ZFS File copy control

Behrang_barekatain

New Member


Messages: 6

Dear
I need a tool in freebsd which can control the file type when a user is copying it to a folder.
For example, I do not want let user1 copy iso files to folder test.
Is there any tool for this?
Regards
 

ralphbsz

Daemon

Reaction score: 1,169
Messages: 1,885

Depends on the exact requirements. For example, rsync has --exclude and --include options. Various other copy programs (tcp, cp, ...) have similar or fewer options. But that requires cooperation from the user performing the copies. You say "do not want to let", which sounds to me like the administrator wants to prevent users from doing certain things; I do not know how to do that.

Theoretically, you could make a restricted account (perhaps in a jail?), and that account doesn't have a normal shell and can't use normal system commands like cp or rsync. This would be an enormous amount of work. It would also not work well, unless you also turn off normal shell access, because it is always possible to copy files with tricks like "cat file.1 > foobar.iso". Even more theoretically you could modify the file system code (perhaps using a fuse file system) so certain file names can't be used at all. There are commercial file systems where this would be easy to implement, using policy-based storage placement: you could set a rule that says "if a new file is named *.iso, then store it in a part of the file system that has no free space at all". But I don't think file systems with policy-based placement are available for FreeBSD (they exist as commercial products, for various Unix and Linux flavors, and for Windows).

You also need to be aware that Unix really doesn't have a "file type". The fact that *.iso files contain ISO images (of CDs or DVDs typically) is just a convention. There is nothing that prevents me from putting an ISO image into a file called foo.bar or important_tax_memo.docx.

Finally, there is no need to write in bold face ... we'll happily read normal text too.
 

SirDice

Administrator
Staff member
Administrator
Moderator

Reaction score: 7,698
Messages: 30,639

I need a tool in freebsd which can control the file type when a user is copying it to a folder.
For example, I do not want let user1 copy iso files to folder test.
Is there any tool for this?
No. The filesystem and ACLs have absolutely no clue what kind of file you're copying.
 

linux->bsd

Active Member

Reaction score: 63
Messages: 162

Worst case scenario, replace /bin/cp with a shell wrapper that tests the file type and handles the request with if-else logic. In pseudocode:

Code:
for each file listed on the command line minus one (last argument is the target directory)
    test each file's file type
        if current file is of ISO type, skip it and display a message
        else, copy it
 

ralphbsz

Daemon

Reaction score: 1,169
Messages: 1,885

Worst case scenario, replace /bin/cp with a shell wrapper that tests the file type and handles the request with if-else logic. In pseudocode:
Yes, you can do that. And then you need to also do it to all other file utilities. And to piping in the shell, since one can also copy files by using "cat a.foo > b.bar". And to all scripting languages, since I can also copy (or create or read or destroy) a file using perl/python/ruby/rexx/...

Doing this everywhere is an enormous pain, unless one can force the user into a super-simple environment where they can do little harm. At that point, it becomes easier to implement it once, centrally, in the file system. But even that is really hard. To begin with, the POSIX file IO API is really not suited to recognizing the content of the file during writes. And one would need to have a policy input, to know what is legal.

This is a difficult problem, and I don't know a general solution.
 

linux->bsd

Active Member

Reaction score: 63
Messages: 162

This is a difficult problem, and I don't know a general solution.
I can't image a general solution exists to cover the myriad ways a user can create files inside a target directory without the use of /bin/cp. It really depends on what the OP is trying to accomplish as to whether even an ugly solution exists. Replacing /bin/cp with a wrapper is limited in scope to the use of /bin/cp to copy files.
 

linux->bsd

Active Member

Reaction score: 63
Messages: 162

users use Microsoft windows OS, while the file server is freebsd.
Are you using NFS? It might be easier / only option to monitor the destination, scan each existing file, and eject any that match the file type you want to reject. You can run a program that checks your target directory for any changes, then fire off a cron job to scan its contents. But this is a really messy solution.
 
Top