0

In our system, we have two users "admin" and "customer", customer is part of group customers. We need customer to only be able to execute certain programs which we've decided he's allowed to, and not read or write to any configuration files. Said programs can access configuration files, but customer cannot interact (read/write) with them directly. All relevant programs and config files, are stored inside admin.

I don't have much experience with Linux. So what I've tried is creating two programs, one that writes to file called WriteFile, and another which reads a file called ReadFile.

Both programs have the following permissions:

-rwx--x--- 1 admin customers ... ReadFile
-rw------- 1 admin customers ... config.txt
-rwx--x--- 1 admin customers ... WriteFile

This question gave me an idea of using setuid in ReadFile/WriteFile, but whenever I tried running setuid as customer setuid always returned -1.

With this question it seems like my only option is to give customer root access, which I don't really feel comfortable with.

Unless that's the only solution, is what I'm describing even possible? Thanks in advance.

JosefLintz
  • 1
  • 2
  • I miss a bit of the problem: what is wrong with the permissions you show? all 3 as you show now should not be editable or readable? Only executable. Mind that there is also the `-i` (immutable) it makes a file impossible to edit unless root https://askubuntu.com/questions/1198077/how-to-set-file-to-immutable-for-all-user-root-user-also-and-no-one-can-modify – Rinzwind May 24 '22 at 10:05
  • Right, I don't want customer to access the file. Unless he used ReadFile or WriteFile. The 2nd question I mentioned seems to be a fairly valid solution. I can give sudo permissions to customer for only a very specific file, without them needing to enter sudo passowrd. I still need to do some more tests, to ensure that this solution fits our case – JosefLintz May 24 '22 at 10:10

0 Answers0