From: "Brett Davidson" <brett@net24.co.nz>
Date: Wed, 10 Jan 2007 08:55:37 +1300
Cc: freebsd-questions@freebsd.org
Subject: RE: Permissions advice needed.

Unfortunately, as I expounded to Malcolm Lay, in this application (a shared-hosting webserver) suexec is being used, which does not traverse symbolic links. :-(

MAC_BSDEXTENDED in BSD 6.2 solves the problem very nicely.

Cheers,
Brett.

________________________________

From: George Vanev [mailto:george.vanev@gmail.com]
Sent: Tuesday, 9 January 2007 7:42 p.m.
To: Brett Davidson
Subject: Re: Permissions advice needed.

Brett,

Why don't you make a symbolic link to that file? You may set read, write and execute permissions if you wish... doesn't matter.
The users will be able to run your executable via the link, but they won't be able to modify it.

On 1/8/07, Brett Davidson wrote:

I have a curious problem.

I need an executable file to be owned by a user's uid and gid so they can run it. HOWEVER, I don't want them to be able to modify or delete the file and/or its permissions. Another program will do that.

This, under standard Unix permissions, is a tad difficult. :-)

ACLs don't help here as the owner of a file has the ability to change permissions.

I could set the immutable bit (Linux term for the schg flag) but the modifying program does not recognise this flag and will thus fail to modify the file. (I have no control over the modifying program).

Any ideas?

I don't want to go down the line of using BSD MAC but I'm starting to think I may have to just to be able to prevent the user from modifying ONE file! (I'm not even sure I could implement this using MAC anyway).

Cheers,
Brett.

--
George Vanev
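
The constraint discussed in this thread (a file owned by the user can always be re-permissioned by that user, and schg blocks the updater as well) can be checked mechanically. The sketch below is an added example, not code from the thread: `Meta`, `dir_writable_by` and `owner_tamper_paths` are hypothetical names, the sample metadata is constructed, and the model covers only classic mode bits and the schg flag, not ACLs or MAC policy.

```python
import stat
from collections import namedtuple

# Constructed stand-in for the os.stat_result fields used below
# (st_uid, st_gid, st_mode, st_flags).
Meta = namedtuple("Meta", "uid gid mode flags")


def dir_writable_by(uid, gids, d):
    """Mode-bit check: does uid have write+search on directory d?"""
    if d.uid == uid:
        bits = d.mode >> 6      # owner triad
    elif d.gid in gids:
        bits = d.mode >> 3      # group triad
    else:
        bits = d.mode           # other triad
    return bits & 0o3 == 0o3    # both w (2) and x (1) set


def owner_tamper_paths(f, d, gids=()):
    """List the ways the owner of file f, stored in directory d, can alter it."""
    if f.flags & stat.SF_IMMUTABLE:
        # schg stops the owner, but equally stops an updater that
        # does not clear the flag first.
        return []
    # The file's owner may always chmod it, whatever the current mode is.
    paths = ["chmod u+w, then rewrite contents"]
    if d.uid == f.uid:
        paths.append("unlink/replace via a directory the user owns")
    elif dir_writable_by(f.uid, gids, d):
        # A sticky bit does not help: the file's owner may still delete it.
        paths.append("unlink/replace via the writable directory")
    return paths


if __name__ == "__main__":
    exe = Meta(uid=1001, gid=1001, mode=0o100555, flags=0)   # r-xr-xr-x, user-owned
    root_dir = Meta(uid=0, gid=0, mode=0o40755, flags=0)     # root-owned directory
    print(owner_tamper_paths(exe, root_dir))
```

Even in the best case under standard permissions (read-only mode, root-owned directory) one path remains, which is why the thread ends up at a MAC policy.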