
Re: How to set access permissions to protect a database file?



On 6/9/19 2:32 PM, Markos wrote:
Many thanks to Mick, David and Joe,

To guarantee "some" protection to the file containing the database I decided to use the following strategy:

I created, as root, the directory /home/reading_room

And activated the "sticky bit" of the reading_room directory with the command:

chmod +t /home/reading_room/

And transferred the files to the new directory with the following access permissions:
reading_room.tcl  rwxr--r-x  (owner markos)

reading_room.db rw-r--rw- (owner markos)

This way other users can run the reading_room.tcl program but can't edit it.

And can't delete the files (.tcl or .db)

Trying to protect against Murphy, but not Machiavelli.

Thank you,
Markos

I created a test setup similar to your solution:

2019-06-10 08:23:27 dpchrist@tinkywinky ~
$ cat /etc/debian_version ; uname -a
9.9
Linux tinkywinky 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u2 (2019-05-13) x86_64 GNU/Linux

2019-06-10 08:14:52 dpchrist@tinkywinky ~
$ mkdir foo

2019-06-10 08:16:33 dpchrist@tinkywinky ~
$ chmod +t foo

2019-06-10 08:29:54 dpchrist@tinkywinky ~
$ echo 'echo "hello" >> /home/dpchrist/foo/hello.txt' > foo/hello.sh

2019-06-10 08:30:08 dpchrist@tinkywinky ~
$ chmod 0745 foo/hello.sh

2019-06-10 08:30:14 dpchrist@tinkywinky ~
$ echo 'initial contents' > foo/hello.txt

2019-06-10 08:30:40 dpchrist@tinkywinky ~
$ chmod 0646 foo/hello.txt

2019-06-10 08:30:53 dpchrist@tinkywinky ~
$ ls -l foo/hello.*
-rwxr--r-x 1 dpchrist dpchrist 45 Jun 10 08:30 foo/hello.sh
-rw-r--rw- 1 dpchrist dpchrist 17 Jun 10 08:30 foo/hello.txt

2019-06-10 08:31:29 dpchrist@tinkywinky ~
$ cat foo/hello.sh
echo "hello" >> /home/dpchrist/foo/hello.txt

2019-06-10 08:31:34 dpchrist@tinkywinky ~
$ cat foo/hello.txt
initial contents


If I test it as another user:

tinkywinky@tinkywinky:~$ ls -la /home/dpchrist/foo
total 8
drwxr-xr-t 1 dpchrist dpchrist   34 Jun 10 08:29 .
drwxr-xr-x 1 dpchrist dpchrist 1694 Jun 10 08:20 ..
-rwxr--r-x 1 dpchrist dpchrist   45 Jun 10 08:30 hello.sh
-rw-r--rw- 1 dpchrist dpchrist   23 Jun 10 08:39 hello.txt

tinkywinky@tinkywinky:~$ cat /home/dpchrist/foo/hello.sh
echo "hello" >> /home/dpchrist/foo/hello.txt

tinkywinky@tinkywinky:~$ cat /home/dpchrist/foo/hello.txt
initial contents

So, other users:

- Can see the script file system entry.

- Can see the data file file system entry.

- Can see the contents of the script (!).

- Can see the contents of the data file (!).


Continue testing:

tinkywinky@tinkywinky:~$ /bin/sh /home/dpchrist/foo/hello.sh

tinkywinky@tinkywinky:~$ cat /home/dpchrist/foo/hello.txt
initial contents
hello

So:

- Other users can run the script.

- The script can write to the data file.


Continue testing:

tinkywinky@tinkywinky:~$ rm -rf /home/dpchrist/foo
rm: cannot remove '/home/dpchrist/foo/hello.sh': Permission denied
rm: cannot remove '/home/dpchrist/foo/hello.txt': Permission denied

So, other users:

- Cannot delete the script.

- Cannot delete the data file.


Continue testing:

tinkywinky@tinkywinky:~$ echo "blah" > /home/dpchrist/foo/hello.sh
-bash: /home/dpchrist/foo/hello.sh: Permission denied

tinkywinky@tinkywinky:~$ echo "blah" > /home/dpchrist/foo/hello.txt

tinkywinky@tinkywinky:~$ cat /home/dpchrist/foo/hello.txt
blah

So, other users:

- Cannot overwrite the script.

- Can overwrite the data file (!).


Continue testing:

tinkywinky@tinkywinky:~$ vi /home/dpchrist/foo/hello.sh
echo "pwn3d" >> /home/dpchrist/foo/hello.txt
:w
E45: 'readonly' option is set (add ! to override)
:w!
"/home/dpchrist/foo/hello.sh" E212: Can't open file for writing
Press ENTER or type command to continue
:q!

tinkywinky@tinkywinky:~$ vi /home/dpchrist/foo/hello.txt
pwn3d
:w
"/home/dpchrist/foo/hello.txt" 1 line, 6 characters written
:q

So, other users:

- Cannot edit the script.

- Can edit the data file (!).


You have found an interesting combination of mode bits and multi-user behavior. I can see how that could work in a "friendly" environment, where you are protecting against mistakes rather than protecting against attacks.


You will want to back up the data file frequently.


It has been many years since I played with the special mode bits. This article is a decent refresher:

https://linuxconfig.org/how-to-use-special-permissions-the-setuid-setgid-and-sticky-bits


I found another article that describes how to wrap a script with a C program, so that the set UID and set GID bits will work.

https://engineering.purdue.edu/ECN/Support/KB/Docs/HowToSUIDSGIDscripts


If you created a restricted user account just for the app and data, created an executable wrapper, and adjusted the mode bits, I believe you could prevent users from seeing the contents of the script, seeing the contents of the database, overwriting the database, and editing the database.


David
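As an added example (not from the thread, and not code from either poster): a small POSIX sh checker that takes the 10-character mode fields `ls -l` prints for a directory and for a file inside it and reports what users who are neither the owner nor in the group can do, reproducing David's findings above. The function names `others_can` and `audit_file` are this example's own.

```shell
#!/bin/sh
# Added example: given the 10-character mode fields that `ls -l` prints for
# a directory and for a file inside it, report what users who are neither
# the owner nor in the group ("others") can do to the file.  Function names
# (others_can, audit_file) are this example's own, not from the thread.
#
# Rules applied:
#  - read/write/execute on the file come from its own "other" triplet
#    (characters 8-10 of the mode field).
#  - unlinking (delete) needs write+search on the *directory*; with the
#    sticky bit set, ls shows 't' (or 'T') instead of 'x' in position 10,
#    so the pattern ?wx matches only a world-writable, non-sticky dir.
#    Note the thread's directory was drwxr-xr-t: others had no 'w' on it,
#    so deletion was blocked with or without the sticky bit.

others_can() {
    d_other=${1#???????}   # strip 7 chars: keep the "other" triplet
    f_other=${2#???????}
    out=""
    case "$f_other" in r??) out="$out read" ;; esac
    case "$f_other" in ?w?) out="$out write" ;; esac
    case "$f_other" in ??x) out="$out execute" ;; esac
    case "$d_other" in ?wx) out="$out delete" ;; esac
    if [ -z "$out" ]; then out=" nothing"; fi
    printf '%s\n' "${out# }"
}

# Convenience wrapper for a real path: reads the mode fields with ls -ld.
audit_file() {
    dmode=$(ls -ld "$(dirname "$1")" | cut -c1-10)
    fmode=$(ls -ld "$1" | cut -c1-10)
    printf '%s: others can %s\n' "$1" "$(others_can "$dmode" "$fmode")"
}

# Constructed inputs mirroring the thread's setup (foo, hello.sh, hello.txt).
others_can drwxr-xr-t -rwxr--r-x   # read execute
others_can drwxr-xr-t -rw-r--rw-   # read write
others_can drwxrwxrwx -rw-r--rw-   # read write delete  (no sticky bit)
others_can drwxrwxrwt -rw-r--rw-   # read write         (sticky bit set)
others_can drwxr-xr-t -rw-r-----   # nothing
```

Run `audit_file /path/to/reading_room.db` before relying on a mode-bit scheme; a `write` in the output means any local user can overwrite the database exactly as shown in the test above.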

