Is there a way to restrict a user (owner) to execute scripts from a specific directory

Hello,

I have a user Bob on a RHEL 7 server (server1), where his script area is "/home/Bob/scripts/" and he is the owner of this directory.
On server1, there is an NFS mount from another server (server2), with the path "/global/work/", and Bob is the owner of this directory on server2 too (same UID and GID on both servers).

Now, per policy, "/global/work/" on server1 is for reference purposes only, and no scripts should be executed from there, because those are supposed to be executed from server2 only.

So how can I restrict Bob, the owner of both, from running any shell script from "/global/work" on server1, while allowing him to do all other work as normal?

PS: I have access to edit his profile files.

Thanks!

Perhaps too easy a solution.

If you do not need to execute any scripts in "/global/work/" on server1, you can change the permissions and remove the "x" (execute) permission using chmod.

Keep in mind that this script is not executable:

ls -l test.sh
-rw-r--r--  1  owner  wheel  0 Oct 25 10:41 test.sh

this script is executable by anyone:

chmod 755 test.sh
ls -l test.sh
-rwxr-xr-x  1 owner   wheel  0 Oct 25 10:41 test.sh

Hope this quick reply is helpful or useful.

How about mounting the NFS share read-only / noexec on the reference server?
The user will still be able to execute the script in that directory/mountpoint using bash script.sh.
Read-only would stop writes on that same filesystem, if that helps.

Even if you do all possible magic, shell access and permissions would still allow user Bob to copy / change / execute the shell code on server1.

Actually, I cannot think of a way to stop user Bob from being Bob in your use case, no matter which server is in question.
Perhaps someone else here has some bright idea :)

Hope that helps
Regards
Peasant.

This is not a stated requirement of the original poster (OP).

The OP only stated he wanted to have files in a directory which are not executable because they are for reference only.

The user "Bob" already has access to executable copies, per the OP.

Mounting with noexec can prevent an accidental run of an executable.
E.g. when clicking on an executable script in a file manager, it might open it in a text editor.

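The behaviour the two answers above describe (removing the "x" bit stops direct execution, but "bash script.sh" still runs the file, so noexec only guards against accidental runs) can be reproduced without root, as an added example that is not code from the thread. The fstab line in the comment and the temporary directory standing in for /global/work are assumptions made for illustration:

```shell
#!/bin/sh
# Added example, not code from the thread. Shows why removing the execute bit
# (or mounting with noexec) stops "./script.sh" but not "sh script.sh":
# the second form only needs read access to the file.
#
# The fstab line a read-only, noexec NFS mount would use on server1 is an
# assumption for illustration (server2 and the path are the OP's):
#   server2:/global/work  /global/work  nfs  ro,noexec,nosuid,nodev  0 0
#
# A temporary directory stands in for /global/work (assumption); chmod 644
# reproduces the no-execute condition without needing root to mount anything.

set -u

# Creates a non-executable script, runs it both ways and prints the two exit
# statuses, e.g. "direct=126 interp=0" (126 = found but not executable).
demo_exec_modes() {
    work=$(mktemp -d)
    printf '#!/bin/sh\necho "hello from %s"\n' "$work" > "$work/test.sh"
    chmod 644 "$work/test.sh"   # -rw-r--r--: no "x" bit, as in the chmod answer

    # Direct invocation goes through execve(), which needs the x bit and a
    # mount without noexec. Wrapped in "if" so the expected failure does not
    # abort the script under "set -e".
    if "$work/test.sh" >/dev/null 2>&1; then
        direct_rc=0
    else
        direct_rc=$?
    fi

    # Handing the file to an interpreter only reads it: this is the
    # "bash script.sh" bypass, and neither chmod nor noexec stops it.
    if sh "$work/test.sh" >/dev/null 2>&1; then
        interp_rc=0
    else
        interp_rc=$?
    fi

    rm -rf "$work"
    printf 'direct=%s interp=%s\n' "$direct_rc" "$interp_rc"
}

demo_exec_modes
```

On the real server1, `findmnt -o TARGET,OPTIONS /global/work` shows whether the mount actually carries ro and noexec; the interpreter path above will still work regardless, which is the point Peasant makes.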

Finally, we pushed the change and it worked! Thank you.