I want to index some files and keep a registry as part of a utility I am writing in BASH. So, my tool would go to a massive directory and write some essential information about each file it finds there to another file that I would like to call "myregistry." The file would only be rewritten if the user asks it to - since going through a large file structure and "indexing" it this way would take considerable time.
I want this file to not show up when the user does ls in the directory where it is contained. In addition, I want the user to have no privileges with it at all - the user should not be able to open it up on vim or anything, not even to just look at it.
However, if the user executes my script again, I want the user to have the option of getting some information out of the file from there. I also want the script to have the permissions to look at the file and add or delete things from it, if the user prompts it to. But the user should not be able to do anything to it directly.
How can I do this? It would require using chmod but I have no idea how to put it together.
I'm thinking:
# Enable write permission
# Do Something - ensure that no one else is writing to this file
# Disable write permission
On Unix, you're more or less on an equal footing with other processes that run under the same user. Whatever you can do, they can do. If you can hide and unhide something, so can they. Interpreted scripts need read permissions to run, so it's not like you can hide any secrets in your executable. If you can however, distribute your software as a binary, you'll be able to run without being readable. Then you can hardcode a secret into the binary and use it to encrypt and decrypt files. Users will be able to run your binary, but only the superuser will be able to get the secret and decrypt your registry. That's real security (against regular (nonroot) users) (especially if you manage to create and embed the secret at installation time).
Playing with dotfiles and permissions won't fool any advanced user.
Something like this work? write_index and read_index are your work.
cd massive_dir
TFILE=$(mktemp --tmpdir=.)
write_index >$TFILE
mv -f $TFILE .index
chmod a-rw .index
To read
chmod +r .index
read_index .index
chmod -r .index
Note that no locking is needed because of the temp file. mv is atomic.
Related
I am working with the automated test suite of a software project. I have an automated test case that should verify that the code works correctly when a specific file is found, but the program does not have proper permission to read the contents of that file. This test case is currently working on Linux and macOS, but I am trying to get it to work on Windows as well.
The file is created by the test process, modified to have the read permission removed, and then the code tries to read the file, and the test verifies that the code fails in the expected way. After the test has run, the permissions are restored (if necessary), and the file is removed.
On Linux and macOS the read permission is removed by chmod 000 unreadable.txt, which makes the file unreadable by everyone (except root). I am trying to find a similar solution on Windows, where I can make this test file unreadable by the current user using command line tools, so the tested program can fail.
From my understanding, a command like icacls unreadable.txt /deny 'Everyone:(RC)' should have done the trick. icacls confirm the deny rule:
Everyone:(DENY)(Rc,S)
but I have nevertheless full access to read the file.
I've tried various incantations of calls to icacls and cacls, with different combinations of trying to explicitly denying for my specific user account, etc. All to no avail.
I'm starting to wondering, is is impossible in Windows to disallow the owner of a file from reading it?
Or, if it is possible, what is the command line I need to make the file unreadable by the owner?
I need to know if it is possible to create a read only directory from windows command line.
I know it is possible to use chmod and make files read only. But what I need is to create a folder and then immediately set it as read only upon creation. Trying to create new files inside this directory should then throw an error.
This can be done manually by modifying folder permissions using the gui. But, I need to do it from cmd for some tests.
I tried
attrib +r dirPath
But this only works for files and not for the whole directory.
Any help is appreciated.
EDIT:
A background to me problem. I need to test the behavior of a software that writes some text files. I want to test a use-case when I ask the software to write to a read only directory. I want to see I handle the exceptions correctly and inform users appropriately.
I want to make a shell script, which is executed when it is clicked on. I know you can do this with the Terminal command chmod u+x (filename) but I want to be able to send the file let's say by email or scp, and it should still be executed when clicked on by the new user.
I don't really think that is possible. The executability of the file is not an attribute within the file which tells the system to execute it. Its something you tell the system to do. I guess it is a security measure, regarding running maybe a risky command, lets say, rm -rf an important system folder.
I am the owner, as shown by ls -alts, but for whatever reason, I can't change the permissions of the files like I want. I want to make the file read only:
chmod 400 <file-name>
however, the ls -al still shows -rwxrwxrwx.
The file is on an external drive. I know that sometimes this causes issues when users want to read and write. However, in this case, I'd like to make the access to my files more restrictive not less restrictive.
I checked out this SO question but I don't see an option to make the permissions more restrictive.
thanks.
You can't change the permissions on the file because it's on a FAT32 volume, and that volume format does not support storing file permissions (see, for example, this askubuntu question). But if all you want to to is make the file read-only, you can get that effect by locking it (and the lock attribute is supported on FAT32). You can either use the Finder's Get Info window (check the "Locked" box), or use the command chflags uchg <file-name>.
I have a binary script along with a key file and required libs in a folder on my shell. There are 3 users on the shell currently whom I want to allow to run the binary script. Each user who runs it runs it as a separate instance/process. In order to start, the script is run by using an .sh file which specifies the location of the binary and its libs. For example, ./script.sh is the command.
I have the script currently in /home/script/user (will create also dir called /user2 for other user) where script is a new user I created for it. User runs the .sh from their homedir and then it automatically writes a config file in /home/script/user. I have been playing around with chmod because I don't want anyone to be allowed to steal the script or any of its contents inside the directory. To summarize, I only want users to be able to execute the binary and read the libs and key file as well as write their config to respective user directory in /home/script/. I don't want to allow them to delete, edit, copy, or download anything inside the /script directory. Currently only the binary can't be altered in anyway, but the key file and libs are able to be copied or downloaded. I couldn't figure out how to chmod the key and libs so that they can't be copied etc, only read to run binary successfully.
Please let me know how I can accomplish my permission goals and/or if there is another or easier way to do this. Thanks.
I believe you can achieve most of what you want with chmod and groups. So to allow a bunch of users to run a script you'd create a group, add them to it. Create a group and add users to it like this:
groupadd <groupname>
usermod -a -G <groupname> <username>
Then to make a file only executable by a group you'd run
chgrp <groupname> <file>
chmod g+x <file>
Unfortunately because of the way that chmod works you cannot allow a file to be read but not copied. This is because chmod works with read, write and execute permissions and if you can read you can copy.