LinuxQuestions.org
Old 02-25-2019, 12:12 PM   #1
linux_nerd
LQ Newbie
 
Registered: Jun 2015
Posts: 26

Rep: Reputation: Disabled
Making directories immutable and being able to create files within the directory?


Hello, does anyone have any ideas as to how one could make a directory immutable, just the directory to protect it from removal but still be able to write files within the directory? This came up because I have had several people that have deleted their directories several times.
 
Old 02-25-2019, 12:54 PM   #2
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Rep: Reputation: 2211
Quote:
Originally Posted by linux_nerd View Post
Hello, does anyone have any ideas as to how one could make a directory immutable, just the directory to protect it from removal but still be able to write files within the directory? This came up because I have had several people that have deleted their directories several times.
Not sure that can be managed with permissions. I'd think a directory needs to be writeable to be written to.

One idea: Create a hidden file within the directory owned by root
Code:
touch /home/userdir/.donotremove
chown root:root /home/userdir/.donotremove
Now a rmdir should fail with
Code:
rmdir: failed to remove ‘/home/userdir/’: Directory not empty
 
1 members found this post helpful.
Old 02-25-2019, 01:41 PM   #3
crts
Senior Member
 
Registered: Jan 2010
Posts: 2,020

Rep: Reputation: 757
I do not think you can do this with a single directory. You could, however, embed the directory in a "protective" parent directory and change the attributes of the parent directory to immutable:
Code:
# mkdir -p protect/workfolder
# chgrp <usergroup> protect/workfolder
# chmod g+w protect/workfolder
# chattr -V +i protect
You must issue the above commands as root. Setting the +i flag on protect will make 'protect' immutable, i.e., you will not be able to delete 'protect' or any of its contents. You can, however, create and delete files in 'workfolder'.
 
Old 02-25-2019, 02:21 PM   #4
linux_nerd
LQ Newbie
 
Registered: Jun 2015
Posts: 26

Original Poster
Rep: Reputation: Disabled
Cool, thanks for the ideas! I think this is how I'm going to do it.
Create a .dontremove file as suggested above and then I will make the .file immutable, which should cause rm to bail because the directory is not empty and the file can't be removed.
 
Old 02-25-2019, 04:15 PM   #5
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Rep: Reputation: 2211
Quote:
Originally Posted by linux_nerd View Post
Cool, thanks for the ideas! I think this is how I'm going to do it.
Create a .dontremove file as suggested above and then I will make the .file immutable, which should cause rm to bail because the directory is not empty and the file can't be removed.
You're welcome. That should do it. I learned about chattr in this thread...very interesting.

I note only root can set the immutable attribute. Of course, even without using chattr, were the file owned by root, no one else could remove it either.
 
Old 02-25-2019, 09:56 PM   #6
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,779

Rep: Reputation: 2212
Quote:
Originally Posted by scasey View Post
Of course, even without using chattr, were the file owned by root, no one else could remove it either.
You've been around here long enough to know better than that. Absent the "immutable" attribute, all you need is write and execute permission on the directory in order to remove any file therein. That message from rm that a file is write protected is just a helpful suggestion, and you just need to respond "y" to proceed.
 
1 members found this post helpful.
Old 02-26-2019, 12:45 AM   #7
scasey
LQ Veteran
 
Registered: Feb 2013
Location: Tucson, AZ, USA
Distribution: CentOS 7.9.2009
Posts: 5,727

Rep: Reputation: 2211
Quote:
Originally Posted by rknichols View Post
You've been around here long enough to know better than that. Absent the "immutable" attribute, all you need is write and execute permission on the directory in order to remove any file therein. That message from rm that a file is write protected is just a helpful suggestion, and you just need to respond "y" to proceed.
I did not know that! Yes, I should have. One of the challenges of working as root most of the time...besides being dangerous, it can make one ignorant
Thanks for the correction.
 
Old 02-26-2019, 01:00 AM   #8
crts
Senior Member
 
Registered: Jan 2010
Posts: 2,020

Rep: Reputation: 757
Sticky bit

Quote:
Originally Posted by rknichols View Post
You've been around here long enough to know better than that. Absent the "immutable" attribute, all you need is write and execute permission on the directory in order to remove any file therein. That message from rm that a file is write protected is just a helpful suggestion, and you just need to respond "y" to proceed.
You could utilize the sticky bit to avoid deleting files from other users:

Code:
# mkdir workfolder # all commands as root
# chgrp <usergroup> workfolder
# chmod 1775 workfolder
# touch workfolder/lockfile
# chmod g+w workfolder/lockfile # even the same group cannot delete the file, only the user
The sticky bit (at least in Linux) lets you create files in workfolder but prohibits you from deleting files that you do not own, unless you are root. The sticky bit - in contrast to chattr - does not prohibit root from doing "damage".
If none of the users have root privileges then this might also be a suitable "lockfile" solution that does not require chattr. Depending on how the filesystem was created, chattr may not always be available.

PS:
I changed the group to the user's group for demonstration purposes only. If you want a "lockfile" solution then its group should probably stay root.

Last edited by crts; 02-26-2019 at 01:21 PM. Reason: Added title
 
Old 02-26-2019, 08:44 AM   #9
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,779

Rep: Reputation: 2212
Quote:
Originally Posted by crts View Post
You could utilize the sticky bit to avoid deleting files from other users:

Code:
# mkdir workfolder # all commands as root
# chgrp <usergroup> workfolder
# chmod 1775 workfolder
# touch workfolder/lockfile
# chmod g+w workfolder/lockfile # even the same group cannot delete the file, only the user
The sticky bit (at least in Linux) lets you create files in workfolder but prohibits you from deleting files that you do not own, unless you are root. The sticky bit - in contrast to chattr - does not prohibit root from doing "damage".
Being the owner of the directory is also sufficient to bypass the sticky bit, and the original post in this thread mentioned "people that have deleted their directories."
 
Old 02-26-2019, 08:53 AM   #10
BW-userx
LQ Guru
 
Registered: Sep 2013
Location: Somewhere in my head.
Distribution: Slackware (15 current), Slack15, Ubuntu studio, MX Linux, FreeBSD 13.1, WIn10
Posts: 10,342

Rep: Reputation: 2242
What directories are they, the standard ones, Documents, Music, etc, or ones they have created themselves? You could perhaps create a script that takes a "snap shot" of what dirs they have, then upon logging in to their account check them, then if not there re-create them. It could get a bit hairy if they delete a directory on purpose no longer wanting it though.

Don't they have any idea how to create a dir? A redundant question I'm sure. Seeing as how you're asking how to make it so they cannot delete the directories.

Yet, if they can delete them, then they have rights to create directories too. Maybe a short training session for the "employees" to teach them some basics they need to know. So they can fix what they screwed up.

Last edited by BW-userx; 02-26-2019 at 08:55 AM.
 
Old 02-26-2019, 09:49 AM   #11
crts
Senior Member
 
Registered: Jan 2010
Posts: 2,020

Rep: Reputation: 757
I am not sure how this
Quote:
Originally Posted by rknichols View Post
Being the owner of the directory is also sufficient to bypass the sticky bit ...
relates to my "sticky-bit" solution. I explicitly posted that the commands need to be issued by root, thus the folder is created and owned by root and not the user. Notice that I only change the group to the user's group but not ownership. If the folder exists already then, of course, the first step needs to be omitted and instead of chgrp
Code:
# chown 0:<usergroup> workfolder
needs to be issued. In any case, the resulting permissions/ownerships are:
Code:
# ls -ld workfolder
drwxrwxr-t 2 root <usergroup> 4.0K Feb 26 16:00 workfolder/
# ls -l workfolder
-rw-r--r-- 1 root root 0 Feb 26 16:00 lockfile
The user can neither change ownership nor remove the sticky-bit.

Since all solutions require root intervention and result in the user losing control over the directory, I see no reason why the folder should not be owned by root.

Please elaborate if I am missing something.

Last edited by crts; 02-26-2019 at 09:50 AM.
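
Added example, not part of any post in this thread: the unlink rules argued over in posts #6 to #11 (write and search permission on the directory, the sticky bit, and the directory-owner exception) written as a check an admin can run before trusting a "lockfile". The function names `may_unlink` and `may_unlink_path` are hypothetical, and `stat -c` with `%a`, `%u`, `%g` is assumed to be available.

```shell
#!/bin/sh
# Who may unlink an entry from a directory under classic Unix rules.
# Not modelled: ACLs, capabilities, read-only mounts, and chattr +i
# (an immutable file or parent directory blocks the unlink for everyone).

# may_unlink DIR_MODE DIR_UID DIR_GID FILE_UID USER_UID "USER_GIDS"
# Returns 0 if USER_UID could remove a file owned by FILE_UID.
may_unlink() {
    mu_mode=$((0$1)); mu_duid=$2; mu_dgid=$3; mu_fuid=$4; mu_uid=$5

    # root bypasses the mode bits and the sticky bit
    [ "$mu_uid" -eq 0 ] && return 0

    # Exactly one permission class applies: owner, else group, else other
    if [ "$mu_uid" -eq "$mu_duid" ]; then
        mu_bits=$(( (mu_mode >> 6) & 7 ))
    else
        mu_bits=$(( mu_mode & 7 ))
        for mu_g in $6; do
            if [ "$mu_g" -eq "$mu_dgid" ]; then
                mu_bits=$(( (mu_mode >> 3) & 7 ))
                break
            fi
        done
    fi

    # Unlinking needs write (2) and search (1) on the directory; the
    # file's own permission bits are never consulted
    [ $(( mu_bits & 3 )) -eq 3 ] || return 1

    # Sticky bit (01000): only the file owner or the directory owner
    if [ $(( mu_mode & 01000 )) -ne 0 ]; then
        [ "$mu_uid" -eq "$mu_fuid" ] || [ "$mu_uid" -eq "$mu_duid" ] || return 1
    fi
    return 0
}

# may_unlink_path FILE USER_UID "USER_GIDS": same check against a real
# path. Assumes stat(1) supports -c with %a (octal mode), %u and %g.
may_unlink_path() {
    mp_d=$(stat -c '%a %u %g' -- "$(dirname -- "$1")") || return 2
    mp_f=$(stat -c '%u' -- "$1") || return 2
    # $mp_d is unquoted on purpose: it splits into mode, uid, gid
    may_unlink $mp_d "$mp_f" "$2" "$3"
}
```

With uid 1000 as the user and gid 100 standing in for `<usergroup>` (constructed values), `may_unlink 755 1000 1000 0 1000 "1000 100"` succeeds, which is the root-owned file in a user-owned directory from post #6, while `may_unlink 1775 0 100 0 1000 "1000 100"` fails, which is the root-owned sticky folder from post #11.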
 
Old 12-31-2019, 08:24 PM   #12
MasterCATZ
LQ Newbie
 
Registered: Dec 2016
Posts: 2

Rep: Reputation: Disabled
also after something similar

I need to stop the time stamps of the folders being updated when files are changed inside the folder

if I do immutable "chattr -i" , this is also stopping files / folders inside from being created even if I "chmod 777 -R" the folder

The Folders contain symlinked files inside with another program adding other additional files / doing updates

I need the Folders timestamps to permanently stay the same as creation date and not change to last modified date

folders show they should allow contents to be changed
ls "drwxrwxrwx"
but permission is denied
lsattr ----i---------------

Last edited by MasterCATZ; 12-31-2019 at 08:31 PM.
 