Linux directory permissions read write but not delete

Is it possible to setup directory permissions such that a group is able to read and write files and subdirectories but not delete anything?

asked May 15 '09 16:05 by CodeLizard
1 Answer

It might be enough to set the sticky bit on the directories. Users will be able to delete any files they own, but not those of other users. This may be enough for your use case. On most systems, /tmp is set up this way (/tmp is set 1777).

chmod 1775 /controlled

However, if you want more control, you'll have to enable ACL on the filesystem in question.

In /etc/fstab, append acl to the flags:

/dev/root        /                       ext3    defaults,acl       1 1 

You can then use setfacl/getfacl to control and view acl level permissions.

Example: (Create files, once written, they are read only, but CAN be deleted by owner, but not others.)

# setgid on the directory so new files inherit its group
# ("rwxs" is not valid setfacl permission syntax; setfacl only takes r, w, x)
chmod g+s /controlled
# access ACL on the directory itself (--set needs all three base entries)
setfacl --set u::rwx,g::rwx,o::- /controlled
# default ACL inherited by files created in it: read-only once written
setfacl -d --set u::r-x,g::r-x,o::- /controlled

You can set a default acl list on a directory that will be used by all files created there.

As others have noted, be careful to specify exactly what you want. You say "write" - but can users overwrite their own files? Can they change existing content, or just append? Once written, it's read only? Perhaps you can specify more detail in the comments.

Lastly, selinux and grsecurity provide even more control, but that's a whole other can of worms. It can be quite involved to set up.

answered Oct 18 '22 08:10 by jmanning2k
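The answer above rests on one rule that trips people up: deleting a file is governed by write+search permission on the directory, never by the file's own bits, and the sticky bit adds an ownership check on top. The following is an added example, not code from the question or the answer; it is a small Python model of that decision (mirroring the kernel's unlink checks, without touching a real filesystem) so the effect of chmod 0775 vs 1775 can be compared without a second user account. The uid/gid values, the `Inode`/`Principal` classes and the `summarize` helper are all constructed for illustration; POSIX ACLs from the answer's setfacl part are not modelled.

```python
"""Model of the Linux 'may I delete this directory entry?' decision.

Constructed example: it mirrors the checks the kernel applies on unlink
(write and search permission on the directory, plus the sticky-bit
ownership rule). It does not consult the real filesystem.
"""
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Inode:
    mode: int          # permission bits incl. sticky, e.g. 0o1775
    uid: int
    gid: int


@dataclass(frozen=True)
class Principal:
    uid: int
    gids: frozenset    # every group the caller belongs to
    root: bool = False  # holder of CAP_FOWNER / CAP_DAC_OVERRIDE


def has_perm(inode, who, bits):
    """Classic rwx check: pick the owner/group/other triplet that applies."""
    if who.root:
        return True
    if who.uid == inode.uid:
        shift = 6
    elif inode.gid in who.gids:
        shift = 3
    else:
        shift = 0
    return (inode.mode >> shift) & bits == bits


def may_write_file(f, who):
    """Modifying content needs the write bit on the file itself."""
    return has_perm(f, who, 0o2)


def may_delete(dirnode, f, who):
    """unlink/rename needs w+x on the *directory*, no bit on the file.
    With the sticky bit set, the caller must own the file or the directory."""
    if not has_perm(dirnode, who, 0o3):
        return False
    if dirnode.mode & stat.S_ISVTX and not who.root:
        return who.uid == f.uid or who.uid == dirnode.uid
    return True


def summarize(dir_mode):
    """Return (alice can modify bob's file, alice can delete bob's file)
    for two members of group 100 sharing a root-owned directory."""
    d = Inode(dir_mode, uid=0, gid=100)
    bobs_file = Inode(0o664, uid=1001, gid=100)
    alice = Principal(uid=1000, gids=frozenset({100}))
    return (may_write_file(bobs_file, alice), may_delete(d, bobs_file, alice))


if __name__ == "__main__":
    for mode in (0o775, 0o1775, 0o555):
        print(f"{mode:05o}: write={summarize(mode)[0]} delete={summarize(mode)[1]}")
```

The `0o555` case is the one the question is really asking about: a read-only directory stops group members deleting each other's files while leaving the group-writable files themselves editable, but it also stops them creating new files, which is why the answer reaches for the sticky bit and then ACLs.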