Can an ACL grant/deny access only for a specific command?

Dear AIX/UNIX experts:

I need to restrict a file from being copied by others, but this file must still be readable by others/applications.

As far as I have tried, the chmod command cannot fulfill this requirement, but I am not sure whether an ACL can achieve this or not.

Could anybody give me your valuable advice?

Thanks a lot!

David

Check this link:

http://en.wikipedia.org/wiki/File_system_permissions

If you want to achieve this, give read permission to all:

chmod 444 filename

For full permission to the user and read permission to others and group:

chmod 744 filename

Hi amitranjansahu,

Thanks for your response.

Your solution would allow the other user to copy the file!

What I want is: allow the other user to read the file but restrict them from copying it.

Just a question: how exactly should the system differentiate between a user reading the file, and a user reading the file and saving the contents to a different file? That would only work if you could restrict the read permission to a certain program, and only that program, which isn't possible with AIX ACLs as far as I know.

Hi Pludi,

Thanks for the explanation. I understand what your concern is.
First, the file is not a text file (maybe compiled).
Second, I just restrict it to be used on this system only.

Thanks!

If a file can be read, it can be copied.
Simple.
If the file has read permission then the user with read permission can simply read the file and direct the output to another file, then they have a copy.
I do not think you can stop a file with read permission from being copied.
cat file > file2
Then you have a copy of file called file2.
Even if it is a bin file, cat -vet file > file2 will probably make a usable copy.
How could you stop this?
Permissions and even ACLs will not help here.

devyfong, have you tried a restricted shell?

You can hide checks of "uname -m", "pwd" and "user" in the code of the program; if something was changed, you can prohibit the execution or the performance of any action, for example, rm itself.
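
The environment check suggested in the post above, sketched as a shell wrapper. This is an added example, not code from the thread; the function names, the binding file, and the use of `uname -n` and `id -u` for the host and user are assumptions.

```shell
#!/bin/sh
# Added example: refuse to start a program when the environment differs
# from the one recorded at install time. All names here are hypothetical.

# Fingerprint built from the values named in the post: machine type
# (uname -m), working directory (pwd) and the calling user (numeric uid).
# The node name (uname -n) is an extra field assumed for this sketch.
env_fingerprint() {
    printf '%s|%s|%s|%s\n' "$(uname -m)" "$(uname -n)" "$(pwd -P)" "$(id -u)"
}

# Install time: store the fingerprint in file $1, readable by the owner only.
record_binding() {
    ( umask 077; env_fingerprint > "$1" )
}

# Run time: succeed only if file $1 exists and matches the current environment.
check_binding() {
    [ -r "$1" ] || return 1
    [ "$(cat "$1")" = "$(env_fingerprint)" ]
}

# Run the command given after the binding file only when the check passes.
run_if_bound() {
    binding_file=$1
    shift
    if check_binding "$binding_file"; then
        "$@"
    else
        echo "refusing to run: environment differs from the recorded one" >&2
        return 1
    fi
}

# Demo with a constructed binding file in a temporary location.
demo_file="${TMPDIR:-/tmp}/binding_demo.$$"
record_binding "$demo_file"
run_if_bound "$demo_file" echo "environment matches, program would start"
rm -f "$demo_file"
```

Anyone who can read the wrapper or the program can see the check and remove it from their copy, so this limits casual reuse on another system but does not stop the file from being copied.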

Hi Corleone,

Frankly, I have no experience with "Restricted Shell" :(. Do you think it would help to fulfill my demand? Could you please share a good example or point me to a helpful link?

Thanks a lot.
David