2

Help me to learn if this scenario is doable using Linux. I want to secure the access to a system path called "/mnt/data".

System user restrictions:

  • 'daemon_user': read/write access.
  • 'read_user': only read.
  • 'appender_user': add files but NOT delete or overwrite existing ones.

'daemon_user' constantly creates new files so the "do not delete/overwrite" restriction has to apply for the new files created as well.

Note: Initially I ruled out using 'chattr' since that applies to all users, including root. I don't want that level of restriction.

3
  • Could you describe the real problem? xyproblem.info Commented Jun 8, 2020 at 14:58
  • Sure, I want to prevent "appender_user" from being able to replace files at "/mnt/data". "/mnt/data" files are created and used by "daemon_user" and if "appender_user" gets to replace a single file we potentially lose data. Commented Jun 8, 2020 at 15:02
  • What are your requirements for performance and POSIX compatibility? Commented Jun 9, 2020 at 13:26

1 Answer

1

You can implement daemon_user and read_user with POSIX extended ACLs (getfacl, setfacl, chmod, chown). For appender_user you can use the append attribute (chattr +a filename, lsattr), but this would limit all users.

Another way to implement this is to use a service that limits the access to those files. E.g. you share the files with Samba and you use Windows ACLs that have an append-only attribute.

Another way to implement appender_user is to create a SELinux targeted policy. See how httpd_sys_ra_content_t was implemented.

2
  • "For appender_user you can use append attribute (chattr +a filename, lsattr), but this would limit for all users." -> tested this but it's too restrictive, it affects the "daemon_user" and the setup doesn't work. Commented Jun 8, 2020 at 15:04
  • You might need to write a SELinux policy to achieve this. Commented Jun 8, 2020 at 18:43
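
The ACL part of the answer above (daemon_user read/write, read_user read-only, inherited by new files), as an added example that is not code from the answer. The function names and the SETFACL dry-run override are assumptions made for illustration; appender_user is deliberately left out because the answer handles it with chattr +a or SELinux rather than ACLs.

```shell
#!/bin/sh
# Added example: function names and the SETFACL override are assumptions.
# appender_user gets no entry here: the answer covers it with chattr +a or SELinux.

# apply_data_acls DIR RW_USER RO_USER
# Set SETFACL=echo for a dry run that prints the arguments instead of applying them.
apply_data_acls() {
    [ "$#" -eq 3 ] || { echo "usage: apply_data_acls DIR RW_USER RO_USER" >&2; return 2; }
    dir=$1; rw_user=$2; ro_user=$3
    run=${SETFACL:-setfacl}
    # Access ACL on the directory itself.
    "$run" -m "u:${rw_user}:rwx,u:${ro_user}:r-x" "$dir" || return 1
    # Default ACL: copied onto files and subdirectories created later, so the
    # files daemon_user keeps creating stay readable by read_user.
    "$run" -d -m "u:${rw_user}:rwx,u:${ro_user}:r-x" "$dir" || return 1
    # Content that already exists. X grants execute only on directories
    # (and on files that are already executable).
    "$run" -R -m "u:${rw_user}:rwX,u:${ro_user}:r-X" "$dir" || return 1
}

# acl_missing RW_USER RO_USER < getfacl-output
# Prints each expected entry that is absent and returns 1 if any is.
# A line carrying "#effective:" (mask narrower than the entry) does not
# match, so a permission reduced by the mask is reported too.
acl_missing() {
    rw_user=$1; ro_user=$2
    acl=$(cat); rc=0
    for want in "user:${rw_user}:rwx" "user:${ro_user}:r-x" \
                "default:user:${rw_user}:rwx" "default:user:${ro_user}:r-x"; do
        printf '%s\n' "$acl" | grep -qxF -e "$want" || { echo "missing: $want"; rc=1; }
    done
    return "$rc"
}

# Typical use, as root or the directory owner:
#   apply_data_acls /mnt/data daemon_user read_user
#   getfacl /mnt/data | acl_missing daemon_user read_user
```

Run the check again after any chmod on the directory, since chmod rewrites the ACL mask and can silently narrow the named-user entries.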
