Only execute bit - no copy


  1. #1

    Only execute bit - no copy

    Hi,

    I have a program installed on an nfs server. This program has ---x--x---
    (execute for user & group) set, and no read or write. The idea was to be
    able to execute the program, but not allow it to be copied.

    Now this works as intended on our sun solaris, HP-UX and IRIX systems, but
    on Linux I can still copy the program. If the program is located on a local
    disk I cannot copy it on Linux.

    Is there a way around this? As far as I understand when executing a program
    on an nfs server the server must allow the client to read the file. It
    doesn't know for what purpose, this is left to the client to decide.

    Can I mount my Linux clients with some options that will prevent a user from
    copying the program? Something else that can be done?

    Thanks for any help!

    Regards,
    Ole Jacob

    --
    PGP key : <http://home.broadpark.no/~ojtarald/pgp.txt>
    ICQ 5366306 | Jabber ojt@jabber.org | AIM ojtaraldset
    Yahoo ojtaraldset | MSN ojt@gexcon.com
    Ole Jacob Taraldset Guest

  3. #2

    Re: Only execute bit - no copy

    Ole Jacob Taraldset wrote:
    > I have a program installed on an nfs server. This program has ---x--x---
    > (execute for user & group) set, and no read or write. The idea was to be
    > able to execute the program, but not allow it to be copied.
    >
    > Now this works as intended on our sun solaris, HP-UX and IRIX systems, but
    > on Linux I can still copy the program. If the program is located on a local
    > disk I cannot copy it on Linux.
    Which kernel version, and which implementation ?

    [igmar@wrkst igmar]$ mount
    <snip>
    guru:/home/igmar on /mnt/igmar type nfs (rw,rsize=8192,wsize=8192,addr=10.1.1.2)

    [igmar@wrkst igmar]$ ls -l /mnt/igmar/x
    ---x--x--x 1 1000 root 12074 May 25 23:01 /mnt/igmar/x
    [igmar@wrkst igmar]$ cp /mnt/igmar/x ~
    cp: cannot open `/mnt/igmar/x' for reading: Permission denied



    Igmar
    Igmar Palsenberg Guest

  4. #3

    Re: Only execute bit - no copy

    In article <40ee8b37$0$21106$e4fe514c@news.xs4all.nl>,
    Igmar Palsenberg <igmar@non-existant.local> wrote:
    > Ole Jacob Taraldset wrote:
    >
    > > I have a program installed on an nfs server. This program has ---x--x---
    > > (execute for user & group) set, and no read or write. The idea was to be
    > > able to execute the program, but not allow it to be copied.
    > >
    > > Now this works as intended on our sun solaris, HP-UX and IRIX systems, but
    > > on Linux I can still copy the program. If the program is located on a local
    > > disk I cannot copy it on Linux.
    >
    > Which kernel version, and which implementation ?
    >
    > [igmar@wrkst igmar]$ mount
    > <snip>
    > guru:/home/igmar on /mnt/igmar type nfs (rw,rsize=8192,wsize=8192,addr=10.1.1.2)
    >
    > [igmar@wrkst igmar]$ ls -l /mnt/igmar/x
    > ---x--x--x 1 1000 root 12074 May 25 23:01 /mnt/igmar/x
    > [igmar@wrkst igmar]$ cp /mnt/igmar/x ~
    > cp: cannot open `/mnt/igmar/x' for reading: Permission denied
    Note that this "protection" is necessarily dependent on the client doing
    the right thing. The server can't possibly enforce execute-only
    permission, because all it does is send the data to the client. It
    can't tell whether the client is reading the file for the purpose of
    executing it or copying it. So the NFS server has to treat execute
    permission as equivalent to read permission.

    --
    Barry Margolin, barmar@alum.mit.edu
    Arlington, MA
    *** PLEASE post questions in newsgroups, not directly to me ***
    Barry Margolin Guest

  5. #4

    Re: Only execute bit - no copy

    Ole Jacob Taraldset <ojt@spam-spam-egg-and-spam-gexcon.com> writes:
    >I have a program installed on an nfs server. This program has ---x--x---
    >(execute for user & group) set, and no read or write. The idea was to be
    >able to execute the program, but not allow it to be copied.
    >Now this works as intended on our sun solaris, HP-UX and IRIX systems, but
    >on Linux I can still copy the program. If the program is located on a local
    >disk I cannot copy it on Linux.
    Fix the Linux kernel; NFS servers cannot make a distinction between read
    and execute access; there's no "read for execute" and the local system
    must copy the program to memory.

    That's why proper NFS clients will also verify the permissions
    locally (in the case of NFSv2) or on the server (using NFS_ACCESS
    for NFSv3 and later)
    >Is there a way around this? As far as I understand when executing a program
    >on an nfs server the server must allow the client to read the file. It
    >doesn't know for what purpose, this is left to the client to decide.
    >Can I mount my Linux clients with some options that will prevent a user from
    >copying the program? Something else that can be done?
    Fix the source code of your Linux clients. They are broken.

    Casper
    --
    Expressed in this posting are my opinions. They are in no way related
    to opinions held by my employer, Sun Microsystems.
    Statements on Sun products included here are not gospel and may
    be fiction rather than truth.
    Casper H.S. Dik Guest

  6. #5

    Re: Only execute bit - no copy

    Barry Margolin wrote:
    > Igmar Palsenberg wrote:
    > > Ole Jacob Taraldset wrote:
    >
    > > > I have a program installed on an nfs server. This program has ---x--x---
    > > > (execute for user & group) set, and no read or write. The idea was to be
    > > > able to execute the program, but not allow it to be copied.
    > > >
    > > > Now this works as intended on our sun solaris, HP-UX and IRIX systems, but
    > > > on Linux I can still copy the program. If the program is located on a local
    > > > disk I cannot copy it on Linux.
    >
    > > Which kernel version, and which implementation ?
    >
    > Note that this "protection" is necessarily dependent on the client doing
    > the right thing. The server can't possibly enforce execute-only
    > permission, because all it does is send the data to the client. It
    > can't tell whether the client is reading the file for the purpose of
    > executing it or copying it. So the NFS server has to treat execute
    > permission as equivalent to read permission.
    That's because NFS asks for a file handle and then asks for blocks in
    the file. There's no distinction between an exec*() call loading a
    binary and an fread() call loading the data.

    But to make it more fun, directories don't have to have that problem
    depending on the exact NFS implementation. NFS does have file status
    and directory scan commands so it isn't restricted to opening a
    file (directory or otherwise) and then reading blocks (and handling
    directory blocks some specific way).

    Because NFS can layer on top of various filesystems, it can't just
    deliver directories as blocks of data and hope the client can
    handle it because it has to present directories in a unified way.
    Doug Freyburger Guest

  7. #6

    Re: Only execute bit - no copy

    Ole Jacob Taraldset <ojt@spam-spam-egg-and-spam-gexcon.com> wrote:
    > Hi,
    > I have a program installed on an nfs server. This program has ---x--x---
    > (execute for user & group) set, and no read or write. The idea was to be
    > able to execute the program, but not allow it to be copied.
    > Now this works as intended on our sun solaris, HP-UX and IRIX systems, but
    > on Linux I can still copy the program. If the program is located on a local
    > disk I cannot copy it on Linux.
    > Is there a way around this? As far as I understand when executing a program
    > on an nfs server the server must allow the client to read the file. It
    > doesn't know for what purpose, this is left to the client to decide.
    No, there is no way around. Both read and execute mean "read" for an nfs server.
    > Can I mount my Linux clients with some options that will prevent a user from
    > copying the program? Something else that can be done?
    > Thanks for any help!
    > Regards,
    > Ole Jacob
    > --
    > PGP key : <http://home.broadpark.no/~ojtarald/pgp.txt>
    > ICQ 5366306 | Jabber ojt@jabber.org | AIM ojtaraldset
    > Yahoo ojtaraldset | MSN ojt@gexcon.com
    --
    Peter Håkanson
    IPSec Sverige ( At Gothenburg Riverside )
    Sorry about my e-mail address, but i'm trying to keep spam out,
    remove "icke-reklam" if you feel for mailing me. Thanx.
    phn@icke-reklam.ipsec.nu Guest

  8. #7

    Re: Only execute bit - no copy

    Casper H.S. Dik <Casper.Dik@Sun.COM> said:
    >Ole Jacob Taraldset <ojt@spam-spam-egg-and-spam-gexcon.com> writes:
    >
    >>I have a program installed on an nfs server. This program has ---x--x---
    >>(execute for user & group) set, and no read or write. The idea was to be
    >>able to execute the program, but not allow it to be copied.
    >
    >>Now this works as intended on our sun solaris, HP-UX and IRIX systems, but
    >>on Linux I can still copy the program. If the program is located on a local
    >>disk I cannot copy it on Linux.
    >
    >Fix the Linux kernel; NFS servers cannot make a distinction between read
    >and execute access; there's no "read for execute" and the local system
    >must copy the program to memory.
    >
    >That's why proper NFS clients will also verify the permissions
    >locally (in the case of NFSv2) or on the server (using NFS_ACCESS
    >for NFSv3 and later)
    ....
    >Fix the source code of your Linux clients. They are broken.
    Technically, yes -- but in this case the fault happens to be exposing
    a weakness inherent in NFS, which could be considered a good thing. Even
    if the NFS client code was fixed, it'd still be possible to intercept
    the data traffic (ok, would require root privs on the client, or
    unrestricted access to the network somewhere in the vicinity of the
    client or the server). Of course, there are other security considerations
    in providing root privs/unrestricted network access to anyone in
    a network containing an NFS server with material not intended to be
    publicly readable.
    --
    Wolf a.k.a. Juha Laiho Espoo, Finland
    (GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
    PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
    "...cancel my subscription to the resurrection!" (Jim Morrison)
    Juha Laiho Guest

  9. #8

    Re: Only execute bit - no copy

    Casper H.S. Dik wrote:
    > Ole Jacob Taraldset <ojt@spam-spam-egg-and-spam-gexcon.com> writes:
    >
    >>I have a program installed on an nfs server. This program has ---x--x---
    >>(execute for user & group) set, and no read or write. The idea was to be
    >>able to execute the program, but not allow it to be copied.
    >
    >>Now this works as intended on our sun solaris, HP-UX and IRIX systems, but
    >>on Linux I can still copy the program. If the program is located on a
    >>local disk I cannot copy it on Linux.
    >
    > Fix the Linux kernel; NFS servers cannot make a distinction between read
    > and execute access; there's no "read for execute" and the local system
    > must copy the program to memory.
    >
    > That's why proper NFS clients will also verify the permissions
    > locally (in the case of NFSv2) or on the server (using NFS_ACCESS
    > for NFSv3 and later)
    We are using a mix of RedHat 7.3 and 9, and Fedora Core 2 boxes. All behave
    the same way with standard Linux kernels. So what do we do then? I guess
    RedHat and Fedora both use a more or less standard kernel.

    -Ole Jacob
    >
    >>Is there a way around this? As far as I understand when executing a
    >>program on an nfs server the server must allow the client to read the file.
    >>It doesn't know for what purpose, this is left to the client to decide.
    >
    >>Can I mount my Linux clients with some options that will prevent a user
    >>from copying the program? Something else that can be done?
    >
    > Fix the source code of your Linux clients. They are broken.
    >
    > Casper
    --
    PGP key : <http://home.broadpark.no/~ojtarald/pgp.txt>
    ICQ 5366306 | Jabber ojt@jabber.org | AIM ojtaraldset
    Yahoo ojtaraldset | MSN ojt@gexcon.com
    Ole Jacob Taraldset Guest
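
An added example, not part of the original thread or any poster's code: the replies above establish that execute-only protection on an NFS export rests on each client enforcing the mode bits, so this script lists the files on a mount that depend on it. The function names and the `-a` option are this example's own, and it assumes a Linux client with `/proc/mounts`.

```sh
#!/bin/sh
# Added example: audit a mount for files whose mode grants execute but not
# read to some class (owner, group or other). On NFS the secrecy of such
# files depends on every client enforcing the mode bits.

# nfs_mounts [MOUNTS_FILE]
#   Print the mount point of every NFS mount listed in a file in
#   /proc/mounts format (default: /proc/mounts).
nfs_mounts() {
    awk '$3 == "nfs" || $3 == "nfs4" { print $2 }' "${1:-/proc/mounts}"
}

# find_exec_only DIR
#   Print, sorted, every regular file under DIR that has an execute bit set
#   without the matching read bit. Only mode bits are examined, so the
#   result does not depend on who runs the audit.
find_exec_only() {
    [ -d "$1" ] || { echo "not a directory: $1" >&2; return 2; }
    find "$1" -xdev -type f \( \
        \( -perm -0100 ! -perm -0400 \) -o \
        \( -perm -0010 ! -perm -0040 \) -o \
        \( -perm -0001 ! -perm -0004 \) \
    \) -print | sort
}

# Usage: script DIR...   audit the given directories
#        script -a       audit every NFS mount on this client
if [ "${1:-}" = "-a" ]; then
    nfs_mounts | while read -r mp; do find_exec_only "$mp"; done
elif [ "$#" -gt 0 ]; then
    for d in "$@"; do find_exec_only "$d"; done
fi
```

Files it reports are candidates for a different control, such as restricting which hosts may mount the export, since the mode bits alone do not keep the contents from a client that ignores them.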
