I'd like the users to have write only permissions in a directory, meaning that they can write anything there, but once they put it there only root can delete or edit it and anyone can read it. Is it possible? I suppose by default it's not possible, but do you know any way to do this?
If someone can write a file then they own it and can delete it
the only way to stop the owner deleting a file is to make its permissions read only, but as you want the owner to write a file
then try:
chmod 644 myfile
in other words the owner can read and write
everyone else can read the file and of course root can edit or delete
Still, if I change the permissions of the file the owner would still be able to delete/change it, and I don't want to allow this. So, I thought about this solution: write a script that every 5 minutes (or something like this) checks if there are some new files in my folder. If so, change the owner to root and all the other users could only read it. The users are able to write anything in that folder because I give them write permissions in the folder.
The question is: is there any easier and practical approach for this? If I check for new files too often, I think that script would take some resources, but if I don't I allow other users to delete what the owner wrote there before I change the permissions (if the owner forgets to set the file permissions) or I allow the owner to delete his own files (which I don't want to allow either).
I hope the question is more clear now... Thank you.
change the owner to root and all the other users could only read it. The users are able to write anything in that folder because I give them write permissions in the folder.
This creates a HUGE security hole on your system. Your script would have to ensure that the suid bits for both user and group are off.
Otherwise:
User writes script, changes permissions to 6755 (-rwsr-sr-x)
User copies script to public directory, your script changes ownership to root.
User runs script, which will run with root privileges because of the permissions.
The safest and easiest thing, IMHO, would be to stick with a simple public directory.
If you really need to keep users from editing or deleting their own files from a publicly accessible directory, I would recommend:
Don't make the directory public. Make it owned and writable by root, and only readable/executable by others.
Write a script which performs the necessary moving and changing of ownership and permissions for ONE FILE (ensuring that all suid bits are off). Give other users permission to use sudo to execute this one script as root without password.
This would ensure that users can move files into this directory, but cannot remove or edit them from that point forward, without grave security risk.
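An added example, not code from the thread, of the one-file helper recommended above: it copies a single regular file into a root-owned directory with an explicit mode, so setuid/setgid bits are never carried over. The directory `/srv/dropbox`, the script path, the `users` group and the sudoers line are assumptions; the `SUDO_UID` ownership check is an extra safeguard added here so that the helper, reading files as root, cannot be used to publish a file the caller does not own.

```shell
#!/bin/sh
# Hypothetical helper, e.g. installed as /usr/local/sbin/publish-file (assumed path)
# and allowed with a sudoers line such as (assumed group name):
#   %users ALL=(root) NOPASSWD: /usr/local/sbin/publish-file
# DROP_DIR is an assumed location; it should be owned by root with mode 0755.
DROP_DIR="${DROP_DIR:-/srv/dropbox}"

publish_file() {
    # Exactly ONE file per invocation.
    [ $# -eq 1 ] || { echo "usage: publish-file FILE" >&2; return 2; }
    src=$1

    # Regular files only: no symlinks, directories, devices or FIFOs.
    if [ -L "$src" ] || [ ! -f "$src" ]; then
        echo "refusing: not a regular file: $src" >&2
        return 1
    fi

    # Under sudo the script reads as root, so insist that the source
    # belongs to the invoking user (sudo sets SUDO_UID).
    if [ -n "${SUDO_UID:-}" ] && [ "$(stat -c %u -- "$src")" != "$SUDO_UID" ]; then
        echo "refusing: $src is not owned by the calling user" >&2
        return 1
    fi

    dest="$DROP_DIR/$(basename -- "$src")"

    # Never overwrite: a published file must stay as it was published.
    if [ -e "$dest" ] || [ -L "$dest" ]; then
        echo "refusing: already exists: $dest" >&2
        return 1
    fi

    # install(1) copies the data and sets the mode explicitly (0444),
    # so setuid, setgid and execute bits on the source are dropped.
    if [ "$(id -u)" -eq 0 ]; then
        install -o root -g root -m 0444 -- "$src" "$dest"
    else
        # Not root (trial run): same mode, ownership left unchanged.
        install -m 0444 -- "$src" "$dest"
    fi
}

# Run only when a file argument is supplied on the command line.
[ $# -eq 0 ] || publish_file "$@"
```

The checks and the copy act on a path the caller controls, so they are not atomic; a hardened version would open the file once and work from that descriptor.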
This creates a HUGE security hole on your system. Your script would have to ensure that the suid bits for both user and group are off.
...
Write a script which performs the necessary moving and changing of ownership and permissions for ONE FILE (ensuring that all suid bits are off). Give other users permission to use sudo to execute this one script as root without password.
Oh man, you do have a point. I never thought about this. One question though: why is it that important for my script to move ONE FILE, like you said? I think it is secure to allow them to copy there one whole folder if I check recursively for every file not to have suid. Is this right? Thanks a bunch for your reply.
Yeah... thanks. I just thought you meant something I didn't understand. I like scripting and it's not big deal to check recursively for every file inside the folder. Thanks again.