Operating System - HP-UX

Question on directory security

SOLVED

We have a Dev+test box and a prod box

This box was, at the time, available to them for production problems, as well as to check the logs, which are located in each system's directory.

We're trying to move to a more secure environment, in which the dev team doesn't have access to the prod data.. The problem is, they need to check the log files regularly.

SetGID is set on each directory of each system.. So the log files inherit the group permissions.

What I'd like to do is to create a user for the prod box which would give them only access to the log files.

Would it be possible to set something similar to the GroupID bit, but for a user, let's say "logviewer"? So each log that would be created would have its security set to the user logviewer.

I hope I'm clear enough with this..

Please ask questions if not..

Thanks!!

Michael Steele_2
Honored Contributor

Re: Question on directory security

Hi Marie:

Going your way, "..new user who can only read a logfile..." you can try making a soft link of the logfile into the new user's home directory with read-only permissions and appropriate ownership. Ownership may be an issue since changing the ownership on the soft link may also change the ownership on the original log file. So work with it.

# ln -s /dir/logfile /home/logfile_2
(* note: I believe you need a new name or you'll get an error *)

# chown newuser:group logfile_2
# chmod 400 logfile_2

-or-

if ownership becomes a problem try just changing the permissions with chmod:

# chmod 004 logfile_2
Support Fatherhood - Stop Family Law
Raj D.
Honored Contributor

Re: Question on directory security

Marie,

You can make the logfile directory read-only, so that they can read but cannot modify. Use chmod to do this:

# chmod o-xw logdir
# chmod o+r logdir

And make sure those users are "other" users (i.e. not the owner or group of the log directory).


Cheers,
Raj.
" If u think u can , If u think u cannot , - You are always Right . "
KapilRaj
Honored Contributor

Re: Question on directory security

I would NFS mount the logs directory [on prod] onto the DEV+TEST box as 'readonly'. I will not create an account on the prod box. The dev team will log in to the DEV+TEST box to check the logs.

Regards,

Kaps
Nothing is impossible
Raj D.
Honored Contributor

Re: Question on directory security

Marie,

As you mentioned,

"What I'd like to do is to create a user for the prod box which would give them only access to the log files."


You can create a user very well, and restrict the access using sudo (if you already have it) or by using a restricted shell (rsh), and by giving permission only to the "logdir" directory, where the logfiles are.

Cheers,
Raj.



" If u think u can , If u think u cannot , - You are always Right . "
Raj D.
Honored Contributor
Solution

Re: Question on directory security

Marie,

With rsh you can only give those users permission to read the logfiles from the logdir.

The restricted shell environment presumes that the commands you want a user to be able to execute are available in his/her PATH. In particular, a user cannot specify a command with '/' at its beginning, 'cd' to a directory; nor can they set their PATH variable.

As for seeing that a user has the permission to execute a particular command, that is governed by the ownership and permissions of the executable and by the ability of the user to search the directory containing the command!

And thus it will maintain the secure environment as well.


Enjoy and Cheers,
Raj.


" If u think u can , If u think u cannot , - You are always Right . "

Re: Question on directory security

Thanks to all..
rsh did the trick.. I created users for each system's logs..

links couldn't do it because each day log is a new name..

chmod 777 on a directory couldn't do it either, because of the security on the files themselves.

Thanks to all!
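Raj's chmod suggestion and Marie's closing note that chmod 777 on the directory was not enough come down to the same point: whether the viewers can open a log is decided by each file's own mode bits, not by the directory. The following POSIX shell script is an added example, not from this thread or from HP; it audits a log directory for files the viewers' group cannot read or could modify and fixes them, with the directory layout and file names constructed for the demo.

```sh
#!/bin/sh
# Added example, not from the thread. It checks the failure Marie ran into:
# opening up the directory alone does not help when the log files themselves
# carry no read bit for the viewers. Assumes the viewers are members of the
# directory's group, the group the setgid bit propagates to each new log.

# List regular files under $1 that members of the directory's group cannot read.
unreadable_by_group() {
    find "$1" -type f ! -perm -040
}

# List regular files under $1 that members of the group could modify.
writable_by_group() {
    find "$1" -type f -perm -020
}

# Give the group read-only access to every existing log. Succeeds only when
# nothing remains unreadable or writable by the group afterwards.
make_group_readonly() {
    find "$1" -type f -exec chmod g+r,g-w {} + &&
    [ -z "$(unreadable_by_group "$1")$(writable_by_group "$1")" ]
}

# Build a constructed log directory: setgid (the 2 in 2750) so new logs take
# the directory's group; group r-x so viewers may list and open files but not
# create or delete them. File names stand in for the per-day logs.
make_demo_dir() {
    dir=$(mktemp -d) || return 1
    chmod 2750 "$dir"
    : > "$dir/app.day1.log"; chmod 640 "$dir/app.day1.log"   # group can read
    : > "$dir/app.day2.log"; chmod 600 "$dir/app.day2.log"   # group cannot read
    : > "$dir/app.day3.log"; chmod 660 "$dir/app.day3.log"   # group could modify
    printf '%s\n' "$dir"
}

# Stand-alone run: sh this_script.sh demo
if [ "${1-}" = demo ]; then
    d=$(make_demo_dir) || exit 1
    echo "not readable by group:"; unreadable_by_group "$d"
    echo "writable by group:";     writable_by_group "$d"
    make_group_readonly "$d" && echo "fixed: group now has read-only access"
    rm -rf "$d"
fi
```

Run against a real log directory, the two list functions are the check to schedule after each day's log rotation, since a rotated file created with a tight umask shows up as unreadable even though the directory is fine.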