Solved

File permissions

Posted on 2003-02-27
Last Modified: 2008-02-01
I want a user to be able to write a file to a directory on my linux server. When they write a file they must not be able to delete or change that file in any way - i.e. their permissions must be changed to read.

How can I do this?
0
Question by:ijg0
17 Comments
 
LVL 8

Accepted Solution

by:
heskyttberg earned 152 total points
ID: 8032977
Hi!

But if you are talking about FTP it's a different story; this might be configured in the FTP server's conf file.

I'd recommend you check out ProFTPD.

I don't think this can be done if the users log in to a regular shell.

Regards
/Hans - Erik Skyttberg
0
 
LVL 1

Expert Comment

by:donnyr10
ID: 8033311
You may want to take a look at the umask command

http://unixhelp.ed.ac.uk/CGI/man-cgi?umask+2

However, your question may be a little more involved;
a script to convert the files in that folder
to r may be required.

If it's FTP you need, there is more work
wu-ftp (Washington University) FTP is standard
on most Linux Systems

Execute rpm -qf /usr/sbin/in.ftpd to see your package

In /etc/xinetd.d/wu-ftpd
disable=yes

Run vi, change it to =no
Save the file >> restart the server
/etc/rc.d/init.d/xinetd restart

There is more to this so
If you need more Info please ask..

Take Care
./Donny
0
 

Author Comment

by:ijg0
ID: 8033368
Sorry - I don't think I put enough description in my question. The files copied to the server will be copied using ssh (putty) via an automated process. I want to prevent the user from deleting these files after they have been copied.

If I run a cron job then there will be the possibility of the user deleting the files between the files being copied and the cron job running. This should not be a problem if the cron job runs every 10 minutes or so.

What should the cron job do?

Thanks

ijg0
0

 

Author Comment

by:ijg0
ID: 8033384
If I use the umask command, the user can just change the permissions back, as they will be the owner of the newly created file?
0
 
LVL 8

Expert Comment

by:heskyttberg
ID: 8033449
Hi!

I'd say it can't be done, but that isn't quite true.
What I can say is it's not easily done.

If they use ssh to log in, they have a true shell and will always become owner of that file.

This means you don't really want to change the file permissions; what you want is to change the owner.

This isn't easily accomplished: you would need a daemon running that will check the dir for new files every 20 seconds or something, and if there is a file in there do a chown to some other user.

This could be done in a script, but I'm no script genie so I can't help out with that.

Regards
/Hans - Erik Skyttberg

0
 
LVL 2

Expert Comment

by:jimbb
ID: 8035628
If it would be acceptable for the user to keep writing to the same file (appending new text to it) instead of writing new files, you could use 'chattr' to set the append-only flag on the file.
0
 

Author Comment

by:ijg0
ID: 8035654
They are .jpeg files!
0
 
LVL 2

Expert Comment

by:perldork
ID: 8037987
You could do a small daemon that monitors for ssh connections to that account (by looking for connect messages to that account in /var/log/secure)

Feb 24 01:21:11 XXX sshd[757]: Accepted password for user

When it receives that message, it could fork a child which would monitor the life of the ssh process and, as soon as the process disappears, run

chattr +i

on all the jpeg files in the directory in question.

0
 
LVL 1

Expert Comment

by:arn0ld
ID: 8038316
What is the "automated process"? PuTTY implies it runs on the Windows side? Is there a process for each user or a single process?

Do the users require access to the repository computer for other than sending jpegs?
0
 
LVL 8

Expert Comment

by:heskyttberg
ID: 8040148
Hi!

Yes, it runs on the client side, but you have opened a full-fledged shell by doing things like this?

Why not create and use certificates instead, and if this is one special user that everyone uses to upload files.

For that user only allow the use of scp, not ssh.
That way they wouldn't be allowed to actually login and get a shell.

That way you disable their chances to delete the uploaded file.

Regards
/Hans - Erik Skyttberg
0
 

Author Comment

by:ijg0
ID: 8041095
Thanks for all your help guys. As this question is longer than I thought I have increased the points accordingly.

Using scp instead of ssh seems a good idea. Files are generated on the client computer (yes, Windows XP!) as jpeg files and avi files from a capture card. I want to copy these to a secure location on a Linux box. I will need shell access to the Linux box but the other users don't.

Currently I can log in by both ssh and scp. How can I change this so that certain users can only log in via scp?

Thanks for your Help
ijg0
0
 

Author Comment

by:ijg0
ID: 8041099
By the way there are many different users uploading files into their own directories from many different computers :)
0
 
LVL 1

Assisted Solution

by:AnhLePhuoc
AnhLePhuoc earned 148 total points
ID: 8041193
After transferring the file to the target Linux server using PuTTY pscp or psftp, you need to give away the file ownership to another user. The problem is that you can only do that as the super user.

You can do one of 2 things:
1) Execute a root SUID command (or one of the equivalents) by placing that command in a script file on the Windows side and invoking it with the PuTTY -m option.

For example:
On Linux server, in the script  "give_away.bash"
#!/bin/bash
# "$@" keeps file names containing spaces intact
chown <new_user> "$@"

Make the script executable, and add it to the sudoer list for the transfer user.

On Windows machine, in the ssh command script file "change_owner"
  sudo /appropriate_path/give_away.bash  <the_file> .....

And schedule the command:
  putty.exe -m change_owner ..etc...
to run immediately after the file transfer


2) You can have a root-run script running on the Linux server waiting for a trigger to execute the chown command. The trigger can just be a file with a predefined name.
The script can be something like

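#!/bin/bash
# Run as root. Stop if the transfer directory cannot be entered.
cd <<<< The file transfer directory >>>>> || exit 1
while true; do
  if [ -f TRIGGER_FILE ]; then
    # Consume the trigger first so each upload batch is handled once
    rm -f TRIGGER_FILE
    chown <new_owner> *
  fi
  sleep 10
done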

This behaves rather like a cron job that runs every 10 seconds, but that would be very resource consuming.
This simple script consumes very little resource.

Then after sending other files to the server you can send the empty file TRIGGER_FILE as the file to trigger things off.


Good luck


0
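An added example, not part of any post in this thread, of the root-run sweep that the chown suggestions describe. It also sets the sticky bit on the upload directory, because deletion is governed by the directory: in a sticky directory a user can delete or rename only files they own. The function names and the directory and owner arguments are assumptions; TRIGGER_FILE is the marker from the answer above.

```sh
#!/bin/sh
# Added example, not code from the thread. Meant to be run by root (cron or a
# loop); DIR and OWNER are hypothetical arguments, DIR should belong to root.

# prepare_dir DIR: set the sticky bit so an upload that has been handed to
# another owner can no longer be deleted or renamed by the uploader.
prepare_dir() {
    chmod +t "$1"
}

# needs_lock FILE OWNER: true if FILE is not owned by OWNER or not mode 0444.
needs_lock() {
    [ -n "$(find "$1" -prune \( ! -user "$2" -o ! -perm 444 \))" ]
}

# lock_uploads DIR OWNER: lock every upload, print how many were locked.
lock_uploads() {
    count=0
    for f in "$1"/*; do
        # Regular files only; a symlink planted by the uploader is skipped.
        [ -f "$f" ] && [ ! -L "$f" ] || continue
        needs_lock "$f" "$2" || continue
        if [ "$(id -u)" -eq 0 ]; then
            # -h: act on a link itself if one was swapped in after the check.
            chown -h "$2" "$f" || continue
            # The entry can no longer be replaced, so this re-check is stable.
            [ ! -L "$f" ] || continue
        fi
        # Without root only this chmod runs, which the owner could undo.
        chmod 0444 "$f" && count=$((count + 1))
    done
    echo "$count"
}

# sweep_if_triggered DIR OWNER: sweep only after the uploader has sent
# TRIGGER_FILE, so half-copied files are left alone.
sweep_if_triggered() {
    [ -f "$1/TRIGGER_FILE" ] || { echo 0; return 0; }
    rm -f "$1/TRIGGER_FILE"
    lock_uploads "$1" "$2"
}
```

Called from root's crontab or a sleep loop as `sweep_if_triggered /path/to/uploads archive`, where both arguments are placeholders for the real directory and the account that should end up owning the files.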
 
LVL 8

Expert Comment

by:heskyttberg
ID: 8041942
Hi!

If you have many users uploading files into their own dirs, why would you want to stop them from deleting them?

If you have 30-40 users or more, doing a script or daemon that checks all those directories will eat up the resources on your computer.

I still recommend you change their accounts and only allow scp for the users; that way they can't delete uploaded files.

They might be able to overwrite an uploaded file.

But this will only work if the users don't really have need of shell access.

Regards
/Hans - Erik Skyttberg
0
 

Author Comment

by:ijg0
ID: 8042199
I am thinking of going along with the script checking route. I don't think there should be much of a problem running the scripts and resources but this is something that I will need to check - I will set the time delay longer than 10 though.

heskyttberg - you mention using scp instead of shell access. This also seems a good idea. I don't know much about scp except for using it on the odd occasion. How can I do this (preventing ssh logon)?

I will try both methods and award the points to the best.

Thanks.

ijg0
0
 

Expert Comment

by:CleanupPing
ID: 9087836
ijg0:
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
EXPERTS:
Post your closing recommendations!  No comment means you don't care.
0
 
LVL 12

Expert Comment

by:paullamhkg
ID: 9260366
No comment has been added lately, so it's time to clean up this TA.
I will leave a recommendation in the Cleanup topic area that this question is to:

Points split between heskyttberg and AnhLePhuoc

Please leave any comments here within the next seven days.

PLEASE DO NOT ACCEPT THIS COMMENT AS AN ANSWER!

Paul
EE Cleanup Volunteer
0
