LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Server
User Name
Password
Linux - Server This forum is for the discussion of Linux Software used in a server related context.

Notices

Reply
 
Search this Thread
Old 03-19-2008, 10:08 AM   #1
alexandrusa
LQ Newbie
 
Registered: Jan 2008
Location: Frankfurt am Main, Germany
Distribution: Debian 4.0, Windows 2003 Server
Posts: 12

Rep: Reputation: 1
Unhappy sticky bit: how to protect directories but not files inside


Hi,

I'm trying to protect a directory tree but not the files inside. For that I put a sticky bit on each directory and chown them as root. But that also makes the files within the dirs to become sticky (only owner can delete them), what is not my intention. I want to prevent alterations to the directory-tree but grant unlimited permissions to all users for the files within (on all depths).

Is it possible to achieve that behavior using the file permissions, or do I have to use some trick or script?

The files are only accessed through Samba, so a Samba-side solution would be also helpful.

An idea:
I now have put in each directory a empty directory named ".placeholder" and chowned it to root, what seems the achieve what I want but I'm not really satisfied with that solution. It prevents deletion of of the dirs but it is still possible to rename and to move them.

Thanks
Alex

Last edited by alexandrusa; 03-19-2008 at 10:34 AM.
 
Old 03-19-2008, 10:43 AM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,953
Blog Entries: 54

Rep: Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733
Is this a copy of http://www.linuxquestions.org/questi...elete-623054/? If not, could you explain *why* you need to protect the dirs and not the files within?
 
Old 03-19-2008, 11:38 AM   #3
alexandrusa
LQ Newbie
 
Registered: Jan 2008
Location: Frankfurt am Main, Germany
Distribution: Debian 4.0, Windows 2003 Server
Posts: 12

Original Poster
Rep: Reputation: 1
Not exactly. I thought the sticky bit would solve my problem but as I realized just now I doesn't (I didn't try changing to another user, I just was happy that I couldn't move or delete the dirs). I figured a new thread would me more effective since a replier would not be forced to read the entire thread and I could better emphasize my exact problem now.

Explanation of my problem / intention:

I have a predefined directory tree for every project, that is automatically created by a script in root-mode, for example:

Code:
project_root
+001_project1
 +01_subdir1
   +01_subsubdir1
   +02_subsubdir2
 +02_subdir2
+002_project2
 +01_subdir1
   +01_subsubdir1
   +02_subsubdir2
 +02_subdir2
I would like to preserve that tree, but also allow all user to create, delete and move files and new directories on all depths.

The main reason for that is that in Windows Explorer you can accidently move an entire directory by dragging. This happened often before.
 
Old 03-19-2008, 09:30 PM   #4
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,953
Blog Entries: 54

Rep: Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733Reputation: 2733
Quote:
Originally Posted by alexandrusa View Post
I figured a new thread would me more effective since a replier would not be forced to read the entire thread and I could better emphasize my exact problem now.
If one can see answer history duplicate answers are less likely to happen (..). It's a trade-off.


Quote:
Originally Posted by alexandrusa View Post
I would like to preserve that tree, but also allow all user to create, delete and move files and new directories on all depths. The main reason for that is that in Windows Explorer you can accidently move an entire directory by dragging. This happened often before.
*Sigh* Wetware problems. Look through a few random HOWTO's to see if EA/ACL (http://acl.bestbits.at/) is your thing: http://en.opensuse.org/How_to_share_...sers_using_ACL, http://www.vanemery.com/Linux/ACL/linux-acl.html, http://www.bluelightning.org/linux/samba_acl_howto/. I'm sure you can find some more elaborate and recent ones yourself.
 
Old 03-20-2008, 01:37 AM   #5
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
If you set up the directory to share like:
/srv/samba/ProjectRoot/
and all these directories are created by root in the manner you said, they will be protected from deletion. I tried it out myself and tested it.

Code:
[wildswede]
        path = /srv/samba
        guest ok = Yes
        read only = No
Code:
ls -lR /srv/samba
/srv/samba:
total 20
drwxr-xr-x 2 nobody   nobody   4096 Feb 21 02:07 New Folder
-rwxr----- 1 nobody   nobody     63 Feb 21 02:23 filebyjimbo_1.txt
-rwxr--r-- 1 nobody   nobody     63 Feb 21 02:26 filebyjimbo_2.txt
drwxrwxrwt 4 root     root     4096 Feb 22 10:56 share
-rw------- 1 jschiwal jschiwal    0 Feb 21 02:09 textfile

/srv/samba/New Folder:
total 4
-rwxr--r-- 1 nobody nobody 111 Feb 21 02:07 HTML File

/srv/samba/share:
total 8
drwxrwxrwt 6 root root 4096 Feb 22 10:56 subdir1
drwxrwxrwt 6 root root 4096 Feb 22 11:24 subdir2

/srv/samba/share/subdir1:
total 16
drwxrwxrwt 2 root root 4096 Feb 22 10:56 subsubdir1
drwxrwxrwt 2 root root 4096 Feb 22 10:56 subsubdir2
drwxrwxrwt 2 root root 4096 Feb 22 10:56 subsubdir3
drwxrwxrwt 2 root root 4096 Feb 22 10:56 subsubdir4
I was unable to delete or move the subdirectories.
Note how none of the parent directories are owned by a non-root user.

If you remove the sticky bit from the directories then the directories can be deleted even though they are all owned by root. A user creating a file is responsible for protecting a file from being edited or overwritten by changing the permissions.

I would second the idea of reading the manpages for getfacl, setfacl, lsattr & chattr. I even installed the source for the "coreutils" package so that I could run "configure && make pdf" which generated nice looking documentation on most of the programs in /bin/ and /usr/bin/. The documentation for gawk is excellent.

