make file available selectively
I have an X application server that serves thin clients in several
locations. I'm trying to make it so that certain programs can only be
run from certain thin clients. I've already built a system that
determines if the client this X display is connected to is allowed to
run a given program. I just need a way to keep users on unauthorized
workstations from running the program or copying it and running the
copy. The same user can be logged in from unauthorized and authorized
clients simultaneously, so programs must be controlled on the session
level. I have a problem with how I want to do this:
My first idea: Create a user called 'controller' make all controlled
applications owned by this user. Set the program's permissions to
only allow controller to run/read the application file. If a client
is granted access to this file the control daemon runs this file for
the user. The problem is I DON'T want the program run as the
'controller' user; I want it run as the requesting user. Is there a
way for the user 'controller' to execute the program (it is the only
user has permissions) but the program actually run as the requesting
(non-priveledged) user? I don't want to modify the source and I don't
want to do any-- add user to group controller, run program and remove
user from controller really fast...
Second idea: Give all users execute permissions, but encrypt the file.
Upon authorization, the daemon unencrypts and 'su USERNAME [the
program].' Problem here is were/how to run the unencrypted program
without it being available to potentially the same user on an
unauthorized client.
Thanks for any help,
-DC
