How to give permissions to read write but not delete the file

I want to give users the ability to create, write and read files in another user's directory, but not the option to delete a file after it is created (the sticky bit is not going to work here...).
For example:

  • I have user manager with directory repository
  • I have user worker1 that needs to write files to /manager/repository but can't delete the files
  • I have user worker2 that needs to write files to /manager/repository but can't delete the files
  • I have user worker3 that needs to write files to /manager/repository but can't delete the files

But workers 1-2-3 can't delete the files after they are created; only manager and root can delete the files workers 1-2-3 created.

I tried a few chown and chmod tricks, along with applying the sticky bit, without success.
Tags: files, permissions






edited Sep 7 '16 at 10:59 by fd0
asked Sep 7 '16 at 8:50 by user63898







  • Do the worker* users write to the directory in a certain way? You mentioned in a comment that log files go here, so does that mean a certain executable is launched to create files here? If so you could give the worker group sudo permission to run the executable as manager. Then the executable would create logs as the manager user that could be readable by the workers.
    – Centimane
    Sep 7 '16 at 18:19













4 Answers

















Score: 0













Take the write permission away from the /manager/repository folder. Then all users who are not root will be able to write to or delete from the files inside /manager/repository, but not delete any file from this directory.

chmod 755 /manager/repository





Score: 4









First of all, make sure ACLs are enabled on your system, then run this command:

setfacl -d -R -m user::rwx,user:worker1:---,user:worker2:---,user:worker3:--- /manager/repository

How it works

  • This command will give read, write and execute permissions for the owner on the directory /manager/repository. It will revoke all permissions for worker1, worker2 and worker3.

  • This will give other users read & write access but will deny delete access.

From man setfacl:

-d, --default
All operations apply to the Default ACL.

-R, --recursive
Apply operations to all files and directories recursively.

-m, --modify
Options to modify the ACL of a file or directory.






edited Sep 7 '16 at 9:37
answered Sep 7 '16 at 9:31 by Rahul











  • Thanks, but the problem is that users are created all the time, and some are deleted by the admin. So that means I need to update the directory with setfacl each time? Is there any more generic solution?
    – user63898
    Sep 7 '16 at 9:55

  • Yes, when I try to create a file from worker1 with touch /manager/repository/x.txt I'm getting: touch: cannot touch `/manager/repository/x.txt': Permission denied
    – user63898
    Sep 7 '16 at 10:21

  • Still getting Permission denied. When I do ls -ld repository I'm getting: drwxrwxr-t 2 manager users 4096 Sep 7 11:30 repository/
    – user63898
    Sep 7 '16 at 10:48

  • When doing setfacl -d -R -m user::rwx,user:worker1:--- repository/ and then trying to create a file from worker1 with touch /manager/repository/x.txt I'm getting: touch: cannot touch `/manager/repository/x.txt': Permission denied
    – user63898
    Sep 7 '16 at 11:03

  • Wouldn't this still allow someone to write an empty file here? Like echo " " > $file would clobber the file contents with " ", which is technically a write, but effectively deletes the contents. It seems like an actual repo like svn would be the best bet here.
    – Centimane
    Sep 7 '16 at 18:14
















Score: 4









Unlike Windows, there is no distinct delete permission under Unix/Linux. The right to delete (or create or rename) a file is bound to the containing directory. Remove the write permission for the workers on /manager/repository/ in order to prevent the workers from creating, deleting, and renaming files.

Note that it is not possible to permit creation of files but to deny their deletion.







answered Sep 7 '16 at 11:10 by countermode











  • How can I remove the write permission, as the file will be written all the time? It is a log file.
    – user63898
    Sep 7 '16 at 11:24

  • While that used to be true, many modern systems support extended ACLs (NFSv4 ACLs as supported by FreeBSD, Solaris or Linux (Richacl patch)) that give similar capabilities to Windows NT ACLs. Your stock Linux distribution is likely not to have it though.
    – Stéphane Chazelas
    Sep 7 '16 at 12:14

  • @user63898 you remove write permissions from the directory the file's in, not from the file itself.
    – GnP
    Sep 7 '16 at 12:30
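countermode's answer and GnP's follow-up state the rule that settles this thread: creating, deleting and renaming are operations on the directory, while writing into an existing file is an operation on the file. The following is an added example, not code from any answer here: a POSIX sh function that encodes exactly those classic DAC rules, including the sticky-bit exemption the question already ruled out, and can be run against the mode column of ls -ld (such as the drwxrwxr-t quoted in the comments). The function names, the owner/group/other relation labels and the sample modes are my own construction, and root and ACLs are deliberately left out of the model.

```shell
#!/bin/sh
# Added example: a model of classic Unix DAC for operations on a directory
# entry. Root (which bypasses these bits) and ACLs are not modelled.

# triad MODE REL: print the rwx triad of a 10-char ls -ld mode string
# for REL = owner | group | other.
triad() {
    m=$1
    case "$2" in
        owner) m=${m#?};       m=${m%??????} ;;
        group) m=${m#????};    m=${m%???} ;;
        other) m=${m#???????} ;;
        *) echo "bad relation: $2" >&2; return 2 ;;
    esac
    printf '%s\n' "$m"
}

has_w()     { case "$1" in ?w?) return 0 ;; *) return 1 ;; esac; }
# x also counts as set when the slot shows s (setuid/setgid) or t (sticky)
has_x()     { case "$1" in ??[xst]) return 0 ;; *) return 1 ;; esac; }
# the sticky bit on a directory shows as t (with x) or T (without x) last
is_sticky() { case "$1" in *[tT]) return 0 ;; *) return 1 ;; esac; }

# dac_check DIR_MODE DIR_REL FILE_MODE FILE_REL OP
#   DIR_MODE, FILE_MODE: mode column of ls -ld, e.g. drwxrwxr-t, -rw-r--r--
#   DIR_REL,  FILE_REL:  owner | group | other, the user's relation to each
#   OP:                  create | delete | rename | append
# Prints allowed or denied; exit status 0 when allowed, 1 when denied.
dac_check() {
    dm=${1%[+.@]}   # ls may append + (ACL), . (SELinux) or @ (xattr); drop it
    fm=${3%[+.@]}
    for m in "$dm" "$fm"; do
        case "$m" in ??????????) ;; *)
            echo "mode must be 10 characters: $m" >&2; return 2 ;;
        esac
    done
    dir_t=$(triad "$dm" "$2") || return 2
    file_t=$(triad "$fm" "$4") || return 2
    verdict=denied
    case "$5" in
        create)
            # adding an entry needs w (modify) and x (search) on the directory
            if has_w "$dir_t" && has_x "$dir_t"; then verdict=allowed; fi ;;
        delete|rename)
            # unlink/rename are directory operations too: the file's own bits
            # play no part, so chmod on the file cannot stop them
            if has_w "$dir_t" && has_x "$dir_t"; then
                verdict=allowed
                # sticky bit: only the file owner or the directory owner may
                # remove/rename the entry; this lets manager (directory owner)
                # delete, but a worker can still delete the files it owns
                if is_sticky "$dm" && [ "$2" != owner ] && [ "$4" != owner ]; then
                    verdict=denied
                fi
            fi ;;
        append)
            # writing into an existing file needs x on the directory to reach it
            # and w on the file; the directory's w bit is irrelevant, so a log
            # stays writable inside a directory its writer cannot delete from
            if has_x "$dir_t" && has_w "$file_t"; then verdict=allowed; fi ;;
        *)
            echo "unknown operation: $5" >&2; return 2 ;;
    esac
    printf '%s\n' "$verdict"
    [ "$verdict" = allowed ]
}

# Constructed scenario mirroring the thread: the directory is
# "drwxrwxr-t ... manager users" as quoted in the comments, a worker outside
# group users tries to create a file, then the directory is set to r-x for
# the workers' group while a pre-created group-writable log stays writable.
demo() {
    for c in \
        'drwxrwxr-t other -rw-rw-r-- other create'  \
        'dr-xr-xr-x group -rw-rw-r-- group append'  \
        'dr-xr-xr-x group -rw-rw-r-- owner delete'  \
        'drwxrwxr-t group -rw-rw-r-- owner delete'  \
        'drwxrwxr-t owner -rw-rw-r-- other delete'
    do
        set -- $c
        printf '%-44s %s\n' "$c" "$(dac_check "$@")"
    done
}

if [ "${1:-}" = demo ]; then demo; fi
```

Running the script with the single argument demo prints the verdicts for the constructed scenario: the worker's touch is denied because drwxrwxr-t gives "other" no w bit on the directory, while a group-writable log inside an r-x directory stays appendable.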
















          up vote
          2
          down vote









          To do that with permissions, you'd need a system with support for ACLs similar to NFSv4 ACLs. For instance, on FreeBSD, if the filesystem is mounted with the nfsv4acls flag, you can do:



          mkdir testdir
          chown manager:worker-group testdir
          chmod 775 testdir
          setfacl -m group@:D::deny testdir


          To explicitly deny the delete_child permission to members of the worker-group group.



          However note that since the workers would be owners of the files they create, they would still be able to modify the ACLs on them, and by granting themselves the delete permission, that would take precedence over the delete_child permission of the parent directory and I'm not sure there's a way around that (at least on UFS filesystems on FreeBSD). For instance they could do:



          $ touch file
          $ rm -f file
          rm: file: Operation not permitted
          $ setfacl -m owner@:d::allow file
          $ rm -f file
          $





          share|improve this answer














          To do that with permissions, you'd need a system with support for ACLs similar to NFSv4 ACLs. For instance, on FreeBSD, if the filesystem is mounted with the nfsv4acls flag, you can do:



          mkdir testdir
          chown manager:worker-group testdir
          chmod 775 testdir
          setfacl -m group@:D::deny testdir


          To explicitly deny the delete_child permission to members of the worker-group group.



          However note that since the workers would be owners of the files they create, they would still be able to modify the ACLs on them, and by granting themselves the delete permission, that would take precedence over the delete_child permission of the parent directory and I'm not sure there's a way around that (at least on UFS filesystems on FreeBSD). For instance they could do:



          $ touch file
          $ rm -f file
          rm: file: Operation not permitted
          $ setfacl -m owner@:d::allow file
          $ rm -f file
          $






          share|improve this answer














          share|improve this answer



          share|improve this answer








edited Sep 7 '16 at 21:03
answered Sep 7 '16 at 14:16
Stéphane Chazelas
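An added audit script, not part of the answer above, that parses FreeBSD getfacl output and flags files whose owner@ entry allows delete ('d'), which is exactly the escape from the parent's delete_child deny that the answer describes. It assumes getfacl's compact entry format, matches only owner@ and everyone@ entries against the owner, and runs over a constructed sample listing.

```python
# Added example (not from the answer): audit FreeBSD getfacl output for files
# whose owner has granted themselves delete ('d'), sidestepping the
# delete_child ('D') deny on the parent directory. Assumed entry format is
# FreeBSD's compact "owner@:rwxpDdaARWcCos:fdinSFI:allow"; sample is constructed.

def parse_ace(line):
    """Return (principal, perms, type); named user/group entries have 5 fields."""
    parts = line.strip().split(":")
    if len(parts) == 5:                      # user:NAME:perms:flags:type
        principal, perms, kind = parts[0] + ":" + parts[1], parts[2], parts[4]
    elif len(parts) == 4:                    # owner@:perms:flags:type
        principal, perms, kind = parts[0], parts[1], parts[3]
    else:
        raise ValueError("unrecognised ACL entry: %r" % line)
    return principal, set(perms) - {"-"}, kind

def parse_getfacl(text):
    """Group ACL entries under the '# file:' header that precedes them."""
    acls, path = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# file:"):
            path = line.split(":", 1)[1].strip()
            acls[path] = []
        elif line and not line.startswith("#") and path is not None:
            acls[path].append(parse_ace(line))
    return acls

def owner_can_delete(aces):
    """NFSv4 evaluation: the first ACE matching the owner that lists 'd' decides."""
    for principal, perms, kind in aces:
        if principal in ("owner@", "everyone@") and "d" in perms:
            return kind == "allow"
    return False                              # nothing grants it; the parent's D deny holds

def self_granted_delete(text):
    """Paths in a getfacl listing whose owner can delete the file."""
    return sorted(p for p, aces in parse_getfacl(text).items() if owner_can_delete(aces))

SAMPLE = """\
# file: /manager/repository/clean.log
owner@:rw-p--aARWcCos:-------:allow
everyone@:r-----a-R-c--s:-------:allow
# file: /manager/repository/tampered.log
owner@:-----d--------:-------:allow
owner@:rw-p--aARWcCos:-------:allow
everyone@:r-----a-R-c--s:-------:allow
"""

if __name__ == "__main__":
    print(self_granted_delete(SAMPLE))        # ['/manager/repository/tampered.log']
```

Run it over `getfacl -R /manager/repository` output on the manager host to list files the workers have made deletable again.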
Take write permission away from the /manager/repository folder itself. Then all users who are not root will be able to write to, or delete content from, the files inside /manager/repository, but not delete any file from this directory.

    chmod 755 /manager/repository





edited Aug 21 at 5:18
slm♦
answered Aug 21 at 4:57
Josef Klimuk



























                       
