0

I have a question about security best practice when configuring a device to be used to users, who should be able to use a programme, but not modify the system.

Let's say I have a folder /opt/myapp containing numerous files that my programme reads. To avoid the user learning too much about the internals of my software, I don't want the user to have access to these files (and I note, the software itself doesn't write anything to this directory either).

Assume the folder has owner/group that's different from the user account. Thus: running chmod o-rwx /opt/myapp removes all "Others" permissions, so the user cannot navigate into that directory. Therefore, they won't be able to see the files.

However, I note I could also alternatively execute this command recurisvely, to revoke permissions on all files within the folder too. But since the user can't cd into that directory, is this relevant?

My question is: which is the better solution? Is there any real-world difference or best practice here?

Dave M
  • 4,514
  • 22
  • 31
  • 30
SLhark
  • 1
  • A running program generally has the same permissions as the user running it. That means that if the users will be running this program (under their own user IDs), and *it* needs access to the files, then *they* need access to them too. – Gordon Davisson Apr 09 '20 at 20:51
  • Thanks, but what if the programme is running as another user (i.e. the user only interacts with it but they aren't running it). – SLhark Apr 14 '20 at 10:52

0 Answers0