Thread: Evaluate a command string for access control

  1. #1
    Registered User
    Join Date
    Jul 2010
    Posts
    6

    Evaluate a command string for access control

    Hi,
    I need some help!

    I will make this feature:
    - given a directory name, a "client" can access only in this directory and all the subdirectory in it.

    ES:
    directory name: /home/tmp
    The client can access to /home/tmp and all its subdirectory but not in /home or any other directory in the filesystem.

    I will make this with C or LINUX shell commands.

    NOTE: if the command is ls home/tmp/../../../tmp.txt the client can't access to this directory so a good evaluation of the command string given has to be performed.

    I think to evaluate the string given to me expand the path (removing .. or . or symbolic link) and see if it match with the directory name given.

    How can I do this? There are another method to do this?

    Thanks for all.

  2. #2
    &TH of undefined behavior Fordy's Avatar
    Join Date
    Aug 2001
    Posts
    5,793
    Cant you just use chroot?

    chroot - Wikipedia, the free encyclopedia

  3. #3
    Registered User
    Join Date
    Jul 2010
    Posts
    6
    Thanks,
    this can be a solution.

    But I prefer a more flexible command for this reason:
    - I can have a download and upload directory that aren't a subdirectory of a parent directory.

    So, I can have access to /home/download and /home/upload directory for the command of upload and download of the client.

    Thanks.

  4. #4
    and the hat of int overfl Salem's Avatar
    Join Date
    Aug 2001
    Location
    The edge of the known universe
    Posts
    39,660
    > The client can access to /home/tmp and all its subdirectory but not in /home or any other directory in the filesystem.
    ...
    > So, I can have access to /home/download and /home/upload directory

    OK, so do you or do you NOT allow roaming around in /home?

    The more elaborate your "security" model becomes, the more likely someone is to spot a hole in it.
    If you dance barefoot on the broken glass of undefined behaviour, you've got to expect the occasional cut.
    If at first you don't succeed, try writing your phone number on the exam paper.

  5. #5
    Registered User
    Join Date
    Jul 2010
    Posts
    6
    OK, so do you or do you NOT allow roaming around in /home?
    I can only access to /home/download and /home/upload and the subdirectory of these. I can't access to any other directory in the filesystem.

    In idea is to expand the path received from the client resolving all links and other "tricks" for example:

    string from client: /../../mnt/tmp
    string to evaluate: /home/upload/../../mnt/tmp
    evaluated string: /mnt/tmp
    DENY ACCESS because this directory isn't in /home/upload.

    I need a command that expand a given path resolving all link and . or .. for evaluate the final string.

    Thanks.

  6. #6
    Frequently Quite Prolix dwks's Avatar
    Join Date
    Apr 2005
    Location
    Canada
    Posts
    8,057
    You could probably use find or ls to resolve symlinks for you and remove . and .. to turn your path into a full path name. But if you do the checking yourself there's always a chance you'll get it wrong.

    If you wanted to implement this at the operating-system level you could use access control lists. But be forewarned that it becomes *extremely* complicated very fast and you end up spending a lot of time on it. Plus it's very easy to make mistakes.

    But if you really want to: Using ACLs with Fedora Core 2
    dwk

    Seek and ye shall find. quaere et invenies.

    "Simplicity does not precede complexity, but follows it." -- Alan Perlis
    "Testing can only prove the presence of bugs, not their absence." -- Edsger Dijkstra
    "The only real mistake is the one from which we learn nothing." -- John Powell


    Other boards: DaniWeb, TPS
    Unofficial Wiki FAQ: cpwiki.sf.net

    My website: http://dwks.theprogrammingsite.com/
    Projects: codeform, xuni, atlantis, nort, etc.

Popular pages Recent additions subscribe to a feed

Similar Threads

  1. I don't understand this.
    By neveslave in forum C Programming
    Replies: 21
    Last Post: 05-14-2010, 06:20 PM
  2. (Multiline) Edit Control Limit
    By P4R4N01D in forum Windows Programming
    Replies: 9
    Last Post: 05-17-2008, 11:56 AM
  3. Button handler
    By Nephiroth in forum Windows Programming
    Replies: 8
    Last Post: 03-12-2006, 06:23 AM
  4. very weird .h problem
    By royuco77 in forum C++ Programming
    Replies: 1
    Last Post: 09-11-2005, 07:55 AM
  5. Tab Controls - API
    By -KEN- in forum Windows Programming
    Replies: 7
    Last Post: 06-02-2002, 09:44 AM