LinuxQuestions.org
Help answer threads with 0 replies.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - General
User Name
Password
Linux - General This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.

Notices


Reply
  Search this Thread
Old 04-15-2021, 11:03 AM   #1
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 1,902

Rep: Reputation: 147Reputation: 147
How to prevent directory from being moved.


Our office has a shared CIFS mount. A couple of the directories on that volume are:
Code:
drwxrwxr-x 5098 ohprso ohprs    188416 2021-04-15 08:15 Pension\ Files/
drwxrwsr-x 15 ohprso ohprs 4096 2021-02-18 13:14 Staff/
Today, one of the users accidentally moved the "Pension Files" directory to a sub-directory under "Staff", allegedly because the dog bumped the table when the user was attempting to open this folder. The rest of the office was unable to find "Pension Files" until the perpetrator realized the problem and moved it back.

All users have RWX access to this directory and its sub-directories and files, as should be the case. Is there a way to prevent the "Pension Files" directory itself from being moved?
 
Old 04-15-2021, 11:17 AM   #2
shruggy
Senior Member
 
Registered: Mar 2020
Posts: 2,321

Rep: Reputation: Disabled
See descriptions of the flag -p and directory attribute P in chattr(1).

If you find a filesystem that supports the P attribute, that is. It's supported neither by Ext4 nor by XFS.

Perhaps you can achieve something similar by using CIFS filesystem and setting file permissions via setcifsacl(1). AFAIUI, it uses NTFS-style file-level security attributes. The first example in the setcifsacl man page seems to be relevant. Something like
Code:
setcifsacl -a '"ACL:ohprs:DENIED/NI/D"' 'Pension Files'

Last edited by shruggy; 04-15-2021 at 02:20 PM.
 
Old 04-15-2021, 07:34 PM   #3
JeremyBoden
Senior Member
 
Registered: Nov 2011
Location: London, UK
Distribution: Debian
Posts: 1,887

Rep: Reputation: 467Reputation: 467Reputation: 467Reputation: 467Reputation: 467
If 'Pension' was a sub-directory of a directory to which you don't have write permissions - then you couldn't move 'Pension'.
[ This would require updating the parent directory ].
 
Old 04-19-2021, 12:19 PM   #4
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 1,902

Original Poster
Rep: Reputation: 147Reputation: 147
Quote:
Originally Posted by JeremyBoden View Post
If 'Pension' was a sub-directory of a directory to which you don't have write permissions - then you couldn't move 'Pension'.
[ This would require updating the parent directory ].
I'll give that a try after hours. I'm skeptical because the parent folder is a samba mount-point, but I'll try it.

Shruggy: the file system is ext4, so I suppose that means your chattr idea is out. I'd like to try your setcifsacl idea if the cifs/permission idea doesn't work out. I hate to simply monkey-type your solution without understanding it. Are ACE's documented somewhere? The're described briefly in the setcifsacl man page, but not enough for understanding. For example, how did you know that NI (NO_PROPAGATE_INHERIT_FLAG) mean apply only to this file/folder? It seems logical once you've chosen it, but where is it described? Likewise your choice of 'D' for a mask -- what that means is not described at all. I'm not asking for you to do the describing, just for where these are defined is better detail. I've not found a man page or online search that helps.
 
Old 04-19-2021, 01:51 PM   #5
shruggy
Senior Member
 
Registered: Mar 2020
Posts: 2,321

Rep: Reputation: Disabled
TBH, I think what JeremyBoden suggested is the easiest solution.

NTFS permissions. Compare this to definitions in the source code of cifs-utils linked above in #2. There's one typo in the source though. DELDHLD should actually be DELCHLD.
 
