Linux - GeneralThis Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
OK - So I am trying to understand how to use the "chmod" command.
I created a text file in /home/peostri/readme.txt
I am trying to understand how to have this text file listed so that anyone who can access the peostri home directory can read this but can't delete this file (expect root).
I am trying to understand how to have this text file listed so that anyone who can access the peostri home directory can read this but can't delete this file (expect root).
Your ls output indicates that is exactly what you have for readme.txt.
Then why when I create the file as root, can I then login as a regular user (peostri) and delete the file from that directory. I thought the user would only be able to read the file and should get permission denied when trying to delete the file.
Code:
stricom:~# cd /home/peostri/
stricom:/home/peostri# nano readme.txt
stricom:/home/peostri# su peostri
peostri@stricom:~$ cd /home/peostri/
peostri@stricom:~$ ls
chris derek jeff readme.txt tim
peostri@stricom:~$ rm readme.txt
rm: remove write-protected regular file `readme.txt'? y
peostri@stricom:~$ ls
chris derek jeff tim
When I create the file as root in the /home/peostri directory. I then from a completely different PC and network login to FTP as the PEOSTRI user and see the "readme.txt" and just delete it with no questions asked. Something is wrong here and I don't know what.
In general: The owner of a directory can remove that directory, including any file/subdir, even if he/she is not the owner. And, as you found out, can also do this with a specific file. Unix takes another approach.
You could use chattr to make the file(s) immutable, which makes it 'impossible' to tamper with that file (no changing/deleting etc). It also makes it harder for root to remove the file (you can't without unsetting the immutable flag).
The above can be an option as long as the files don't change (too often), this because changing the file is also not permitted as long as the immutable flag is set.
How to do this?
$ id
uid=0(root) gid=0(root) groups=0(root)
$ ls -l readme.txt
-rw-r--r-- 1 root root 2 Oct 18 18:02 readme.txt
$ lsattr readme.txt
------------- readme.txt
$ chattr +i readme.txt
$ lsattr readme.txt
----i-------- readme.txt
$ rm readme.txt
rm: remove write-protected regular file `readme.txt'? y
rm: cannot remove `readme.txt': Operation not permitted
$ ls -l readme.txt
-rw-r--r-- 1 root root 2 Oct 18 18:02 readme.txt
see man chattr and man lsattr for details.
Hope this helps.
[edit]
chattr -i readme.txt => to change it back to 'normal'
[/edit]
Make sure no users but root have write access to that directory if you want to prevent users other than root from deleting files that don't have global write. For instance, if you want people to be able to see what's in the directory but not able to delete a file that's chmoded to something like 644, you should make the directory 755.
As long as a user has write access to a directory, he/she can delete anything in it -- for the same reason he/she can delete the directory itself.
stricom:/# cd /home/peostri/
stricom:/home/peostri# nano readme.txt
stricom:/home/peostri# ls
chris derek jeff readme.txt tim
stricom:/home/peostri# su peostri
peostri@stricom:~$ uid
bash: uid: command not found
peostri@stricom:~$ id
uid=1002(peostri) gid=1002(peostri) groups=1002(peostri)
peostri@stricom:~$ lsattr readme.txt
----------------- readme.txt
peostri@stricom:~$ chattr +i readme.txt
chattr: Permission denied while setting flags on readme.txt
I don't mind other users writing to the /home/peostri. This is a generic ftp login where users dump files to but I don't want them to be able to remove/delete the "readme.txt"
I misunderstood; ofcourse, peostri has write access to his own home directory. But nobody but him and root will be able to remove that readme.txt file. If you don't want peostri to be able to remove the file, do what druuna says or, more simply, don't put the file in his home directory. Make a new directory, /public:
# mkdir /public
# chmod 755 /public
and put the stuff you want publically available read only there.
That way, other users can still dump files in the peostri directory, but the readme.txt file is protected from removal in a directory that doesn't have global write access.
There are some limitations to the basic permissions system in unix/Linux filesystems. If you want more fine-grained control, you may have to implement something like SELinux.
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