---

I would also recommend mounting samba shares as cifs filesystems rather than browsing when you are using Linux to Linux samba filesharing. You will be able to use tools like setfacl in the shell. I don't know if any graphical file browser will support this level of file permissions/ownership/acl controls on a samba share.

Good Luck! It would be a good idea to play strictly by the rules on any forum site. Remember the Golden Rule. "The dude with the gold makes all the rules!"

Last edited by jschiwal; 03-20-2008 at 02:32 AM.
 
Old 03-20-2008, 09:17 AM   #6
alexandrusa
LQ Newbie
 
Registered: Jan 2008
Location: Frankfurt am Main, Germany
Distribution: Debian 4.0, Windows 2003 Server
Posts: 12

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by jschiwal View Post
I was unable to delete or move the subdirectories.
Note how none of the parent directories are owned by a non-root user.

If you remove the sticky bit from the directories then the directories can be deleted even though they are all owned by root. A user creating a file is responsible for protecting a file from being edited or overwritten by changing the permissions.
Hi jschiwal, thanks for your input.

I already figured what you are writing, my problem is that I want the files to be non-sticky. But even when I set them to 0777 they still are sticky if the parent directory is:

Code:
drwxrwx--T  3 root   mygroup   80 2008-03-20 14:28 .
drwxrwx--- 26 user_a mygroup 1.3K 2008-03-20 14:21 ..
drwxrwx--T  2 root   mygroup   88 2008-03-20 14:29 thisdirissticky
# sudo -u user_a mv thisdirissticky thisdirissticky_
mv: cannot move `thisdirissticky' to `thisdirissticky_': Operation not permitted
# sudo -u user_b mv thisdirissticky thisdirissticky_
mv: cannot move `thisdirissticky' to `thisdirissticky_': Operation not permitted
very good so far

Code:
drwxrwx--T 2 root   mygroup 88 2008-03-20 14:29 .
drwxrwx--T 3 root   mygroup 80 2008-03-20 14:28 ..
-rwxrwx--- 1 user_a mygroup  0 2008-03-20 14:14 thisfileidontwantsticky
# sudo -u user_a mv thisfileidontwantsticky thisfileidontwantsticky_
still good, but:

Code:
# sudo -u user_b mv thisfileidontwantsticky_ thisfileidontwantsticky
mv: cannot move `thisfileidontwantsticky_' to `thisfileidontwantsticky': Operation not permitted
I want that to be possible. Every user should have unlimited access to all files within the structure, including move and delete permissions. I am desperately looking for a way to do that.

Regarding ACLs: I read a bit on them (never heard about them before). I'm not sure this is what I am looking for and foremost I can't test them so easy because I'm using ReiserFS, so I would have to patch my kernel, what I've never done before.

Isn't there a trick or a (samba-)tweak that could help me?
 
Old 03-20-2008, 08:28 PM   #7
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654Reputation: 654
The reiserfs may support user acls. I think it depends on the options used when the filesystem was formatted.
You may need to install the acl package if you don't have it.

To both protect the subdirectories and allow full access to files by all users,
you might try "force user = nobody" and "force group = nogroup" options together
with the sticky bit on the directories.

This will need to be tested however. If all the users are forced to to be the same, they
may be able to delete any file because they were created by the same user.
 
Old 03-27-2008, 07:54 AM   #8
alexandrusa
LQ Newbie
 
Registered: Jan 2008
Location: Frankfurt am Main, Germany
Distribution: Debian 4.0, Windows 2003 Server
Posts: 12

Original Poster
Rep: Reputation: 1
Quote:
Originally Posted by jschiwal View Post
The reiserfs may support user acls. I think it depends on the options used when the filesystem was formatted.
You may need to install the acl package if you don't have it.
I've tried it, without luck.

Quote:
Originally Posted by jschiwal View Post
To both protect the subdirectories and allow full access to files by all users,
you might try "force user = nobody" and "force group = nogroup" options together with the sticky bit on the directories.
The "force user" variable is a good call. It actually works if all files are owned by the user specified in "force user" and the protected directories by someone else.

But I experienced also a strange behavior with directories using the sticky bit. While I was unable to move and delete directories (owned by root, with sticky bit) with at least one sub-directory (owned by root, with sticky bit), with exactly the same configuration, I am now as long as the parent dir is not sticky. This applies to samba- and bash-side. Could this be a Bug?
 
Old 03-27-2008, 10:35 AM   #9
Deleriux
Member
 
Registered: Nov 2003
Posts: 89

Rep: Reputation: 16
Can you not just create the directory that the project will be worked from within and use group sticky on directories (to ensure file group ownerships) then have all users who will be using it put into the group?

Sure, it wont prevent them deleting the directories but thats what backups are for .

I suspect windows ACL's allow for this kind of relationship but the unix ones dont from the configurations i've tried.

Frankly if the group have someone who deletes a structure they know not to delete they shouldnt be in the group in the first place. If its a groups project I would personally see it the responsibility of the group to maintain the projects integrity.
 
  


Reply

Tags
bit, samba, sticky


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Sticky bit on / and /home directories? keysorsoze Linux - Newbie 6 01-21-2007 05:56 PM
Getting a list of directories with certain files inside... Banacek Linux - Newbie 7 11-27-2006 05:43 PM
About Sticky bit... masudur_iiu General 4 09-13-2006 10:23 AM
ProFTPD: Set umask so that directories are created with 'sticky bit' on. dutch2005 Linux - Software 1 09-06-2005 05:06 AM
Sticky Bit tarballed Linux - General 4 07-03-2002 03:54 PM


All times are GMT -5. The time now is 04:41 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration