Help on Linux File Permissions

kool_kid · 03-09-2008, 12:17 AM

Hi

I want my users to have Read/Write/Execute Permission on a folder but there should not be able to delete any file from the folder which is created by them or any other user on the Domain. So this rules out sticky bit any other method to accomplish this?

I know about File acl's on Linux but I don't how to remove the "delete" permission from the folder for all the users except admins. Any1 would to shed some light on this please?

unSpawn · 03-09-2008, 07:15 AM

Being able to delete items inside a directory means having write rights on the inode of the directory.

kool_kid · 03-09-2008, 02:29 PM

so if write permission is removed then delete permission is also removed right? So I cannot this thing done?

Deleriux · 03-09-2008, 02:53 PM

You can set the folder temporary (chmod 1777) and this will let users create files inside of the directory and only delete files they own instead of all the files in the directory.

Deleriux · 03-09-2008, 02:58 PM

This is exactly what you need, never thought it worked on folders

.

Code:

chattr +a directory/

Keep permissions as they are already (dont do the temp thing I suggested above).

This sets the directory to "append only" which means files can be written to it but not removed.

Note that when using this attribute a file can only be appended and not modified so might not offer exactly what you want.

kool_kid · 03-09-2008, 05:11 PM

Thats a good one but doesn't exactly work for me because people do modify the files a lot. The basic operations that happens on the shared data are Read/Write/Modify/Execute. It is just that we don't want the users to delete whatever content they are adding to the shared area.

unSpawn · 03-11-2008, 08:04 AM

Quote:

Originally Posted by kool_kid

so if write permission is removed then delete permission is also removed right? So I cannot this thing done?

Looks like the right conclusion to me.

Quote:

Originally Posted by kool_kid

doesn't exactly work for me because people do modify the files a lot. The basic operations that happens on the shared data are Read/Write/Modify/Execute.

Read, write, exec OK, but AFAIK there's no "modify" syscall. Allowing write rights and doing '$>/some/file' clear a files content, which you don't want. So as I see it "modification" in your case is a definition based on your definition of the integrity of file contents, so filesystem access rights or extended attributes aren't going to work for you.

Quote:

Originally Posted by kool_kid

It is just that we don't want the users to delete whatever content they are adding to the shared area.

Maybe you could look into like versioning through the filesystem (ext3cow or some overlay fs) or using an application (rsync, database, Wiki) instead? If that ain't working for you maybe you should explain in detail the reasons why it's critical people must not delete (partial) content.