Locking folders in slurm - slurm

I am using slurm to train models. Now, I need to share the computing resources with my groupmates, but I have some confidential data stored in the slurm. Therefore, I wish to add a password to a certain folder. But I don't have the root permission so it's difficult for me to use apps like Cryptkeeper and so on to easily manage the folder password.
So, is there any way that I can add a password to my folders on the slurm system without the root permission and GUI? Thanks a lot!

Related

how to not allow other user to copy my script in remote server

Experts, I am using a Linux server where the same username and password are used by other persons to log in and perform their work. Sometimes they delete and misplace my scripts from that server. So in order to overcome this problem I want to know whether there is any procedure so that other users of the same ID cannot see and access my scripts. I hope experts will help me in this regard.
I am using the `ssh` command to log in.
I am also trying to hide the script but have not managed it successfully.
Unix systems are not designed to protect against unwanted or malicious accesses from the same user. If all of the people on the machine are using the same user account, then to a Linux or Unix system, they are the same user, and each and every human has the same privileges to act on that file.
If you want to have different access control permissions for different humans, then they need to have different accounts. This is the basis of security permissions for Unix systems. This is also why many daemons run as their own unprivileged user: so that if one process gets compromised, it is unable to negatively affect other things on the system.

Update or modify files owned by root from nodejs server

I plan to create a web interface to configure a part of my system, including some files owned by root. It will be a NodeJS server and I know that running it as root is not a good idea.
Any suggestions about how to perform that without performance and security issues?
Thank you.
I decided to create a specific script that will be owned by root with highly restricted rights and allow sudo on that script for a dedicated user without a password, so that it cannot log in (only root can do a su on it).
In the script I will perform the wanted actions (update, upgrade, file copy, etc.).
Let's hope that security is good enough.
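
One way such a root-owned script can be written so that the web process chooses only an action name, shown as an added example that is not the poster's own code. The account `webcfg`, the helper path, the staged file paths, the use of `apt-get` and the `NOPASSWD` sudoers entry are all assumptions made for illustration.

```shell
#!/bin/sh
# Added example, hypothetical names throughout. Assumed sudoers entry (visudo):
#   webcfg ALL=(root) NOPASSWD: /usr/local/sbin/webcfg-helper
# NOPASSWD is needed because the dedicated account has no usable password.
# Keep this file owned by root and writable by root only.

PATH=/usr/sbin:/usr/bin:/sbin:/bin   # ignore whatever PATH the caller had
export PATH
umask 022

# resolve_action NAME
# Prints the fixed command line for an allowlisted action, or returns 1.
# The caller picks a name from this table and nothing else: no caller text
# is ever copied into the command that root runs.
resolve_action() {
    case $1 in
        update)      echo "/usr/bin/apt-get update" ;;
        upgrade)     echo "/usr/bin/apt-get -y upgrade" ;;
        deploy-conf) echo "/usr/bin/install -o root -g root -m 0644 /var/lib/webcfg/staged/app.conf /etc/myapp/app.conf" ;;
        *)           return 1 ;;
    esac
}

main() {
    if [ $# -ne 1 ]; then
        echo "usage: webcfg-helper ACTION" >&2
        return 2
    fi
    if ! cmd=$(resolve_action "$1"); then
        echo "webcfg-helper: refused unknown action" >&2
        return 2
    fi
    # Record who asked for what; SUDO_UID is set by sudo.
    logger -t webcfg-helper "uid=${SUDO_UID:-unknown} action=$1" 2>/dev/null || true
    # Unquoted on purpose: $cmd comes only from the table above.
    exec $cmd
}

# Run only when called with arguments, so the file can also be sourced.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

The staged file's content still comes from the web process, so it needs its own validation before the `deploy-conf` action copies it into place.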

How to let users run arbitrary source code on my server

I want to automate testing of my users' source code files by letting them upload C++, Python, Lisp, Scala, etc. files to my Linux machine where a service will find them in a folder and then compile/run them to verify that they are correct. This server contains no important information about any of my users, so there's no database or anything for someone to hack. But I'm no security expert so I'm still worried about a user somehow finding a way to run arbitrary commands with root privileges (basically I don't have any idea what sorts of things can go wrong). Is there a safe way to do this?
They will. If you give someone the power to compile, it is very hard not to escalate to root. You say that server is not important to you, but what if someone sends you an email from that server, or alters some script, to obtain some info on your home machine or another server you use?
At least you need to strongly separate yourself from them. I would suggest Linux containers (https://linuxcontainers.org/); they are trendy these days. But be careful, this is the kind of service that is always dangerous, no matter how much you protect yourself.
Read more about the chroot command in Linux.
This way you can provide every running user program with a separate isolated container.
You should under no circumstances allow a user to run code on your server with root privileges. A user could then just run `rm -rf /` and it would delete everything on your server.
I suggest you make a new local user / group that has very limited permissions, e.g. can only access one folder. So when you run the code on your server, you run it in that folder, and the user cannot access anything else. After the code has finished you delete the content of the folder. You should also test this vigorously to check that they really can't destroy / manipulate anything.
If you're running on FreeBSD you could also look at Jails, which is sort-of a way of virtualization and limiting a user / program to that sandbox.
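
The "run it in one folder, then delete the folder" step from the answer above, as an added example that is not from the original posts. It assumes the service already runs as the limited account and that `timeout` from coreutils is installed; it adds CPU, file-size and wall-clock limits but is not by itself the container or jail isolation the answers recommend.

```shell
#!/bin/sh
# Added example: one throwaway folder per submission, hard resource limits,
# a wall-clock timeout, and cleanup afterwards. Meant to be called by a
# service that already runs as the dedicated low-privilege account.

# run_submission SECONDS CMD [ARGS...]
# Runs CMD inside a fresh private directory and removes the directory when
# CMD ends. Returns CMD's exit status (124 means the timeout fired).
# LAST_WORKDIR is set to the directory that was used, for logging.
run_submission() {
    limit=$1
    shift
    work=$(mktemp -d /tmp/submission.XXXXXX) || return 1
    chmod 700 "$work"             # other local users cannot look inside
    LAST_WORKDIR=$work
    (
        cd "$work" || exit 1
        ulimit -t "$limit"        # CPU seconds
        ulimit -f 20480           # cap on file size (blocks; unit is shell-specific)
        ulimit -c 0               # no core dumps
        # SIGTERM after $limit seconds, SIGKILL two seconds later.
        exec timeout -k 2 "$limit" "$@"
    )
    status=$?
    rm -rf -- "$work"             # nothing from this run survives
    return "$status"
}
```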

decrypt a file only for specific process in linux automatically

I want to encrypt a folder with encfs or ecryptfs in Linux. I can do it, but I want only a specific process to be able to access it, with decryption occurring automatically for that process.
No encryption key should be needed by the process.
Can anyone help me?
File systems are made exactly for the idea to allow access for more than one process. To want to restrict this access now to only one process is somewhat the opposite of this idea, so it won't be smooth, however you solve your task.
A much more straight-forward way if you want just one process have access would be to not use a file system but a database or just the contents of a single file. This way it would be easy to restrict the access to exactly one process.
If you want to stick to the encfs (or similar) you could let the process run as a specific user which should be the only user to have read and execute permissions on the mounted file system's root.

Linux users', specifically Apache, permissions settings, [Linux noob :]

I have user:nobody and group:nogroup set for apache in httpd.conf.
Since I also use my own user to manage files on ssh through Samba, I would like to have access to the www folder for read/write, and also allow apache to read these files.
Some folders should have apache's write permissions.
Should I leave apache as nobody|nogroup?
I was thinking I should set my own user under a group called say "webadmins" and set apache a new user called say "apache" under the same group. Then allow the group to read from all files, but only my user will have write files. Whenever apache would need a write permission inside a folder, I would manually change that. Is this a fair enough approach or am I missing something?
Thanks!
Usually any daemon will need to access a number of resources.
It is therefore good practice to run each daemon under a special user:group, rather than nobody:nogroup.
Traditionally (e.g. on Debian systems) Apache runs as www-data:www-data.
Finally, user permissions take precedence over group permissions (which in turn take precedence over other permissions).
This means that a directory where the user does not have write perms but the user's group can write is effectively r/o for that user (but not for other members of the group).
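
The precedence rule in this answer, worked through for the layout the question proposes, as an added example that is not part of the original posts. The uids, gids and modes are constructed, and the functions model only the classic owner/group/other check (no ACLs, no root bypass).

```shell
#!/bin/sh
# Added example: the classic Unix permission check picks exactly ONE class
# (owner, else group, else other) and uses only that class's bits.
# All uids, gids and modes used with it are constructed for illustration.

# perm_class FILE_UID FILE_GID PROC_UID [PROC_GID...]
# Prints which class the process falls into: owner, group or other.
perm_class() {
    f_uid=$1; f_gid=$2; p_uid=$3
    shift 3
    if [ "$p_uid" -eq "$f_uid" ]; then echo owner; return 0; fi
    for g in "$@"; do
        if [ "$g" -eq "$f_gid" ]; then echo group; return 0; fi
    done
    echo other
}

# effective_perms MODE FILE_UID FILE_GID PROC_UID [PROC_GID...]
# MODE is octal (e.g. 0570). Prints the rwx triplet that actually applies.
# Root (uid 0) is not modelled here: it bypasses these checks.
effective_perms() {
    mode=$1
    shift
    case $(perm_class "$@") in
        owner) bits=$(( (0$mode >> 6) & 7 )) ;;
        group) bits=$(( (0$mode >> 3) & 7 )) ;;
        *)     bits=$(( 0$mode & 7 )) ;;
    esac
    out=
    if [ $(( bits & 4 )) -ne 0 ]; then out="${out}r"; else out="${out}-"; fi
    if [ $(( bits & 2 )) -ne 0 ]; then out="${out}w"; else out="${out}-"; fi
    if [ $(( bits & 1 )) -ne 0 ]; then out="${out}x"; else out="${out}-"; fi
    echo "$out"
}

# Constructed layout: www owned by uid 1000, group "webadmins" gid 2000.
# The web server account is uid 33 with groups 33 and 2000.
#   effective_perms 0750 1000 2000 1000 1000 2000   -> owner class applies
#   effective_perms 0750 1000 2000 33 33 2000       -> group class applies
#   effective_perms 0570 1000 2000 1000 1000 2000   -> owner is read-only
#     although the owner is also a member of the group that may write
```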
