LinuxQuestions.org - sticky bit: how to protect directories but not files inside

- Linux - Server (https://www.linuxquestions.org/questions/linux-server-73/)

- - sticky bit: how to protect directories but not files inside (https://www.linuxquestions.org/questions/linux-server-73/sticky-bit-how-to-protect-directories-but-not-files-inside-629202/)

sticky bit: how to protect directories but not files inside

Hi,

I'm trying to protect a directory tree but not the files inside. For that I put a sticky bit on each directory and chown them as root. But that also makes the files within the dirs to become sticky (only owner can delete them), what is not my intention. I want to prevent alterations to the directory-tree but grant unlimited permissions to all users for the files within (on all depths).

Is it possible to achieve that behavior using the file permissions, or do I have to use some trick or script?

The files are only accessed through Samba, so a Samba-side solution would be also helpful.

An idea:
I now have put in each directory a empty directory named ".placeholder" and chowned it to root, what seems the achieve what I want but I'm not really satisfied with that solution. It prevents deletion of of the dirs but it is still possible to rename and to move them.

Thanks
Alex

Is this a copy of http://www.linuxquestions.org/questi...elete-623054/? If not, could you explain *why* you need to protect the dirs and not the files within?

Not exactly. I thought the sticky bit would solve my problem but as I realized just now I doesn't (I didn't try changing to another user, I just was happy that I couldn't move or delete the dirs). I figured a new thread would me more effective since a replier would not be forced to read the entire thread and I could better emphasize my exact problem now.

Explanation of my problem / intention:

I have a predefined directory tree for every project, that is automatically created by a script in root-mode, for example:

Code:

project_root

+001_project1

 +01_subdir1

  +01_subsubdir1

  +02_subsubdir2

 +02_subdir2

+002_project2

 +01_subdir1

  +01_subsubdir1

  +02_subsubdir2

 +02_subdir2

I would like to preserve that tree, but also allow all user to create, delete and move files and new directories on all depths.

The main reason for that is that in Windows Explorer you can accidently move an entire directory by dragging. This happened often before.

Quote:

Originally Posted by alexandrusa (Post 3093970)

I figured a new thread would me more effective since a replier would not be forced to read the entire thread and I could better emphasize my exact problem now.

If one can see answer history duplicate answers are less likely to happen (..). It's a trade-off.

Quote:

Originally Posted by alexandrusa (Post 3093970)

I would like to preserve that tree, but also allow all user to create, delete and move files and new directories on all depths. The main reason for that is that in Windows Explorer you can accidently move an entire directory by dragging. This happened often before.

*Sigh* Wetware problems. Look through a few random HOWTO's to see if EA/ACL (http://acl.bestbits.at/) is your thing: http://en.opensuse.org/How_to_share_...sers_using_ACL, http://www.vanemery.com/Linux/ACL/linux-acl.html, http://www.bluelightning.org/linux/samba_acl_howto/. I'm sure you can find some more elaborate and recent ones yourself.

If you set up the directory to share like:
/srv/samba/ProjectRoot/
and all these directories are created by root in the manner you said, they will be protected from deletion. I tried it out myself and tested it.

Code:

[wildswede]

        path = /srv/samba

        guest ok = Yes

        read only = No

Code:

ls -lR /srv/samba

/srv/samba:

total 20

drwxr-xr-x 2 nobody  nobody  4096 Feb 21 02:07 New Folder

-rwxr----- 1 nobody  nobody    63 Feb 21 02:23 filebyjimbo_1.txt

-rwxr--r-- 1 nobody  nobody    63 Feb 21 02:26 filebyjimbo_2.txt

drwxrwxrwt 4 root    root    4096 Feb 22 10:56 share

-rw------- 1 jschiwal jschiwal    0 Feb 21 02:09 textfile



/srv/samba/New Folder:

total 4

-rwxr--r-- 1 nobody nobody 111 Feb 21 02:07 HTML File



/srv/samba/share:

total 8

drwxrwxrwt 6 root root 4096 Feb 22 10:56 subdir1

drwxrwxrwt 6 root root 4096 Feb 22 11:24 subdir2



/srv/samba/share/subdir1:

total 16

drwxrwxrwt 2 root root 4096 Feb 22 10:56 subsubdir1

drwxrwxrwt 2 root root 4096 Feb 22 10:56 subsubdir2

drwxrwxrwt 2 root root 4096 Feb 22 10:56 subsubdir3

drwxrwxrwt 2 root root 4096 Feb 22 10:56 subsubdir4

I was unable to delete or move the subdirectories.
Note how none of the parent directories are owned by a non-root user.

