64

Is it possible to setup directory permissions such that a group is able to read and write files and subdirectories but not delete anything?

1
  • I interpret "delete anything" to include prohibiting any modifications to existing files. Is that what you mean? Do your users have direct filesystem access, or are they coming in via NFS, Samba, or some other route (FTP)? Commented May 15, 2009 at 17:04

3 Answers

54

It might be enough to set the sticky bit on the directories. Users will be able to delete any files they own, but not those of other users. This may be enough for your use case. On most systems, /tmp is set up this way (/tmp is set 1777).

chmod 1775 /controlled

However, if you want more control, you'll have to enable ACLs on the filesystem in question.

In /etc/fstab, append acl to the flags:

/dev/root / ext3 defaults,acl 1 1 

You can then use setfacl/getfacl to control and view ACL-level permissions.

Example (files can be created; once written they are read-only, and CAN be deleted by the owner, but not by others):

setfacl --set u::rwx,g::rwx,o::--- /controlled
setfacl -d --set u::r-x,g::r-x,o::--- /controlled

You can set a default acl list on a directory that will be used by all files created there.

As others have noted, be careful to specify exactly what you want. You say "write" - but can users overwrite their own files? Can they change existing content, or just append? Once written, it's read only? Perhaps you can specify more detail in the comments.

Lastly, SELinux and grsecurity provide even more control, but that's a whole other can of worms. It can be quite involved to set up.


3 Comments

Do you mean 1777 for /tmp? The 4 indicates the SetUID bit (which only has meaning on a directory in BSD-derived systems, I believe).
I'm getting all kinds of errors running setfacl --set u::rwxs,g::rwx /controlled (where "/controlled" is the folder to be modified). setfacl -m u::rwx,g::rwx /controlled
If the "1775" does not work (as it did not for me) I changed it to "1777" and it worked. This will make sure that everyone can write to the directory but cannot delete (and read) the other users files.
18

Well, it would be r-x for this directory.

And files in it would have rw-.

This is because a file can be written if its permissions allow Write, but it can only be deleted if its directory's permissions allow Write.

2 Comments

You also can't move files.
The sticky bit is pretty relevant as well.
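To make the rule behind the first two answers concrete (a file's own mode governs writing to it; the directory's mode governs creating, unlinking and renaming entries in it; the sticky bit then limits unlink/rename to the file owner, the directory owner and root), here is an added example that is not code from any of the answers. It models those POSIX checks on constructed in-memory inodes and runs both layouts side by side: the 1775 sticky directory from the first answer and the r-x directory with rw- files from the second. The uids, gids and file modes are made-up sample data; ACLs and capabilities other than a plain root bypass are deliberately left out.

```python
"""Which object does a permission check look at?

Added example, not from the answers above.  Models the POSIX rules on
constructed in-memory inodes: writing needs w on the FILE; creating,
unlinking or renaming needs w and x on the DIRECTORY; the sticky bit
(S_ISVTX) further limits unlink/rename to the file owner, the directory
owner and root.  ACLs are ignored; root stands in for the capabilities.
"""
import stat
from dataclasses import dataclass

R, W, X = 4, 2, 1
ROOT_UID = 0


@dataclass(frozen=True)
class Inode:
    mode: int   # st_mode: type bits | special bits | rwxrwxrwx
    uid: int
    gid: int


@dataclass(frozen=True)
class Proc:
    uid: int
    gids: frozenset  # primary plus supplementary groups


def _class_bits(node: Inode, proc: Proc) -> int:
    """Pick the owner, group or other triplet that applies to proc."""
    if proc.uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in proc.gids:
        return (node.mode >> 3) & 7
    return node.mode & 7


def permits(node: Inode, proc: Proc, want: int) -> bool:
    """Classic DAC check; root models CAP_DAC_OVERRIDE."""
    if proc.uid == ROOT_UID:
        return True
    return (_class_bits(node, proc) & want) == want


def can_modify(f: Inode, proc: Proc) -> bool:
    """open(O_WRONLY), O_TRUNC and O_APPEND all need only w on the file."""
    return permits(f, proc, W)


def can_create(d: Inode, proc: Proc) -> bool:
    """creat()/mkdir() in d need w (add entry) and x (traverse) on d."""
    return permits(d, proc, W | X)


def can_unlink(d: Inode, f: Inode, proc: Proc) -> bool:
    """unlink()/rename() of f out of d: w+x on d, then the sticky rule."""
    if not permits(d, proc, W | X):
        return False
    if d.mode & stat.S_ISVTX and proc.uid not in (ROOT_UID, d.uid, f.uid):
        return False
    return True


# Constructed sample: admin owns the share, alice and bob share group 100.
ADMIN = Proc(uid=1000, gids=frozenset({100}))
ALICE = Proc(uid=1001, gids=frozenset({100}))
BOB = Proc(uid=1002, gids=frozenset({100}))
STRANGER = Proc(uid=3000, gids=frozenset({300}))

# First answer's layout: chmod 1775 (group rwx plus the sticky bit).
STICKY_DIR = Inode(stat.S_IFDIR | stat.S_ISVTX | 0o775, uid=1000, gid=100)
# Second answer's layout: directory r-x for the group, files rw- for it.
RX_DIR = Inode(stat.S_IFDIR | 0o750, uid=1000, gid=100)
ALICE_FILE = Inode(stat.S_IFREG | 0o664, uid=1001, gid=100)


def scenario() -> dict:
    """Summarise what each layout allows; keys are (layout, actor, op)."""
    return {
        ("sticky", "bob", "create"): can_create(STICKY_DIR, BOB),
        ("sticky", "bob", "modify_alice"): can_modify(ALICE_FILE, BOB),
        ("sticky", "bob", "unlink_alice"): can_unlink(STICKY_DIR, ALICE_FILE, BOB),
        ("sticky", "alice", "unlink_own"): can_unlink(STICKY_DIR, ALICE_FILE, ALICE),
        ("sticky", "admin", "unlink_alice"): can_unlink(STICKY_DIR, ALICE_FILE, ADMIN),
        ("rx", "bob", "create"): can_create(RX_DIR, BOB),
        ("rx", "alice", "modify_own"): can_modify(ALICE_FILE, ALICE),
        ("rx", "alice", "unlink_own"): can_unlink(RX_DIR, ALICE_FILE, ALICE),
        ("rx", "stranger", "modify_alice"): can_modify(ALICE_FILE, STRANGER),
    }


if __name__ == "__main__":
    for (layout, actor, op), ok in scenario().items():
        print(f"{layout:7} {actor:8} {op:14} {'allowed' if ok else 'denied'}")
```

Two results are the ones to notice. In the sticky layout bob can still open alice's group-writable file for writing (so he can truncate it, which is the third answer's warning), and in the r-x layout nobody in the group can create new files at all, because creating an entry needs the same directory write bit that unlinking does.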
3

Possible or not, make sure that overwriting with a 0-byte file isn't equivalent to deleting the file in your particular context.

2 Comments

You can use 'chattr +a' which means "file can only be opened in append mode for writing", meaning you can't rewrite existing content, but you can add new content to the end. This should prevent truncation.
However chattr +a requires root access to set on new files.
