0

Protect folder from modification during time period

asked 2013-10-03 11:51:51 -0500

ZenDark

I have a Fedora server with a folder that contains one application (code, logs, output files...) that is executed by the user "runner".

I want to protect that folder so that the users from the "developers" group won't be able to modify anything inside that folder, outside certain hours.

The permissions on that folder are set so that the owner and the group have write access:

drwxrwxr-x. runner developers /application

The tricky conditions:

  • developer users must have access to the server anytime, and read access inside /application

  • developer users must have write permissions during fixed periods, to put new code into production

  • runner user always must have write permission

  • changing the permissions folder each time, should not be an option

What would be the best approach?


2 Answers

1

answered 2013-10-03 14:52:26 -0500

Here's an overview of an idea; I can give some examples if needed but the actual implementation will depend on your specific use case.

First, you should have both a production environment and a development environment for your devs to work in.

Create a git repo in /application on the production environment. Configure so that git push production master will push to the production environment.

Set up the staging environment so that git push staging $branchname will push changes in the designated branch to staging.

Developers would create a new branch for a given task and commit each change with a message so other developers can follow along. Branches can be shared for peer review, merged to master when ready, and pushed to staging for testing.

Changes can be pushed into production by anyone with access - this and scheduling are a social problem that a technical solution might not be best for. You might opt to give only the team lead and an alternate write access to the actual production server, since everyone else can collaborate without touching it.

Besides code sharing and logs, you also can easily revert changes if something goes wrong. It might seem like overkill at first, but good version control system habits are worth the effort.


Comments

This approach could work. I should completely remove the write permission for the developer group, and program the "git pull production". Developers already work with version control and they could deploy changes automatically from a production branch.

ZenDark ( 2013-10-04 12:55:14 -0500 )
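
One way to build the pull-based deploy discussed in the comment above, as an added example that is not part of the original thread: a script in runner's crontab that fast-forwards /application only while a deploy window is open, so the developers group needs no write bit at all. It goes slightly beyond the thread by also handling a window that wraps past midnight. The remote name "origin", the branch name "production", the script path and the 0900-1800 window are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: /application is a git clone
# owned by "runner", the developers group has no write bit on it, and the
# remote "origin" and branch "production" exist under those hypothetical names.
# Hypothetical crontab line for runner:
#   */10 * * * * /home/runner/deploy_window.sh deploy

APP_DIR="${APP_DIR:-/application}"
REMOTE="${REMOTE:-origin}"
BRANCH="${BRANCH:-production}"
WINDOW_START="${WINDOW_START:-0900}"   # HHMM, inclusive (constructed value)
WINDOW_END="${WINDOW_END:-1800}"       # HHMM, exclusive (constructed value)

# in_window NOW START END: 0 if NOW is inside [START, END), 1 if outside,
# 2 if any argument is not a four-digit HHMM value.
in_window() {
    for _t in "$1" "$2" "$3"; do
        case $_t in
            [0-2][0-9][0-5][0-9]) ;;
            *) return 2 ;;
        esac
    done
    # Prefix 1 and subtract 10000 so "0900" is not parsed as octal.
    _now=$((1$1 - 10000)); _start=$((1$2 - 10000)); _end=$((1$3 - 10000))
    if [ "$_start" -le "$_end" ]; then
        [ "$_now" -ge "$_start" ] && [ "$_now" -lt "$_end" ]
    else
        # Window wraps past midnight, e.g. 2200 to 0200.
        [ "$_now" -ge "$_start" ] || [ "$_now" -lt "$_end" ]
    fi
}

deploy() {
    # Any non-zero result (closed window or malformed window) skips the pull.
    if ! in_window "$(date +%H%M)" "$WINDOW_START" "$WINDOW_END"; then
        echo "deploy window $WINDOW_START-$WINDOW_END is closed; nothing pulled" >&2
        return 0
    fi
    cd "$APP_DIR" || return 1
    git fetch --quiet "$REMOTE" "$BRANCH" || return 1
    # --ff-only stops the deploy if the working copy has diverged from the branch.
    git merge --ff-only --quiet FETCH_HEAD
}

case "${1:-}" in
    deploy) deploy ;;
esac
```

Because runner is the only account that writes to /application, directory permissions never change; the window is enforced by when the pull runs.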
0

answered 2013-10-03 12:08:17 -0500

There are a lot of ways you can accomplish this. One very rudimentary way is to use cron with 2 entries: one to give access to users in the developers group at a certain time, and another entry to remove access. For example, let's say access is given every day at 09:00 and removed at 18:00.

# crontab -e

00 09 * * * /home/runner/give_access.sh
00 18 * * * /home/runner/remove_access.sh

The files would be something like:

give_access.sh

#!/bin/sh
chmod -R g+w /application

remove_access.sh

#!/bin/sh
chmod -R g-w /application

Of course files would have to be executable by user runner, with a simple:

chmod +x give_access.sh

chmod +x remove_access.sh

Comments

That's the obvious solution, but as stated in the question: "changing the permissions folder each time, should not be an option"

ZenDark ( 2013-10-04 12:46:47 -0500 )


Stats

Asked: 2013-10-03 11:51:51 -0500

Seen: 140 times

Last updated: Oct 03 '13