Reputation: 707
Limiting access to a file based on process group
I have a hypothetical question. Say I have a file which I only want certain processes to be able to read and modify. How would I go about implementing this?
Currently after some thought the best methodology seems to be based on limiting access to process groups. Much like in *nix how one can change the permissions of a file to give rwx access to a users in a certain group is it possible to only give rwx access permissions for a file to processes that belong in a certain process group? Is my approach here valid or is there a much easier way to go about doing this?
Upvotes: 2
Views: 1245
Answers (4)
Reputation:
You cannot do it quite like this, but you can achieve this effect with these steps:
First create a new group, make it the owner of the files and set the permissions to exclude access outside the group.
Then make this group the owner of your executable and set its setgid bit.
When run, the executable (and its child processes) will have the id of the group and therefore have access to the files.
See CHMOD(1) for details.
This setup is typically used to give games exclusive access to a score files to prevent external tampering. Look in your /usr/games you might find some examples of setgid executables.
Upvotes: 1
Reputation: 41017
If I understood right you want to lock file for write depending of process group, in this case you can combine fcntl and gpgrp
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <fcntl.h>
#include <unistd.h>
#define ALLOWED_GROUP 500
int main(int argc, char *argv[])
{
struct flock fl = {F_WRLCK, SEEK_SET, 0, 0, 0};
int fd;
fl.l_pid = getpid();
if (argc > 1 || getpgrp() != ALLOWED_GROUP)
fl.l_type = F_RDLCK;
if ((fd = open("demo.c", O_RDWR)) == -1) {
perror("open");
exit(1);
}
printf("Press <RETURN> to try to get lock: ");
getchar();
printf("Trying to get lock...");
if (fcntl(fd, F_SETLKW, &fl) == -1) {
perror("fcntl");
exit(1);
}
printf("got lock\n");
printf("Press <RETURN> to release lock: ");
getchar();
fl.l_type = F_UNLCK;
if (fcntl(fd, F_SETLK, &fl) == -1) {
perror("fcntl");
exit(1);
}
printf("Unlocked.\n");
close(fd);
return 0;
}
Upvotes: 1
Reputation: 1
You could also be interested by access control lists
Personally, I never used them because I don't need such fine control on access
Upvotes: 1
Reputation: 4524
File permissions exist on the three levels you talk about. Owner -> Owner Group -> All. When a process runs however, it runs under permissions of a certain user (the user that started it) and inherits the permissions. I would assume then that you would want to create a unique user group, run the processes under that permission and limit the file's access to that group only.
Would there be limitations as to why you could not use a method like this?
Upvotes: 2
Related Questions
- Restrict user access to JUST ONE specific file and nothing else
- Limit access to a pipe to a process (Windows)
- Allow some processes to read and write a directory and deny rest of all processes
- Unique Process Permissions Linux
- File permissions for a process in C
- Setting permissions based on the program trying to access a kernel module
- Linux: check if process has read access to file in C/C++
- How to restrict write access to a Linux directory by process attributes?
- Changing file permissions in kernel
- Linux device node accessible to only certain process groups