Just a question: how exactly should the system differentiate between a user reading the file, and a user reading the file and saving the contents to a different file? That would only work if you could restrict the read permission to a certain program, and only that program, which isn't possible with AIX ACLs as far as I know.
Thanks for explanations. I understand what is your concern.
First, the file is not a text file(maybe compiled).
Second, I just restrict it to be used on this system only.
If a file can be read, it can be copied.
Simple.
If the file has read permission then the user with read permission can simply read the file and direct the output to another file, then they have a copy.
I do not think you can stop a file with read permission from being copied.
cat file > file2
Then you have a copy of file called file2.
Even if it is a bin file cat -vet file > file2 will probably make a usable copy.
How could you stop this?
Permissions and even acl will not help here.
You can hide in code of the program question of "uname-m", "pwd" "user" if something was changed you can prohibit the execution or performance of any act, for example, each rm itself.
Frankly, I have no experience about "Restricted Shell" before :(. Do you think it would be helpful to fulfill my demand? Could you please share some good example or point me to any helpful link?