Making directories immutable and being able to create files within the directory?
Hello, does anyone have any ideas as to how one could make a directory immutable, just the directory to protect it from removal but still be able to write files within the directory? This came up because I have had several people that have deleted their directories several times.
Not sure that can be managed with permissions. I'd think a directory needs to be writeable to be written to.
One idea: Create a hidden file within the directory owned by root
I do not think you can do this with a single directory. You could, however, embed the directory in a "protective" parent directory and change the attributes of the parent directory to immutable:
You must issue the above commands as root. Setting the +i flag on protect will make 'protect' immutable, i.e., you will not be able to delete 'protect' or any of its contents. You can, however, create and delete files in 'workfolder'.
Cool, thanks for the ideas! I think this is how im going to do it.
Create a .dontremove file as suggested above, and then I will make the .file immutable, which should cause rm to bail because the directory is not empty and the file can't be removed.
You're welcome. That should do it. I learned about chattr in this thread...very interesting.
I note only root can set the immutable attribute. Of course, even without using chattr, were the file owned by root, no one else could remove it either.
Of course, even without using chattr, were the file owned by root, no one else could remove it either.
You've been around here long enough to know better than that. Absent the "immutable" attribute, all you need is write and execute permission on the directory in order to remove any file therein. That message from rm that a file is write protected is just a helpful suggestion, and you just need to respond "y" to proceed.
I did not know that! Yes, I should have. One of the challenges of working as root most of the time...besides being dangerous, it can make one ignorant.
Thanks for the correction.
You've been around here long enough to know better than that. Absent the "immutable" attribute, all you need is write and execute permission on the directory in order to remove any file therein. That message from rm that a file is write protected is just a helpful suggestion, and you just need to respond "y" to proceed.
You could utilize the sticky bit to avoid deleting files from other users:
Code:
# mkdir workfolder # all commands as root
# chgrp <usergroup> workfolder
# chmod 1775 workfolder
# touch workfolder/lockfile
# chmod g+w workfolder/lockfile # even the same group cannot delete the file, only the user
The sticky bit (at least in Linux) lets you create files in workfolder but prohibits you from deleting files that you do not own, unless you are root. The sticky bit - in contrast to chattr - does not prohibit root from doing "damage".
If none of the users have root privileges then this might also be a suitable "lockfile" solution that does not require chattr. Depending on how the filesystem was created, chattr may not always be available.
PS:
I changed the group to the user's group for demonstration purposes only. If you want a "lockfile" solution then its group should probably stay root.
Last edited by crts; 02-26-2019 at 01:21 PM.
Reason: Added title
Being the owner of the directory is also sufficient to bypass the sticky bit, and the original post in this thread mentioned "people that have deleted their directories."
What directories are they, the standard ones (Documents, Music, etc.) or ones they have created themselves? You could perhaps create a script that takes a "snapshot" of what dirs they have, then upon logging in to their account check them and, if not there, re-create them. It could get a bit hairy if they delete a directory on purpose, no longer wanting it, though.
Don't they have any idea how to create a dir? A redundant question, I'm sure, seeing as how you're asking how to make it so they cannot delete the directories.
Yet, if they can delete them, then they have rights to create directories too. Maybe a short training session for the "employees" to teach them some basics they need to know, so they can fix what they screwed up.
Being the owner of the directory is also sufficient to bypass the sticky bit ...
relates to my "sticky-bit" solution. I explicitly posted that the commands need to be issued by root, thus the folder is created and owned by root and not the user. Notice that I only change the group to the user's group but not ownership. If the folder exists already then, of course, the first step needs to be omitted and instead of chgrp
Code:
# chown 0:<usergroup> workfolder
needs to be issued. In any case, the resulting permissions/ownerships are:
Code:
# ls -ld workfolder
drwxrwxr-t 2 root <usergroup> 4.0K Feb 26 16:00 workfolder/
# ls -l workfolder
-rw-r--r-- 1 root root 0 Feb 26 16:00 lockfile
The user can neither change ownership nor remove the sticky-bit.
Since all solutions require root intervention and result in the user losing control over the directory, I see no reason why the folder should not be owned by root.
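As an added illustration (not code from anyone in this thread), the script below models the unlink rules the replies argue about: only the parent directory's write+execute bits matter, the sticky bit additionally requires owning the entry or the parent, root bypasses all of that, and the chattr +i flag is invisible to stat() and must be read with lsattr. The uid 12345 and the temporary "workfolder" layout are constructed for the demo.

```python
import os
import stat
import subprocess
import tempfile

def _has_perm(st, uid, gids, owner_bit):
    """owner_bit is the owner-class bit (S_IWUSR / S_IXUSR); group/other bits are derived."""
    if st.st_uid == uid:
        return bool(st.st_mode & owner_bit)
    if st.st_gid in gids:
        return bool(st.st_mode & (owner_bit >> 3))
    return bool(st.st_mode & (owner_bit >> 6))

def can_unlink(path, uid, gids):
    """Can this uid remove the entry `path` from its parent? Ignores chattr +i."""
    if uid == 0:                       # root bypasses DAC (CAP_DAC_OVERRIDE), but not +i
        return True
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    entry = os.lstat(path)
    # The entry's own mode is irrelevant: w on the parent edits the listing, x searches it.
    if not (_has_perm(parent, uid, gids, stat.S_IWUSR)
            and _has_perm(parent, uid, gids, stat.S_IXUSR)):
        return False
    # Sticky bit: must own the entry or the directory itself (the point raised above).
    if parent.st_mode & stat.S_ISVTX:
        return uid in (entry.st_uid, parent.st_uid)
    return True

def is_immutable(path):
    """True/False from `lsattr -d`; None if lsattr is missing or the fs has no attributes."""
    try:
        out = subprocess.run(["lsattr", "-d", path], capture_output=True, text=True)
    except FileNotFoundError:
        return None
    if out.returncode != 0:
        return None
    return "i" in out.stdout.split()[0]

def demo():
    """Constructed layout: a parent 'workfolder' holding a subdirectory owned by us."""
    parent = os.path.join(tempfile.mkdtemp(), "workfolder")
    os.mkdir(parent)
    child = os.path.join(parent, "keepme")
    os.mkdir(child)
    stranger = 12345                   # constructed uid that owns nothing here
    results = {}
    os.chmod(parent, 0o1777)           # sticky: anyone may create, only owners delete
    results["sticky"] = can_unlink(child, stranger, {stranger})
    os.chmod(parent, 0o777)            # world-writable without sticky: anyone may delete
    results["open"] = can_unlink(child, stranger, {stranger})
    os.chmod(parent, 0o755)            # not writable by strangers at all
    results["closed"] = can_unlink(child, stranger, {stranger})
    results["owner"] = can_unlink(child, os.getuid(), {os.getgid()})
    return results
```

Running demo() as a normal user shows the sticky and closed cases refusing the stranger while the directory owner can still delete, which is why the replies insist the directory itself be owned by root; is_immutable() reports the +i flag that would stop even root.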