Date:      Tue, 9 Jan 2007 16:22:49 +1030
From:      Malcolm Kay <malcolm.kay@internode.on.net>
To:        freebsd-questions@freebsd.org
Cc:        Garrett Cooper <youshi10@u.washington.edu>
Subject:   Re: Permissions advice needed.
Message-ID:  <200701091622.49355.malcolm.kay@internode.on.net>
In-Reply-To: <45A328DE.6000209@u.washington.edu>
References:  <60224D09909C0B43A50935A0893D8FF31DA320@srv.exchange.net24.net.nz> <200701091532.40944.malcolm.kay@internode.on.net> <45A328DE.6000209@u.washington.edu>

On Tue, 9 Jan 2007 04:02 pm, Garrett Cooper wrote:
> Malcolm Kay wrote:
> > On Tue, 9 Jan 2007 06:13 am, Brett Davidson wrote:
> >> I have a curious problem.
> >>
> >> I need an executable file to be owned by a user's uid and
> >> gid so they can run it.
> >
> > A user does not need to own a file to be able to run it. All
> > they need is execute permission. So what is the real
> > problem?
> >
> >> HOWEVER, I don't want them to be able to modify or delete
> >> the file and/or its permissions. Another program will do
> >> that.
> >
> > Deleting or creating a file requires write access in the
> > directory containing the file reference -- it has nothing to
> > do with the permissions on the file itself.
> >
> > Malcolm
> >
> >> This, under standard Unix permissions, is a tad difficult.
> >> :-)
> >>
> >> ACLs don't help here as the owner of a file has the
> >> ability to change permissions.
> >>
> >> I could set the immutable bit (Linux term for the schg
> >> flag) but the modifying program does not recognise this
> >> flag and will thus fail to modify the file.
> >> (I have no control over the modifying program).
> >>
> >> Any ideas?
> >>
> >> I don't want to go down the line of using BSD MAC but I'm
> >> starting to think I may have to just to be able to prevent
> >> the user from modifying ONE file! (I'm not even sure I
> >> could implement this using MAC anyway).
> >>
> >> Cheers,
> >> Brett.
>
> Make a specialized setuid script or program to do that, and
> set the sticky bit appropriately if you don't want them to
> have direct access to the file. Just make sure that others
> don't have access to the file.
>
> Why does he need access to aliases though? For mail program
> purposes? -Garrett

I think you may have mixed up two threads with very similar
subject lines. I see no reference to aliases in this thread.
(Confusing, isn't it?)

Malcolm
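
Added example, not part of the original thread: a small Python model of the rules discussed above (execute needs only the x bit, delete depends on the containing directory, chmod depends on ownership), evaluated from mode bits on a constructed temporary file. The names `class_bits`, `rights` and `demo` and the uid offset are hypothetical; ACLs, file flags such as schg, MAC policy, root's override and ancestor directories are deliberately not modelled.

```python
import os
import stat
import tempfile

def class_bits(st, uid, gids):
    """Return the rwx triplet that applies: owner, else group, else other."""
    if st.st_uid == uid:
        return (st.st_mode >> 6) & 7
    if st.st_gid in gids:
        return (st.st_mode >> 3) & 7
    return st.st_mode & 7

def rights(path, uid, gids=()):
    """What may (uid, gids) do to path, judged from mode bits alone?"""
    path = os.path.abspath(path)
    f = os.stat(path)
    d = os.stat(os.path.dirname(path))
    fbits = class_bits(f, uid, gids)
    dbits = class_bits(d, uid, gids)
    # Unlinking needs write+search on the directory, not on the file.
    can_delete = (dbits & 3) == 3
    # Sticky directory: only the file's or the directory's owner may unlink.
    if can_delete and d.st_mode & stat.S_ISVTX:
        can_delete = uid in (f.st_uid, d.st_uid)
    return {
        "execute": bool(fbits & 1),
        "modify": bool(fbits & 2),
        "delete": can_delete,
        "chmod": f.st_uid == uid,   # only the owner may change the mode
    }

def demo():
    """Constructed layout: one file, queried as its owner and as a stranger."""
    with tempfile.TemporaryDirectory() as d:
        prog = os.path.join(d, "prog")
        open(prog, "w").close()
        me = os.geteuid()
        other = me + 1000           # constructed uid, not the file's owner
        os.chmod(d, 0o755)
        os.chmod(prog, 0o555)
        out = {"owner": rights(prog, me), "non_owner": rights(prog, other)}
        os.chmod(d, 0o777)          # world-writable directory
        out["open_dir_delete"] = rights(prog, other)["delete"]
        os.chmod(d, 0o1777)         # same, with the sticky bit
        out["sticky_dir_delete"] = rights(prog, other)["delete"]
        return out

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```
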