sticky bit: how to protect directories but not files inside
Hi,
I'm trying to protect a directory tree but not the files inside. For that I put a sticky bit on each directory and chown them as root. But that also makes the files within the dirs to become sticky (only owner can delete them), what is not my intention. I want to prevent alterations to the directory-tree but grant unlimited permissions to all users for the files within (on all depths). Is it possible to achieve that behavior using the file permissions, or do I have to use some trick or script? The files are only accessed through Samba, so a Samba-side solution would be also helpful. An idea: I now have put in each directory a empty directory named ".placeholder" and chowned it to root, what seems the achieve what I want but I'm not really satisfied with that solution. It prevents deletion of of the dirs but it is still possible to rename and to move them. Thanks Alex |
Is this a copy of http://www.linuxquestions.org/questi...elete-623054/? If not, could you explain *why* you need to protect the dirs and not the files within?
|
Not exactly. I thought the sticky bit would solve my problem but as I realized just now I doesn't (I didn't try changing to another user, I just was happy that I couldn't move or delete the dirs). I figured a new thread would me more effective since a replier would not be forced to read the entire thread and I could better emphasize my exact problem now.
Explanation of my problem / intention: I have a predefined directory tree for every project, that is automatically created by a script in root-mode, for example: Code:
project_root The main reason for that is that in Windows Explorer you can accidently move an entire directory by dragging. This happened often before. |
Quote:
Quote:
|
If you set up the directory to share like:
/srv/samba/ProjectRoot/ and all these directories are created by root in the manner you said, they will be protected from deletion. I tried it out myself and tested it. Code:
[wildswede] Code:
ls -lR /srv/samba Note how none of the parent directories are owned by a non-root user. If you remove the sticky bit from the directories then the directories can be deleted even though they are all owned by root. A user creating a file is responsible for protecting a file from being edited or overwritten by changing the permissions. I would second the idea of reading the manpages for getfacl, setfacl, lsattr & chattr. I even installed the source for the "coreutils" package so that I could run "configure && make pdf" which generated nice looking documentation on most of the programs in /bin/ and /usr/bin/. The documentation for gawk is excellent. --- I would also recommend mounting samba shares as cifs filesystems rather than browsing when you are using Linux to Linux samba filesharing. You will be able to use tools like setfacl in the shell. I don't know if any graphical file browser will support this level of file permissions/ownership/acl controls on a samba share. Good Luck! It would be a good idea to play strictly by the rules on any forum site. Remember the Golden Rule. "The dude with the gold makes all the rules!";) |
Quote:
I already figured what you are writing, my problem is that I want the files to be non-sticky. But even when I set them to 0777 they still are sticky if the parent directory is: Code:
drwxrwx--T 3 root mygroup 80 2008-03-20 14:28 . Code:
drwxrwx--T 2 root mygroup 88 2008-03-20 14:29 . Code:
# sudo -u user_b mv thisfileidontwantsticky_ thisfileidontwantsticky Regarding ACLs: I read a bit on them (never heard about them before). I'm not sure this is what I am looking for and foremost I can't test them so easy because I'm using ReiserFS, so I would have to patch my kernel, what I've never done before. Isn't there a trick or a (samba-)tweak that could help me? |
The reiserfs may support user acls. I think it depends on the options used when the filesystem was formatted.
You may need to install the acl package if you don't have it. To both protect the subdirectories and allow full access to files by all users, you might try "force user = nobody" and "force group = nogroup" options together with the sticky bit on the directories. This will need to be tested however. If all the users are forced to to be the same, they may be able to delete any file because they were created by the same user. |
Quote:
Quote:
But I experienced also a strange behavior with directories using the sticky bit. While I was unable to move and delete directories (owned by root, with sticky bit) with at least one sub-directory (owned by root, with sticky bit), with exactly the same configuration, I am now as long as the parent dir is not sticky. This applies to samba- and bash-side. Could this be a Bug? |
Can you not just create the directory that the project will be worked from within and use group sticky on directories (to ensure file group ownerships) then have all users who will be using it put into the group?
Sure, it wont prevent them deleting the directories but thats what backups are for :). I suspect windows ACL's allow for this kind of relationship but the unix ones dont from the configurations i've tried. Frankly if the group have someone who deletes a structure they know not to delete they shouldnt be in the group in the first place. If its a groups project I would personally see it the responsibility of the group to maintain the projects integrity. |
All times are GMT -5. The time now is 03:51 PM. |