Old 04-21-2021, 11:17 PM   #6
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 1,902

Original Poster
Rep: Reputation: 147Reputation: 147
Quote:
Originally Posted by shruggy View Post
TBH, I think what JeremyBoden suggested is the easiest solution.
JeremyBoden's suggestion didn't work, at least the way I test. On the hosting computer I created a directory: /mntRAID/clipub with permissions:
Code:
drwxrwsrwx   3 ohprso ohprs  4096 2021-04-21 23:39 clibup/
This is a test-clone of the actual problem folder:
Code:
drwxrwsrwx  20 ohprso ohprs  8192 2021-04-21 23:08 public/
I changed the permission to:
Code:
dr-xr-sr-x   3 ohprso ohprs  4096 2021-04-21 23:39 clibup/
I 'cp -a' a directory from public/ to cilbup/ to put something in that new directory.
Code:
# ls -l clibup/Pension\ Files/
total 8
drwxrwx--x 7 ohprso ohprs 4096 2021-04-21 23:52 Adams,\ Austin\ J/
I then added the samba config for that new share to smb.conf, which is a clone of the config for [public]
Code:
[clibup]
comment = Test directory moving issues
path = /mnt/RAID/clibup

hide dot files = yes
hide files = /Outlook/outlook/~*/
readonly = no
locking = yes
public = yes
# writeable = yes
# browseable= yes
printable = no
create mask = 0660 
force user = ohprso
force group = ohprs
force create mode = 0660
directory mask = 2771
After restarting samba, I tried cut the "Pension Files" directory and pasting it elsewhere (from the Windows computer, mapped). It did do the paste, and removed the "Adams, Austin J" directory, but did not remove the "Pension Files" directory.

I then tried removing write priv. from the "Pension Files" folder. It also permitted me to cut paste, and did remove that folder from the mapped drive.

I then changed to the clibup folder and tried your setcifsacl:
Code:
# setcifsacl -a '"ACL:ohprs:DENIED/NI/D"' 'Pension Files'
WARNING: unable to initialize idmapping plugin. Only "raw" SID strings will be accepted: /etc/cifs-utils/idmap-plugin: cannot open shared object file: No such file or directory
build_cmdline_aces: Invalid SID (ohprs): SID string does not start with "S-"
Not being familiar with setcifsacl, per my previous post, I don't know where to look to figure out this error. I don't have a /etc/cifs-utils directory, which could be part of the problem. I did try using an SID starting with "S-", but no go on that.
Quote:
NTFS permissions. Compare this to definitions in the source code of cifs-utils linked above in #2. There's one typo in the source though. DELDHLD should actually be DELCHLD.
Supposedly, I do have cifs-utils-6.4-x86_64-2 installed. I did check out your link: https://www.mankier.com/1/setcifsacl, but it didn't give me any clues.

Is there something obvious I can fix here? Can I possibly change a smb.conf setting to do what I want?

Last edited by mfoley; 04-21-2021 at 11:20 PM.
 
Old 04-22-2021, 02:59 AM   #7
shruggy
Senior Member
 
Registered: Mar 2020
Posts: 2,321

Rep: Reputation: Disabled
Quote:
Originally Posted by mfoley View Post
I did check out your link: https://www.mankier.com/1/setcifsacl, but it didn't give me any clues.
I meant this link.
 
Old 04-22-2021, 12:54 PM   #8
mfoley
Senior Member
 
Registered: Oct 2008
Location: Columbus, Ohio USA
Distribution: Slackware
Posts: 1,902

Original Poster
Rep: Reputation: 147Reputation: 147
shruggy: thanks, that link did explain some of the values you had in your setcifsacl example. However, that doesn't really help me use the command or explain why I get the error. I tried JeremyBoden's idea again, this time on the client side, but that prevented new directories from being created.

What I'll do is try to explore setcifsacl and get some help on that for my Slackware 14.2 system and maybe try that again later. And I'll see if anything can be done using samba.
 
  


Reply

Tags
directory, protection


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
debian MX multi-boot installation needs being moved then replaced BudiKusasi Debian 6 02-09-2021 02:18 AM
Wordpress mangles all URLs after being moved to new server rylan76 Linux - Software 2 09-27-2019 02:39 PM
LXer: GNOME 3 update: 'Connect to Server' lives in GNOME 3.5/3.6, I rant about features being moved LXer Syndicated Linux News 0 11-21-2012 04:41 AM
How to stop files moved to Linux from Windows via USB being marked "executable"? rnturn Linux - General 4 09-28-2010 07:32 PM
mv: how to protect files from being moved hamish Linux - Software 4 09-05-2005 09:15 PM

LinuxQuestions.org > Forums > Linux Forums > Linux - General

All times are GMT -5. The time now is 11:31 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration