Permisions--- No Delete?

jedimastermopar · 03-13-2008, 04:56 PM

Is there a sneaky way to allow writes but not allow deletes to a given folders contents?
Trying to allow people to write to a samaba share but prevent them from deleting theres or others files.

Is thre a way to do a chown -R 555 on files but not directories?

Then I could have a mask of say 777 and run the above in a cron every hour to make the files read only but still allow people to create new files within the directories?

jailbait · 03-13-2008, 05:10 PM

Quote:

Originally Posted by jedimastermopar

Is there a sneaky way to allow writes but not allow deletes to a given folders contents?
Trying to allow people to write to a samaba share but prevent them from deleting theres or others files.

Is thre a way to do a chown -R 700 on files but not directories?

Then I could have a mask of 777 and run the above in a cron every hour to make the files read only but still allow people to create new files within the directories?

If you allow people to write to a file then they can destroy the file by writing garbage to the file. They don't have to be able to delete a file in order to destroy it. So allowing people to write to a file but not delete the file does not protect the file.

As to preventing people destroying other people's files the way to do that is to have the ownership and permissions for new files set up so that people cannot write to or delete files created by other users.

I suppose that you could make a user's existing files read only every few minutes with cron. However in any situation that I can imagine a good backup and recovery system is more useful than disallowing users from revising or deleting their own data.

---------------------
Steve Stites

jedimastermopar · 03-13-2008, 05:12 PM

I don't want them to be able to write to them or delete either, I want them to be read only, but allow also allow them to write new files to the folders, and create new folders.

jedimastermopar · 03-13-2008, 05:16 PM

One thing that I thought would work was to set the two variables likes this.

force create mode = 055
force directory mode - 6777

but when I create new files via a samba user in the share the files are all 777 and not 555 as I would have thought?

Also the reason we don't want to allow editing and deleting on this share is that we need to keep track of all file edits done, the idea is that people will version the files as they edit them.

unSpawn · 03-13-2008, 05:27 PM

Quote:

Originally Posted by jedimastermopar

the idea is that people will version the files as they edit them.

People will be lazy, forget, make mistakes or willingly fsck up. if you require versioning why not use versioning?

jedimastermopar · 03-13-2008, 05:28 PM

How do you enforce versioning on a directory?

jedimastermopar · 03-13-2008, 05:42 PM

ok well i figured out how to get what I wanted but I think I woudl still rather be able to cron a chmod 444 to not include the directories. This would allow people to be able to delete things they put in by mistake for a certain ammoutn of time. Like run the cron nightly, to make the files read only.

I changed the
force create mod
to
create mask

Any ideas on how to change the permisions on files recorsivly while leaving the directories permisions in tact?

unSpawn · 03-15-2008, 06:25 AM

Quote:

Originally Posted by jedimastermopar

How do you enforce versioning on a directory?

AFAIK you don't. You can use an application that front-ends versioning as in SVN or CVS or a filesystem that allows versioning or snapshotting like CopyFS (uses FUSE) or ext3cow (usable but missing fsck). BTW, maybe also look into inotify tools like inotifywait since you could do stuff like trigger a copy on change.