sticky bit: how to protect directories but not files inside
Hi,
I'm trying to protect a directory tree but not the files inside. For that I put a sticky bit on each directory and chown them to root. But that also makes the files within the dirs sticky (only the owner can delete them), which is not my intention. I want to prevent alterations to the directory tree but grant unlimited permissions to all users for the files within (at all depths).
Is it possible to achieve that behavior using the file permissions, or do I have to use some trick or script?
The files are only accessed through Samba, so a Samba-side solution would be also helpful.
An idea:
I have now put in each directory an empty directory named ".placeholder" and chowned it to root, which seems to achieve what I want, but I'm not really satisfied with that solution. It prevents deletion of the dirs, but it is still possible to rename and move them.
Thanks
Alex
Last edited by alexandrusa; 03-19-2008 at 10:34 AM.
Not exactly. I thought the sticky bit would solve my problem, but as I realized just now, it doesn't (I didn't try changing to another user, I was just happy that I couldn't move or delete the dirs). I figured a new thread would be more effective since a replier would not be forced to read the entire thread and I could better emphasize my exact problem now.
Explanation of my problem / intention:
I have a predefined directory tree for every project, that is automatically created by a script in root-mode, for example:
If one can see answer history duplicate answers are less likely to happen (..). It's a trade-off.
Quote:
Originally Posted by alexandrusa
I would like to preserve that tree, but also allow all users to create, delete and move files and new directories at all depths. The main reason for that is that in Windows Explorer you can accidentally move an entire directory by dragging. This happened often before.
If you set up the directory to share like:
/srv/samba/ProjectRoot/
and all these directories are created by root in the manner you said, they will be protected from deletion. I tried it out myself and tested it.
Code:
[wildswede]
path = /srv/samba
guest ok = Yes
read only = No
Code:
ls -lR /srv/samba
/srv/samba:
total 20
drwxr-xr-x 2 nobody nobody 4096 Feb 21 02:07 New Folder
-rwxr----- 1 nobody nobody 63 Feb 21 02:23 filebyjimbo_1.txt
-rwxr--r-- 1 nobody nobody 63 Feb 21 02:26 filebyjimbo_2.txt
drwxrwxrwt 4 root root 4096 Feb 22 10:56 share
-rw------- 1 jschiwal jschiwal 0 Feb 21 02:09 textfile
/srv/samba/New Folder:
total 4
-rwxr--r-- 1 nobody nobody 111 Feb 21 02:07 HTML File
/srv/samba/share:
total 8
drwxrwxrwt 6 root root 4096 Feb 22 10:56 subdir1
drwxrwxrwt 6 root root 4096 Feb 22 11:24 subdir2
/srv/samba/share/subdir1:
total 16
drwxrwxrwt 2 root root 4096 Feb 22 10:56 subsubdir1
drwxrwxrwt 2 root root 4096 Feb 22 10:56 subsubdir2
drwxrwxrwt 2 root root 4096 Feb 22 10:56 subsubdir3
drwxrwxrwt 2 root root 4096 Feb 22 10:56 subsubdir4
I was unable to delete or move the subdirectories.
Note how none of the parent directories are owned by a non-root user.
If you remove the sticky bit from the directories then the directories can be deleted even though they are all owned by root. A user creating a file is responsible for protecting a file from being edited or overwritten by changing the permissions.
I would second the idea of reading the manpages for getfacl, setfacl, lsattr & chattr. I even installed the source for the "coreutils" package so that I could run "configure && make pdf" which generated nice looking documentation on most of the programs in /bin/ and /usr/bin/. The documentation for gawk is excellent.
---
I would also recommend mounting samba shares as cifs filesystems rather than browsing when you are using Linux to Linux samba filesharing. You will be able to use tools like setfacl in the shell. I don't know if any graphical file browser will support this level of file permissions/ownership/acl controls on a samba share.
Good Luck! It would be a good idea to play strictly by the rules on any forum site. Remember the Golden Rule. "The dude with the gold makes all the rules!"
Hi jschiwal, thanks for your input.
I already figured what you are writing, my problem is that I want the files to be non-sticky. But even when I set them to 0777 they still are sticky if the parent directory is:
# sudo -u user_b mv thisfileidontwantsticky_ thisfileidontwantsticky
mv: cannot move `thisfileidontwantsticky_' to `thisfileidontwantsticky': Operation not permitted
I want that to be possible. Every user should have unlimited access to all files within the structure, including move and delete permissions. I am desperately looking for a way to do that.
Regarding ACLs: I read a bit on them (never heard about them before). I'm not sure this is what I am looking for, and foremost I can't test them so easily because I'm using ReiserFS, so I would have to patch my kernel, which I've never done before.
Isn't there a trick or a (samba-)tweak that could help me?
The reiserfs may support user acls. I think it depends on the options used when the filesystem was formatted.
You may need to install the acl package if you don't have it.
To both protect the subdirectories and allow full access to files by all users, you might try the "force user = nobody" and "force group = nogroup" options together with the sticky bit on the directories.
This will need to be tested, however. If all the users are forced to be the same, they may be able to delete any file because they were created by the same user.
I've tried it, without luck.
Quote:
Originally Posted by jschiwal
To both protect the subdirectories and allow full access to files by all users,
you might try "force user = nobody" and "force group = nogroup" options together with the sticky bit on the directories.
The "force user" variable is a good call. It actually works if all files are owned by the user specified in "force user" and the protected directories by someone else.
But I also experienced strange behavior with directories using the sticky bit. While I was unable to move and delete directories (owned by root, with sticky bit) with at least one sub-directory (owned by root, with sticky bit), with exactly the same configuration, I now am, as long as the parent dir is not sticky. This applies to the samba and bash side. Could this be a bug?
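The two posts above (jschiwal's "force user" suggestion and the confirmation that it works when files are owned by the forced user and directories by root) both follow from the kernel's sticky-bit rule: the check is made on the parent directory, so a file "inherits" the restriction. The following model of that rule is an added illustration, not code from the thread; the uids, the root-only CAP_FOWNER set and the omission of group permission bits are assumptions made to keep it short.

```python
# Model of the Linux sticky-bit check for unlink/rename (an added illustration,
# not code from the thread). Simplifications (assumptions): only root holds
# CAP_FOWNER, and group permission bits on the parent directory are ignored.
import stat
from dataclasses import dataclass

CAP_FOWNER_UIDS = {0}  # assumption: root is the only CAP_FOWNER holder


@dataclass(frozen=True)
class Inode:
    owner: int
    mode: int  # full st_mode, e.g. stat.S_IFDIR | 0o1777 for a sticky dir


def may_unlink_or_rename(parent: Inode, child: Inode, uid: int) -> bool:
    """Can `uid` delete or rename `child` out of `parent`?

    Needs write+exec on the parent. If the parent has S_ISVTX set, the caller
    must also own the child or the parent (or hold CAP_FOWNER). The file's
    own mode plays no role, which is why chmod 0777 on the file did not help."""
    if uid in CAP_FOWNER_UIDS:
        return True
    perm = parent.mode & 0o777
    needed = 0o300 if parent.owner == uid else 0o003  # owner bits vs. other bits
    if perm & needed != needed:
        return False
    if parent.mode & stat.S_ISVTX and uid not in (child.owner, parent.owner):
        return False
    return True


# Constructed uids: root, Samba's "nobody", and two ordinary users.
ROOT, NOBODY, USER_A, USER_B = 0, 65534, 1000, 1001
DIR_STICKY = Inode(owner=ROOT, mode=stat.S_IFDIR | 0o1777)  # chmod 1777, root-owned
DIR_PLAIN = Inode(owner=ROOT, mode=stat.S_IFDIR | 0o777)    # same dir, sticky bit removed
SUBDIR = Inode(owner=ROOT, mode=stat.S_IFDIR | 0o1777)      # protected project subdir


def without_force_user():
    """Files keep their creator as owner, so user_b hits 'Operation not permitted'
    on user_a's file; the subdir is protected as wanted."""
    f = Inode(owner=USER_A, mode=stat.S_IFREG | 0o777)
    return (may_unlink_or_rename(DIR_STICKY, f, USER_B),
            may_unlink_or_rename(DIR_STICKY, SUBDIR, USER_B))


def with_force_user():
    """'force user = nobody': every file is created as nobody and every client acts
    as nobody, so files are deletable by anyone while root's sticky dirs are not."""
    f = Inode(owner=NOBODY, mode=stat.S_IFREG | 0o777)
    return (may_unlink_or_rename(DIR_STICKY, f, NOBODY),
            may_unlink_or_rename(DIR_STICKY, SUBDIR, NOBODY))
```

Removing the sticky bit (`DIR_PLAIN`) makes the root-owned subdir deletable by any user with write access, which is the behaviour jschiwal described.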
Can you not just create the directory that the project will be worked from within and use group sticky on directories (to ensure file group ownerships) then have all users who will be using it put into the group?
Sure, it won't prevent them deleting the directories, but that's what backups are for.
I suspect Windows ACLs allow for this kind of relationship, but the Unix ones don't from the configurations I've tried.
Frankly, if the group has someone who deletes a structure they know not to delete, they shouldn't be in the group in the first place. If it's a group's project, I would personally see it as the responsibility of the group to maintain the project's integrity.