If user smith's home directory has the following permissions:
$ ls -l /home/staff drwxr-x--- 51 smith staff 4096 Sep 18 09:08 smith/ is it possible, somehow, to prevent him to change his home directory's permission to, for example, to 755?
- Cleared an argument about whether or not this is necessary; feel free to argue about it in chat, but the question is about how to do somethingMichael Mrozek– Michael Mrozek2015-09-28 20:22:46 +00:00Commented Sep 28, 2015 at 20:22
Add a comment |
3 Answers
One way is to use per-user groups (i.e. one group for each user) and then set the home directory permissions to root:smith, mode 0770.
Another (more hacky) way is to script this: Create a script that inspects all home directories (get them via setpwent()/getpwent()) that reside under /home (e.g. not /root) and make it either warn when there's a discrepancy or change the permissions on the spot.
I've done the latter myself in a multi-user environment in the past and worked for years like a charm.
- The script would have to check every second for a change of directory permissions in the /home/staff directory.Fuji San– Fuji San2015-09-28 14:16:10 +00:00Commented Sep 28, 2015 at 14:16
- 3You could probably get inotify to check for changes immediately, although there's still a narrow window before changing it back.pjc50– pjc502015-09-28 14:24:54 +00:00Commented Sep 28, 2015 at 14:24
- 1@FujiSan it all depends on what you are trying to achieve. If you are trying to prevent this from ever happening then even every 1 second is not frequent enough. If you are just trying to protect your users from mistakes/ignorance then once a minute will be more than enough, especially if you accompany this with an educational email.V13– V132015-09-29 09:53:37 +00:00Commented Sep 29, 2015 at 9:53
Your wish is only possible if the OS and the filesystem in question support the ACL standard that is used by NTFS and ZFS and that is standardized by NFSv4.
So whether you are able to do what you like depends on OS and filesystem.
Traditional UNIX rules are that user ownership of a directory also permits access mode changes. With ACLs, you are able to deny the user to change ACLs on his own directory.
- The OS is Linux (Fedora). I guess you are talking about
setfacl. How would you do that?Fuji San– Fuji San2015-09-28 14:17:33 +00:00Commented Sep 28, 2015 at 14:17 - 4"Traditional UNIX rules are that write permissions to a directory also permit access mode changes." - that's not true. You have to own it, not just have write access.Random832– Random8322015-09-28 14:33:54 +00:00Commented Sep 28, 2015 at 14:33
- @Fuji San - No, I am not talking about
setfaclbut about the ACL standard. setfacl was a proposal from Sun and others from 1993 that was withdrawn in 1997 because it did not met the customers wishes. The ACL standard is implemented in NTFS and ZFS and the ACLs may be modified by chmod, see schillix.sourceforge.net/man/man1/chmod.1.htmlschily– schily2015-09-28 14:52:57 +00:00Commented Sep 28, 2015 at 14:52
This reapplies the permissions every 15 seconds:
watch -n15 "chmod 0700 *" Or alternatively create a cronjob to re-apply the permissions every minute or so.
