2

Is it possible in OS X (Assume 10.7+) to disable execution of any file (even files in subdirectories) of a specified folder?

I don't mean with chmod, but with some kind of security framework. Ideally there would be some way to apply a policy to a folder that would affect all children.

Imagine:

/path/to/folder/: <- policy applied here
    file_a
    subfolder_a/:
        file_b
        subfolder_b/:
            file_c

None of file_a, file_b, or file_c would be able to be executed.

For some background, I'm trying to disallow users from running any programs under their home directory.

korylprince
  • I believe permissions and chmod are the "security framework" you're looking for... and the foundation of security on *nix based OSs. – Krista K Jan 14 '14 at 12:42

2 Answers

2

You may want to use an Access Control List because they provide inheritance and more fine grained control...

The following has NOT been tested in production. YMMV

Prevent the user from giving herself back the right:

chmod +a "user:jane deny writesecurity,directory_inherit" /path/to/folder

Deny execution right for all files already contained in /path/to/folder

chmod -R +a "user:jane deny execute" /path/to/folder/

Deny execution right for all files not yet contained in /path/to/folder

chmod +a "user:jane deny execute,file_inherit" /path/to/folder/

Details here: Apple man page for chmod

0

You can accomplish this via nuances of owner and group permissions. From my understanding, OSX is linux-like?

If you don't care if users can create files or folders you can chown all the files to a user other than them, which prevents them from being able to chmod themselves execution permission. If the files are 664 root:users and the user is in the users group, they can edit the file at will.

To prevent the user from creating a file (and thus owning it and being able to chmod it 7xx), you can chown the directories to a different user, say chown staff:users directory. For this, you need a "staff" user. You could chmod 555 (or 551 or 550) the directories and 664 the files. But that's not very usable... dirs need to be executable to cd to them, readable to ls them, and writable to create or delete files and subfolders. This policy is somewhat draconian.

Or make chmod and chown such that normal users cannot run them to make their own files executable. Someone in "staff" group can use it but not general users, which is an ok compromise:

# From:
/bin$ ls -alh ch*
-rwxr-xr-x 1 root root 59K Jan 26  2013 chgrp
-rwxr-xr-x 1 root root 55K Jan 26  2013 chmod
-rwxr-xr-x 1 root root 63K Jan 26  2013 chown

# To:
/bin$ ls -alh ch*
-rwxrwx--- 1 root staff 59K Jan 26  2013 chgrp
-rwxrwx--- 1 root staff 55K Jan 26  2013 chmod
-rwxrwx--- 1 root staff 63K Jan 26  2013 chown

Research using umask to see if there's a way you can prevent users from creating a file with execute permissions set, which when combined with the above file permissions, can do away with the silly ownership of their directories.

Pay attention to cascading effects when playing with permissions and try to envision all ways something can go wrong or be defeated. Hack yourself to see what happens.

The best flexibility is combining some of the above with careful use of the owner and group "sticky" bits. They can be set so that when users create files or directories, they "stick" with the inherited ownership. I do this with the shared RAID on our Samba server so my Windows people have a proper experience.


The find command is a powerful tool to help do the above:

Change all subdirs from 500 to 770 permissions (to repair a previous chmod -R screw up):

find . -type d -perm 500 -print0 | xargs -0 chmod 770

Change all files below (and subdirs) with permissions 644 to 664, which gives group permission to edit files: awesome for web server files edited from Windows on a Samba share:

find . -type f -perm 644 -print0 | xargs -0 chmod 664
Krista K
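An added example, not part of either answer: a POSIX shell audit built on the find approach above that counts regular files carrying any execute bit under a folder and strips those bits, while leaving directories alone so they stay traversable. The function names are hypothetical, and the octal -perm tests are used because both BSD (OS X) and GNU find accept them.

```shell
#!/bin/sh
# Added example: audit and remove execute bits on regular files only.
# Function names are hypothetical, not from the original answers.

# Print each regular file under $1 with an execute bit for owner, group or other.
list_exec_files() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) -print
}

# Count the same files. One byte is emitted per match, so names that
# contain spaces or newlines cannot skew the count.
count_exec_files() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
        -exec printf x \; | wc -c | tr -d ' '
}

# Remove every execute bit from matching regular files.
# -type f skips directories (they need x to be entered) and symlinks.
strip_exec() {
    find "$1" -type f \( -perm -100 -o -perm -010 -o -perm -001 \) \
        -exec chmod a-x {} +
}

# Stand-alone use: sh audit.sh /path/to/folder
if [ "$#" -eq 1 ]; then
    echo "executable files before: $(count_exec_files "$1")"
    list_exec_files "$1"
    strip_exec "$1"
    echo "executable files after: $(count_exec_files "$1")"
fi
```

This only corrects mode bits at the moment it runs; a user who owns a file can set them again unless ownership or an ACL such as the ones in the answers above prevents it, so it is useful as a recurring check.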