User Unable to delete files with ACL user:rwx on directory with sticky bit
I was wondering if it is possible to have two owners of a directory (the boss and manager). This is the hierarchy I am trying to accomplish:
Code:
                    harry (boss needs full control of directory)
                      |
        +-------------+----------------+
        |             |                |
      frank         mary             isaac (Managers need full control of directory)
        |             |                |
      sales       accounting           hr (group folders)
        |
     ---+----
     |      |
   jazmin  joe (Group members need rwx access but no delete unless user owns file)
I have the following setup inside the folder "company". Everything works great, except the boss can't delete files he does not want. The manager has to do it, or the owner of the file. I tried using ACLs, but the sticky bit seems to prevent the deletion by the boss (harry).
Code:
[root@server company]# getfacl sales
# file: sales
# owner: isaac
# group: sales
# flags: -st
user::rwx
user:harry:rwx
group::rwx
mask::rwx
other::---
default:user::rwx
default:user:harry:rwx
default:group::rwx
default:mask::rwx
default:other::---
[root@server company]# ls -l
total 24
drwxrws--T+ 2 frank accounting 4096 Aug 22 16:55 accounting
drwxrws--T+ 2 mary hr 4096 Aug 22 16:44 hr
drwxrws--T+ 2 isaac sales 4096 Aug 22 16:45 sales
[root@server company]# ls -l sales
total 100
-rw-rwxr--+ 1 harry sales 0 Aug 22 09:42 boss-f2
-rw-rwxr--+ 1 harry sales 0 Aug 22 09:42 boss-f3
-rw-rwxr--+ 1 harry sales 0 Aug 22 09:42 boss-f4
-rw-rwxr--+ 1 harry sales 0 Aug 22 09:42 boss-f5
-rw-rwxr--+ 1 harry sales 0 Aug 22 09:42 boss-f6
-rw-rw----+ 1 harry sales 0 Aug 22 16:45 boss-new-1
-rw-rwxr--+ 1 isaac sales 18 Aug 22 10:56 isaac-f1
-rw-rwxr--+ 1 isaac sales 0 Aug 22 10:54 isaac-f2
-rw-rwxr--+ 1 isaac sales 0 Aug 22 10:54 isaac-f3
-rw-rwxr--+ 1 isaac sales 0 Aug 22 10:54 isaac-f4
-rw-rwxr--+ 1 isaac sales 0 Aug 22 10:54 isaac-f5
-rw-rwxr--+ 1 isaac sales 0 Aug 22 10:54 isaac-f6
-rw-rwxr--+ 1 jazmin sales 0 Aug 22 10:55 jazmin-f2
-rw-rwxr--+ 1 jazmin sales 0 Aug 22 10:55 jazmin-f3
-rw-rwxr--+ 1 jazmin sales 0 Aug 22 10:55 jazmin-f4
-rw-rwxr--+ 1 jazmin sales 0 Aug 22 10:55 jazmin-f5
-rw-rwxr--+ 1 jazmin sales 0 Aug 22 10:55 jazmin-f6
-rw-rwxr--+ 1 joe sales 18 Aug 22 10:56 joe-f1
-rw-rwxr--+ 1 joe sales 0 Aug 22 10:52 joe-f2
-rw-rwxr--+ 1 joe sales 0 Aug 22 10:52 joe-f3
-rw-rwxr--+ 1 joe sales 0 Aug 22 10:52 joe-f4
-rw-rwxr--+ 1 joe sales 0 Aug 22 10:52 joe-f5
-rw-rwxr--+ 1 joe sales 0 Aug 22 10:52 joe-f6
Can't be done. Without the sticky bit anyone who can create a file in a directory will be able to delete a file in that directory, and with the sticky bit Harry and the managers won't be able to delete files they don't own.
You're going to have to either trust Joe and Jazmin, or give them each their own private subdirectory to create their files in, and optionally come up with some sort of check-in/check-out mechanism if you want to be able to promote their files into any of the shared locations (such as sales/). Either way, you're going to have to stop using the sticky bit if you want Harry to have full control.
Thanks for the info. I was under the impression that the ACL rule would allow harry to delete files in those directories, but I tried it and it did not work. Harry just can't delete anything, but the managers work fine. They can remove any file at will because they are the owners of the directories, even with the sticky bit on. Since the ACL rule did not work, I was thinking of perhaps writing a two-line script and setting the SUID bit, giving harry permission to run it, so that he can become the manager when deleting files. What do you think?
The restricted deletion flag or sticky bit is a single bit, whose interpretation depends on the file type. For directories, it prevents unprivileged users from removing or renaming a file in the directory unless they own the file or the directory
... I'd forgotten about that 'or the directory' part.
In Linux you can't SUID a script file, but you could do something with sudo to allow the boss-man to take ownership of any files.
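An added example, not from this thread or any of its posters: a simplified Python model of the two checks the replies describe, POSIX ACL evaluation for write access on the directory, then the sticky-bit rule quoted from the manual. It parses the getfacl output for sales shown above; the group memberships passed in and the function names are assumptions for the illustration, and the model is not kernel code.

```python
# Constructed from the getfacl output quoted in the thread (access entries only).
GETFACL_SALES = """\
# file: sales
# owner: isaac
# group: sales
# flags: -st
user::rwx
user:harry:rwx
group::rwx
mask::rwx
other::---
"""

def parse_getfacl(text):
    """Return (owner, group, sticky, access_entries) from getfacl text."""
    meta, entries = {}, []
    for line in text.splitlines():
        if line.startswith("# "):
            key, _, val = line[2:].partition(": ")
            meta[key] = val.strip()
        elif line and not line.startswith("default:"):
            tag, qual, perms = line.split(":")
            entries.append((tag, qual, set(perms) - {"-"}))
    return meta["owner"], meta["group"], meta["flags"][-1] in "tT", entries

def acl_perms(user, groups, owner, group, entries):
    """Effective permissions by the POSIX ACL algorithm: owner entry (unmasked),
    else the matching named user (masked), else the union of matching group
    entries (masked), else other."""
    mask = next((p for t, _, p in entries if t == "mask"), {"r", "w", "x"})
    if user == owner:
        return next(p for t, q, p in entries if t == "user" and q == "")
    named = [p for t, q, p in entries if t == "user" and q == user]
    if named:
        return named[0] & mask
    grp = [p for t, q, p in entries
           if t == "group" and (group if q == "" else q) in groups]
    if grp:
        return set().union(*grp) & mask
    return next(p for t, _, p in entries if t == "other")

def can_unlink(user, groups, dir_acl, file_owner, cap_fowner=False):
    """Model of the unlink decision: write+search on the parent directory first,
    then the sticky-bit rule (file owner, directory owner, or CAP_FOWNER)."""
    owner, group, sticky, entries = parse_getfacl(dir_acl)
    if not {"w", "x"} <= acl_perms(user, groups, owner, group, entries):
        return False            # no write access to the directory at all
    if not sticky:
        return True             # no restricted deletion: any writer may unlink
    return cap_fowner or user in (file_owner, owner)   # sticky: EPERM otherwise
```

Harry's named ACL entry gets him past the first check, which is why the ACL looked like it should work; only the sticky-bit rule stops him, and clearing that bit (flags -s-) lets every writer delete everything, exactly the trade-off the first reply describes.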