Expert Comment

by:arn0ld
ID: 8038316
What is the "automated process"? putty implies it runs on the Windows side? Is there a process for each user or a single process?

Do the users require access to the repository computer for other than sending jpegs?
0
 
LVL 8

Expert Comment

by:heskyttberg
ID: 8040148
Hi!

Yes it runs on client side, but you have opened a full-fledged shell by doing things like this?

Why not create and use certificates instead, and if this is one special user that everyone uses to upload files.

For that user only allow the use of scp, not ssh.
That way they wouldn't be allowed to actually login and get a shell.

That way you disable their chances to delete the uploaded file.

Regards
/Hans - Erik Skyttberg
0
 

Author Comment

by:ijg0
ID: 8041095
Thanks for all your help guys. As this question is longer than I thought I have increased the points accordingly.

Using scp instead of ssh seems a good idea. Files are generated on the client computer (yes Windows XP!) as jpeg files and avi files from a capture card. I want to copy these to a secure location on a Linux box. I will need shell access to the Linux box but the other users don't.

Currently I can log in by both ssh and scp. How can I change this so that certain users can only log in via scp?

Thanks for your Help
ijg0
0
 

Author Comment

by:ijg0
ID: 8041099
By the way there are many different users uploading files into their own directories from many different computers :)
0
 
LVL 1

Assisted Solution

by:AnhLePhuoc
AnhLePhuoc earned 148 total points
ID: 8041193
After transferring a file to the target Linux server using PUTTY pscp or psftp you need to give away the file ownership to another user. The problem is that you can only do that as the super user.

You can do one of 2 things:
1) Execute a root SUID command (or one of the equivalents) by placing that command in a script file on the Windows side and invoke it with the PUTTY -m option.

For example:
On Linux server, in the script "give_away.bash"
#!/bin/bash
# <new_user> is a placeholder for the account that takes ownership.
# "$@" keeps file names with spaces intact (the unquoted $* would split them).
chown <new_user> "$@"

Make the script executable, and add it to the sudoer list for the transfer user.

On Windows machine, in the ssh command script file "change_owner"
  sudo /appropriate_path/give_away.bash  <the_file> .....

And schedule the command:
  putty.exe -m change_owner ..etc...
to run immediately after the file transfer


2) You can have a root run script running on the Linux server waiting for a trigger to execute the chown command. The trigger can just be a file of predefined name.
The script can be something like

#!/bin/bash
# Placeholders: the transfer directory and <new_owner>.
cd <<<< The file transfer directory >>>>>
while true; do
  if [ -f  TRIGGER_FILE ]; then
    chown <new_owner> *
    # Remove the trigger so the chown runs once per upload batch.
    rm -f TRIGGER_FILE
  fi
  sleep 10
done

This behaves rather like a cron job that runs every 10 seconds but that would be very resource consuming.
This simple script consumes very little resource.

Then after sending other files to the server you can send the empty file TRIGGER_FILE as the file to trigger things off.


Good luck


0
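
The periodic take-ownership pass that heskyttberg and AnhLePhuoc describe above, written out as an added example that is not part of any post in this thread. It assumes the upload directory is owned by root with the sticky bit set (for example mode 1770 with the uploaders' group), because whether a file can be deleted is decided by the directory, not by the file's own mode; lock_uploads and its arguments are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the thread. Intended to run as root from cron.
# Assumed layout: DIR is root-owned with the sticky bit set, so once a file
# belongs to OWNER the uploader can no longer delete, rename or replace it.

# lock_uploads DIR OWNER MIN_AGE_MINUTES
# Hands finished uploads to OWNER, makes them read-only, prints how many.
lock_uploads() {
    dir=$1 owner=$2 min_age=$3
    # -type f    regular files only; symlinks are never selected
    # -links 1   skip hard-linked files (may be a link to another user's file)
    # -mmin +N   skip files modified recently, i.e. transfers still running
    # -perm -200 skip files already locked on an earlier pass
    find "$dir" -xdev -type f -links 1 -mmin +"$min_age" -perm -200 \
        -exec sh -c '
            owner=$1; shift
            for f in "$@"; do
                # -h: if the name was swapped for a symlink after find saw
                # it, only the link changes owner, never the link target.
                chown -h -- "$owner" "$f" || continue
                # chmod always follows symlinks, so re-check the type first.
                # The sticky bit keeps the uploader from swapping it now.
                [ -f "$f" ] && [ ! -L "$f" ] || continue
                chmod 0444 -- "$f" && echo locked
            done' sh "$owner" {} + | wc -l | tr -d ' '
}
```

Called as, for instance, `lock_uploads /srv/uploads/alice root 2` (constructed path), it leaves files younger than two minutes alone until the next pass.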
 
LVL 8

Expert Comment

by:heskyttberg
ID: 8041942
Hi!

If you have many users uploading files into their own dirs, why would you want to stop them from deleting them?

If you have 30-40 users or more, a script or daemon that checks all those directories will eat up the resources on your computer.

I still recommend you change their accounts and only allow scp for the users, that way they can't delete uploaded files.

They might be able to overwrite an uploaded file.

But this will only work if the users don't really have need of shell access.

Regards
/Hans - Erik Skyttberg
0
 

Author Comment

by:ijg0
ID: 8042199
I am thinking of going along with the script checking route. I don't think there should be much of a problem running the scripts and resources but this is something that I will need to check - I will set the time delay longer than 10 though.

heskyttberg - you mention using scp instead of shell access. This also seems a good idea. I don't know much about scp except for using it on the odd occasion. How can I do this (preventing ssh logon)?

I will try both methods and award the points to the best.

Thanks.

ijg0
0
 

Expert Comment

by:CleanupPing
ID: 9087836
ijg0:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 12

Expert Comment

by:paullamhkg
ID: 9260366
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is to:

Points split between heskyttberg and AnhLePhuoc

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Paul
EE Cleanup Volunteer
0
