As a developer, I’ve created software that falls under the following directory tree:

Launcher
|--- Apps
| |--- Bin
| |--- Src
|--- Images
|--- Scripts
|--- launch.sh

I want to set the permissions of Launcher and its subdirectories such that only I, or someone in my group, can manipulate them. (I know how to do this.)

As an operator, I need to be able to execute launch.sh, and to copy executables from the Bin subdirectory to a local directory for execution. How do I accomplish this while still keeping Launcher and its subdirectories locked down?

I am trying to think the problem out, and basically what I want is for the operator to be able to run a script that he cannot read/modify. This script has the permission necessary to execute lauch.sh, perform the copies (, and set file permission so that operator can use those files). Is this possible?

FYI: Currently this software is setup so that operator is the owner, but I’d really like to separate the developer from the operator (as an operator should never be tinkering with the source code or scripts).

1. if you really mean a script (eg bash, Perl etc) then it must be readable to be executed; ie must have at least r-x somewhere.
You would have to compile a binary (eg using C) to avoid the r perm and have it run only with x perms.

2.
a) you could go with rwxrwxr-x owned by you:you, but that of course means anyone can read/run.

b) You could go with rwxr-x--- owned by you:somegrp & add operator to somegroup, but only you would be able to edit it.

c) Lastly, you could use ACLs eg http://linuxcommando.blogspot.com.au...-lets-you.html http://linux.die.net/man/1/setfacl http://linux.die.net/man/1/getfacl