- 08-14-2004 #1Just Joined!
- Join Date
- Jul 2003
- Location
- TEXAS
- Posts
- 19
Isolating read access to one file only by another
I'd like to be able to set up a server application that can only READ a certain file. Say a user owns a file called "server", I don't want the user to be able to gain access to the file "huh" but I want the server (which is under that person's username) to be able to access it.
Is this possible? And most importantly which way would I do this?
Regards,
- 08-14-2004 #2
So basically you have an executable called server owned by user. You don't want user to be able to access the file called huh, but you want server to be able to access it when it's run?
The only way I can think of doing this is to make server run as root.
"Time is an illusion. Lunchtime, doubly so."
~Douglas Adams, The Hitchhiker's Guide to the Galaxy
- 08-14-2004 #3
Not if the server is running under that user; you need to make a separate user and group for the server to run under. Then give only that user/group permissions to the file. What server are you trying to do this with?
- 08-14-2004 #4Just Joined!
Well... we run a hosting service for a visual chat program called ThePalace (www.thepalace.com for info).
It has a Linux server binary and it is capable of running plugins. The plugins have the ability to change the way the server works a whole lot (the server has its own API).
We made a plugin in C for the server that we provide for free (as a benefit) to our customers but want to sell to other 'hosting' providers.
Currently what our 'plugin' does is verify by MAC address, which is HARD CODED into the plugin's binary (to prevent piracy by insiders who may leak it to another provider); however, we'd like to be even extra-secure by making it so someone can't even get ahold of the plugin itself in the first place.
We've discovered a competing hosting provider has taken one of our plugins and tried to bypass the MAC verification scheme... to prevent others from getting the plugin and doing the same type of attempts we figured it'd be safest to limit access to the plugin by the server's binary itself.
That way users can START/STOP the server under their OWN name, however people won't be able to grab the plugin we wish to make some profit off of.
The best way to do such a thing would be to make it so
* SERVER file can open file located in /home/plugins/blah.so
* User who executed SERVER cannot.
Which would basically mean giving a file (and just a single file) access to a group and then making /home/plugins.so part of that same group. Then giving the group read privileges.
Would that not basically make it so SERVER can read plugin.so (and thus put it into its memory) but make it so users cannot read the plugin.so file (and therefore not stealing plugins)?
That's what I'm looking at here and was wondering if it'd be possible in such a way, or if it'd be possible in another way without having to have the source code to the server itself (since the server was not an open source product).
- 08-14-2004 #5Just Joined!
Another solution to people pirating the plugins to the server software we've made would be to add more protection than just MAC (since MAC addresses, we've found, can be spoofed by passing certain ifconfig flags).
However, we're not sure on where to get pre-made classes or parts of programs that can get a hardware serial or another unique ID number that never changes and is very hard to spoof.
So... that's our reason for keeping 'stealing' the binary as hard as we can make it, rather than adding more security features: a lack of code examples.
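
The separate-group scheme from posts #3 and #4, as an added example that is not part of the original thread: the server binary is installed setgid to a dedicated group, the plugin is readable only through that group, and this audit checks that the mode bits really enforce it. It assumes GNU stat on Linux; the function names and the group and customer names passed in are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): audit the "dedicated group + setgid
# server" layout. Assumes GNU stat (Linux); all names are caller-supplied.

mode_of()  { stat -c '%a' "$1"; }   # octal mode, e.g. 2755
owner_of() { stat -c '%U' "$1"; }   # owner name
group_of() { stat -c '%G' "$1"; }   # group name

# has_bits MODE MASK -> true if any bit of octal MASK is set in octal MODE
has_bits() { [ $(( 0$1 & 0$2 )) -ne 0 ]; }

# audit_layout SERVER PLUGIN GROUP CUSTOMER
# Prints one line per problem and returns the number of problems (0 = OK).
audit_layout() {
    server=$1; plugin=$2; group=$3; customer=$4; problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }
    smode=$(mode_of "$server"); pmode=$(mode_of "$plugin")

    # Plugin: reachable only through the group, never via owner or "other".
    [ "$(group_of "$plugin")" = "$group" ] || fail "$plugin: group is not $group"
    [ "$(owner_of "$plugin")" != "$customer" ] || fail "$plugin: owned by $customer"
    has_bits "$pmode" 040 || fail "$plugin: group cannot read it"
    has_bits "$pmode" 007 && fail "$plugin: 'other' has access (mode $pmode)"

    # Server: setgid to that group, startable by the customer, but not
    # owned or writable by them (an owner can chmod or replace the file).
    [ "$(group_of "$server")" = "$group" ] || fail "$server: group is not $group"
    has_bits "$smode" 2000 || fail "$server: setgid bit missing (mode $smode)"
    has_bits "$smode" 001 || fail "$server: customer cannot execute it"
    has_bits "$smode" 022 && fail "$server: group/other writable"
    [ "$(owner_of "$server")" != "$customer" ] || fail "$server: owned by $customer"

    return "$problems"
}
```

The audit covers file permissions only: anything the server process itself loads or executes inherits the group and can read the plugin too.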