6

A text file is situated in /opt/somefolder. It contains a login-password pair read by an application when authenticating to a server. The application is run by a regular user, so the file can also be read by a regular user. The question is whether there is a way to restrict anyone but root and the application from reading the file.

Vilican
Evgeny

1 Answer

4

Create a new user called X. Make the file only readable by X. Change ownership of the app file to X and make it setuid. Now only the app and root can access the file.

Neil Smithline
  • 2
    Why SETUID? Shouldn't `chown`ing and `chmod 0600`ing the file do the trick? – StackzOfZtuff Dec 10 '15 at 07:14
  • Classically, have the data owned by X readable only by owner, and the **application** SUID to X but *executable* by the desired user(s). This only works for a 'native' app; apps using interpreters like Java, python, perl/php need the *interpreter* SUID-to-X and that's usually too big a hole. On modern systems, instead use `sudo` to let the desired user(s) run the application as X, but not do anything else as X. – dave_thompson_085 Dec 10 '15 at 09:40
  • @stackzofstuff - I meant setuid the app. Clarified answer. – Neil Smithline Dec 10 '15 at 15:07
  • @dave_thompson_85 - I still think you can use setuid. You could put it on a script that calls the interpreter. If user X only has permission for accessing the one file, it's not a security problem. – Neil Smithline Dec 10 '15 at 15:10
  • Thank you! By the way, the output generated by the application belongs to the setuid'ed user, so it cannot be deleted by the user that started the application. It looks like it is enough to read the output files, but the ability to delete old output files would be great as well. – Evgeny Dec 12 '15 at 10:49
  • 1
    You can try playing around with [seteuid](http://man7.org/linux/man-pages/man2/seteuid.2.html) @Evgeny. That will change the UID of the app back to the calling user's UID. You must open the protected file before calling seteuid so the order should be: app starts, app opens protected file, app sets EUID back to real UID. Google `effective real UID` for more info. – Neil Smithline Dec 12 '15 at 15:33
  • @NeilSmithline, what do you think of the following? 1. The real user running the app and the owner of the app are added to a new group. 2. Create a directory for the output. 3. Change permissions for the output directory so that members of the group from step 1 can write to this directory (i.e. rwx). 4. Run the app. Steps 2-4 are repeated for every input. The output directory can be read and written to by the real user. This is what was meant to be achieved. However, the solution seems a bit clumsy. What is more, it is not obvious that the solution will work for all Linux distributions. – Evgeny Mar 23 '16 at 22:39
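The order described in the comments above (app starts, opens the protected file, then returns to the calling user's UID), as an added C example that is not part of the original thread. It assumes Linux/glibc and a binary owned by X with the setuid bit set; the file name `credentials.txt` is hypothetical, and `setresuid` is used in place of `seteuid` so that the saved set-user-ID is reset as well.

```c
#define _GNU_SOURCE          /* setresuid/getresuid are Linux/glibc extensions */
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Open the protected file with the set-user-ID identity, then give that
 * identity up for good. Returns an open read-only fd, or -1 on failure. */
int open_then_drop(const char *path)
{
    uid_t ruid = getuid();   /* the user who started the program */

    /* Step 1: open while the effective UID is still the file's owner.
     * O_CLOEXEC keeps the descriptor out of any child process;
     * O_NOFOLLOW refuses a symlink planted at the path. */
    int fd = open(path, O_RDONLY | O_CLOEXEC | O_NOFOLLOW);

    /* Step 2: drop privileges whether or not the open worked.
     * seteuid(ruid) alone leaves the saved set-user-ID equal to the owner,
     * so the process could switch back; setresuid resets all three IDs. */
    if (setresuid(ruid, ruid, ruid) != 0) {
        if (fd >= 0) close(fd);
        return -1;
    }

    /* Step 3: verify the drop instead of trusting the return value alone. */
    uid_t r, e, s;
    if (getresuid(&r, &e, &s) != 0 || r != ruid || e != ruid || s != ruid) {
        if (fd >= 0) close(fd);
        return -1;
    }
    return fd;   /* the already-open descriptor keeps working after the drop */
}

int main(int argc, char **argv)
{
    /* Hypothetical default path; the page only gives /opt/somefolder. */
    const char *path = argc > 1 ? argv[1] : "/opt/somefolder/credentials.txt";
    int fd = open_then_drop(path);
    if (fd < 0) { perror("open_then_drop"); return EXIT_FAILURE; }

    char buf[256];
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n < 0) return EXIT_FAILURE;
    printf("read %zd bytes; files created from here on belong to uid %d\n",
           n, (int)getuid());
    return EXIT_SUCCESS;
}
```

Because every file created after the drop is owned by the invoking user, that user can delete old output without any shared group or writable directory owned by X.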