If you remove the sticky bit from the directories then the directories can be deleted even though they are all owned by root. A user creating a file is responsible for protecting a file from being edited or overwritten by changing the permissions.

I would second the idea of reading the manpages for getfacl, setfacl, lsattr & chattr. I even installed the source for the "coreutils" package so that I could run "configure && make pdf" which generated nice looking documentation on most of the programs in /bin/ and /usr/bin/. The documentation for gawk is excellent.

---

I would also recommend mounting samba shares as cifs filesystems rather than browsing when you are using Linux to Linux samba filesharing. You will be able to use tools like setfacl in the shell. I don't know if any graphical file browser will support this level of file permissions/ownership/acl controls on a samba share.

Good Luck! It would be a good idea to play strictly by the rules on any forum site. Remember the Golden Rule. "The dude with the gold makes all the rules!";)

Quote:

Originally Posted by jschiwal (Post 3094667)

Hi jschiwal, thanks for your input.

I already figured what you are writing, my problem is that I want the files to be non-sticky. But even when I set them to 0777 they still are sticky if the parent directory is:

Code:

drwxrwx--T  3 root  mygroup  80 2008-03-20 14:28 .

drwxrwx--- 26 user_a mygroup 1.3K 2008-03-20 14:21 ..

drwxrwx--T  2 root  mygroup  88 2008-03-20 14:29 thisdirissticky

# sudo -u user_a mv thisdirissticky thisdirissticky_

mv: cannot move `thisdirissticky' to `thisdirissticky_': Operation not permitted

# sudo -u user_b mv thisdirissticky thisdirissticky_

mv: cannot move `thisdirissticky' to `thisdirissticky_': Operation not permitted

very good so far

Code:

drwxrwx--T 2 root  mygroup 88 2008-03-20 14:29 .

drwxrwx--T 3 root  mygroup 80 2008-03-20 14:28 ..

-rwxrwx--- 1 user_a mygroup  0 2008-03-20 14:14 thisfileidontwantsticky

# sudo -u user_a mv thisfileidontwantsticky thisfileidontwantsticky_

still good, but:

Code:

# sudo -u user_b mv thisfileidontwantsticky_ thisfileidontwantsticky

mv: cannot move `thisfileidontwantsticky_' to `thisfileidontwantsticky': Operation not permitted

I want that to be possible. Every user should have unlimited access to all files within the structure, including move and delete permissions. I am desperately looking for a way to do that.

Regarding ACLs: I read a bit on them (never heard about them before). I'm not sure this is what I am looking for and foremost I can't test them so easy because I'm using ReiserFS, so I would have to patch my kernel, what I've never done before.

Isn't there a trick or a (samba-)tweak that could help me?

The reiserfs may support user acls. I think it depends on the options used when the filesystem was formatted.
You may need to install the acl package if you don't have it.

To both protect the subdirectories and allow full access to files by all users,
you might try "force user = nobody" and "force group = nogroup" options together
with the sticky bit on the directories.

This will need to be tested however. If all the users are forced to to be the same, they
may be able to delete any file because they were created by the same user.

Quote:

Originally Posted by jschiwal (Post 3095510)

The reiserfs may support user acls. I think it depends on the options used when the filesystem was formatted.
You may need to install the acl package if you don't have it.

I've tried it, without luck.

Quote:

Originally Posted by jschiwal (Post 3095510)

To both protect the subdirectories and allow full access to files by all users,
you might try "force user = nobody" and "force group = nogroup" options together with the sticky bit on the directories.

The "force user" variable is a good call. It actually works if all files are owned by the user specified in "force user" and the protected directories by someone else.

But I experienced also a strange behavior with directories using the sticky bit. While I was unable to move and delete directories (owned by root, with sticky bit) with at least one sub-directory (owned by root, with sticky bit), with exactly the same configuration, I am now as long as the parent dir is not sticky. This applies to samba- and bash-side. Could this be a Bug?

Can you not just create the directory that the project will be worked from within and use group sticky on directories (to ensure file group ownerships) then have all users who will be using it put into the group?

Sure, it wont prevent them deleting the directories but thats what backups are for :).

I suspect windows ACL's allow for this kind of relationship but the unix ones dont from the configurations i've tried.

Frankly if the group have someone who deletes a structure they know not to delete they shouldnt be in the group in the first place. If its a groups project I would personally see it the responsibility of the group to maintain the projects integrity.