Web lists-archives.com

Re: How to set access permissions to protect a database file?




On 2019-05-26 05:32, David Christensen wrote:
On 5/25/19 8:12 PM, mick crane wrote:
On 2019-05-26 00:49, Markos wrote:
Hi,

I made a program (reading_room.tcl), with Sqlite running on Debian 9,
to control the books of a reading room.

I implemented an authentication system for common users and
administrator users in the reading_room program.

Now I want that any user logged in the Linux be able to run the
program reading_room.tcl, which will access the database (books.db)

But I want to protect the file books.db so that only the the program
reading_room.tcl can access the books.db file. But that no user could
delete or write to the file books.db (only the program
reading_room.tcl)

Please, how can I configure the system to do that?

How to define the permissions?

I'll have a go, sure I'll get pulled up if off.

read 4, write 2, execute 1?? add these together for permissions
owner, group, anybody

I never did anything on a PC with other people having access so I never made a file only executable by anybody but I don't see why not.
As you wrote reading_room.tcl presume that belongs to you.
I don't know anything about tcl as yet but assume it's executable as it is and does something. You may have a group librarians that want to have read/write access to reading_room.tcl
Assume you have backups of the files.
guess books.db wants to be 644
"su -"
"chmod 644 books.db"
 ??or if the librarians want write access to it.
"chown you.librarians books.db"
"chmod 664 books.db"

"chown you.librarians reading_room.tcl"
"chmod 771 reading_room.tcl"

mick


I don't believe there is a solution using just read, write, and mode
bits and group membership.  (Perhaps, there is a solution if you also
use access control lists?)


Suppose I have a Perl script "shared-program.pl" (sorry, I don't know
TCL) that reads a line from the terminal, lower cases the line, and
then writes the line to the terminal.  If the line contains the word
"write', the line is also written to a data file "shared-program.dat":

2019-05-25 20:31:43 dpchrist@tinkywinky ~
$ ll sandbox/perl5/shared-program.pl
-rwxr-xr-x 1 dpchrist dpchrist 267 2019-05-25 20:31:35
sandbox/perl5/shared-program.pl*

2019-05-25 20:31:49 dpchrist@tinkywinky ~
$ cat sandbox/perl5/shared-program.pl
#!/usr/bin/env perl
use strict;
use warnings;
use FindBin	qw( $Bin );
use File::Slurp;
use constant DATAFILE => "$Bin/shared-program.dat";
print "$0 >";
my $line = <>;
$line = lc $line;
write_file(DATAFILE, {append => 1}, $line)
    if $line =~ /write/;
print $line;


If I run the program as the owner, it works as expected:

2019-05-25 20:34:01 dpchrist@tinkywinky ~
$ sandbox/perl5/shared-program.pl
sandbox/perl5/shared-program.pl >Hi, Dave!
hi, dave!

2019-05-25 20:34:15 dpchrist@tinkywinky ~
$ sandbox/perl5/shared-program.pl
sandbox/perl5/shared-program.pl >write Bye, Dave!
write bye, dave!

2019-05-25 20:35:09 dpchrist@tinkywinky ~
$ ll sandbox/perl5/shared-program.dat
-rw-r--r-- 1 dpchrist dpchrist 17 2019-05-25 20:35:09
sandbox/perl5/shared-program.dat

2019-05-25 20:35:22 dpchrist@tinkywinky ~
$ cat sandbox/perl5/shared-program.dat
write bye, dave!


The mode of 755 on the script allows other group members and all other
users to run the script:

tinkywinky@tinkywinky:~$ /home/dpchrist/sandbox/perl5/shared-program.pl
/home/dpchrist/sandbox/perl5/shared-program.pl >Hello, Tinky Winky!
hello, tinky winky!


But, if I clear the world read bit on the script:

2019-05-25 20:35:24 dpchrist@tinkywinky ~
$ chmod o-r sandbox/perl5/shared-program.pl

2019-05-25 20:38:08 dpchrist@tinkywinky ~
$ ll sandbox/perl5/shared-program.pl
-rwxr-x--x 1 dpchrist dpchrist 267 2019-05-25 20:31:35
sandbox/perl5/shared-program.pl*


Other users are not able to run the script because the Perl
interpreter cannot read the script:

tinkywinky@tinkywinky:~$ /home/dpchrist/sandbox/perl5/shared-program.pl
Can't open perl script
"/home/dpchrist/sandbox/perl5/shared-program.pl": Permission denied


(It might be possible for other users to run binary programs with just
the world execute bit set?)


So, the world mode needs to be read+execute for other users to run
scripts they do not own:

2019-05-25 20:59:32 dpchrist@tinkywinky ~
$ chmod o=rx sandbox/perl5/shared-program.pl

2019-05-25 21:05:53 dpchrist@tinkywinky ~
$ ll sandbox/perl5/shared-program.pl
-rwxr-xr-x 1 dpchrist dpchrist 267 2019-05-25 20:31:35
sandbox/perl5/shared-program.pl*

tinkywinky@tinkywinky:~$ /home/dpchrist/sandbox/perl5/shared-program.pl
/home/dpchrist/sandbox/perl5/shared-program.pl >Blah Blah Blab
blah blah blab


Focusing on the data file, let's add the other user to the file's group:

2019-05-25 20:49:08 root@tinkywinky ~
# usermod -a -G dpchrist tinkywinky

2019-05-25 20:50:33 root@tinkywinky ~
# grep dpchrist /etc/group | grep tinkywinky
dpchrist:x:13250:tinkywinky


Log out and log in again as the other user to obtain the new group membership.


Enable the group write bit on the data file:

2019-05-25 21:09:45 dpchrist@tinkywinky ~
$ chmod g+w sandbox/perl5/shared-program.dat

2019-05-25 21:11:50 dpchrist@tinkywinky ~
$ ll sandbox/perl5/shared-program.dat
-rw-rw-r-- 1 dpchrist dpchrist 17 2019-05-25 20:35:09
sandbox/perl5/shared-program.dat


Now the script can write to the data file when the script is run by
other users in the same group:

tinkywinky@tinkywinky:~$ /home/dpchrist/sandbox/perl5/shared-program.pl
/home/dpchrist/sandbox/perl5/shared-program.pl >write Yada Yada
write yada yada

tinkywinky@tinkywinky:~$ cat /home/dpchrist/sandbox/perl5/shared-program.dat
write bye, dave!
write yada yada


But, those other user can also trash the data file directly:

tinkywinky@tinkywinky:~$ echo "Muahahahahaha"  >
/home/dpchrist/sandbox/perl5/shared-program.dat

tinkywinky@tinkywinky:~$ cat /home/dpchrist/sandbox/perl5/shared-program.dat
Muahahahahaha


This is situation the OP wants to avoid.


David

well that would be people in the supposedly trustworthy librarians group. I did wonder if executable file would have to world readable as well as executable but possibly there might be passwords in it, however that works.
mick@slinky:~$ ls -la test1
---x--x--x 1 mick mick 25 May 26 05:56 test1
mick@slinky:~$ ./test1
/bin/bash: ./test1: Permission denied

seems tcl files can be made self contained executable so that might get over it being readable.

mick


--
Key ID    4BFEBB31