LinuxQuestions.org
Old 01-17-2007, 11:56 AM   #1
TruthSeeker
LQ Newbie
 
Registered: Oct 2005
Location: Cartaxo, Portugal
Distribution: Red Hat Enterprise 4 Mostly
Posts: 25

permissions security question


Does Linux/Unix have any way to distinguish between write and alter permissions in its filesystem?

I've read a bit about Standard Unix permissions and Unixes ACLs etc.

But no article clearly answers my question. (That, or I can't understand it right :s )
Can I permit a user / group / wtv to write new files in a folder, but never to alter already saved files in that folder?

If I put 700 in folder and 500 in file, the rm command only asks for confirmation while deleting the file, but if I click 'y' or give -f it still deletes.

The thing is I wanna give apache (nobody/others) write access for new files in a folder (uploads),
but don't want other apache cgi processes existent in my server to be able to delete those files...

SUexec provides a workaround, but it is still a bit "fake" and has its own problems.
Besides, with cpanel I'd probably have to install fastCGI too and recompile php and it hurts :s

Any ideas or workarounds?
Thanx

Last edited by TruthSeeker; 01-17-2007 at 11:59 AM.
 
Old 01-17-2007, 12:18 PM   #2
pixellany
LQ Veteran
 
Registered: Nov 2005
Location: Annapolis, MD
Distribution: Arch/XFCE
Posts: 17,802

If you have write permission on a directory, then you can add new files. For the existing files, just don't give out write permission. Suppose you have a directory "stuff" and you want the user "fred" to be able to put in files, but not change the existing ones.

Create a group "stuff" and make it the owner of the directory "stuff"
Add fred to the group stuff
Set permissions so that group members can read and write
chmod 775 stuff (Gives read/write/execute to root and group, and read/execute to others)
In the stuff directory, set all permissions to read-only for group and others
 
Old 01-17-2007, 12:22 PM   #3
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

You can use the sticky bit on the folder to protect other users' files from being deleted. This is because the directory is, as far as the kernel is concerned, a file and write access gives a user the ability to delete any file (writing to the directory). The sticky bit on the directory will prevent this possibility. The file itself will need to be read-only for the other users to protect the file itself from overwriting.

ACLs in Linux are useful in giving only certain users or groups permissions without needing to give others write permissions.

Last edited by jschiwal; 01-17-2007 at 12:23 PM.
 
Old 01-17-2007, 12:25 PM   #4
sycamorex
LQ Veteran
 
Registered: Nov 2005
Location: London
Distribution: Slackware64-current
Posts: 5,819
Blog Entries: 1

oops, other people type/think faster


Hi

Quote:
Can I permit a user / group / wtv to write new files in a folder, but never to alter already saved files in that folder?
I'm not sure if that's what you want, but it seems to me that
you could give write permission to the parent directory where all the files are (so that users could create new files), however
remove the file permissions for the files in the directory (so that users could not modify existing files +

1. [root] chmod a+wx name_of_the_directory
2. [root] chmod u+wx *
3. [root] chmod go-wx *

Points 2 and 3 can be done with one command, e.g. chmod 644 *

I'm not sure if it would work like that, you can wait for the
feedback of more experienced Linux users

HTH

Sycamorex

Last edited by sycamorex; 01-17-2007 at 12:27 PM.
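
A check that ties the replies above together, added here as an example and not written by any poster in the thread: it audits an upload directory for a missing sticky bit, for files that group or others can overwrite, and for files owned by the writing account itself, which that account can still delete or chmod even with the sticky bit set (the situation when every CGI runs as the same user). The function name `audit_upload_dir`, the finding labels and the demo directory are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: audit an upload directory against the advice in this thread.
# DIR and WRITER (the account the web server writes as) are caller-supplied
# assumptions; nothing here comes from the original posts.

# audit_upload_dir DIR WRITER
# Prints one finding per line and returns 1 if there were any, else 0.
audit_upload_dir() {
    dir=$1
    writer=$2
    sticky=""

    # Sticky bit missing: any account with write access to DIR can unlink or
    # rename every entry in it, whatever the mode of the file itself.
    if [ -z "$(find "$dir" -maxdepth 0 -type d -perm -1000)" ]; then
        sticky="NO_STICKY $dir"
    fi

    # Group- or other-writable files can be overwritten in place.
    loose=$(find "$dir" -mindepth 1 -maxdepth 1 -type f \
        \( -perm -020 -o -perm -002 \) -exec printf 'WRITABLE %s\n' {} \;)

    # Files owned by WRITER itself: the owner can chmod them back to writable
    # and can delete them even when the sticky bit is set.
    owned=$(find "$dir" -mindepth 1 -maxdepth 1 -type f -user "$writer" \
        -exec printf 'OWNED_BY_WRITER %s\n' {} \;)

    for part in "$sticky" "$loose" "$owned"; do
        if [ -n "$part" ]; then printf '%s\n' "$part"; fi
    done
    if [ -n "$sticky$loose$owned" ]; then return 1; fi
    return 0
}

# Constructed demo: a throwaway directory, first wide open, then tightened.
demo=$(mktemp -d)
: > "$demo/upload1.dat"
chmod 0777 "$demo"; chmod 0666 "$demo/upload1.dat"
echo "before:"; audit_upload_dir "$demo" "$(id -u)" || true
chmod 1777 "$demo"; chmod 0644 "$demo/upload1.dat"
echo "after:";  audit_upload_dir "$demo" "$(id -u)" || true
rm -rf "$demo"
```

In the demo the "after" run still reports OWNED_BY_WRITER, because the account that created the file is the one being audited; separating uploads from other CGI processes needs them to run under different accounts.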
 
  

