How to allow a user to create files in a directory but prevent this user from creating and deleting files in the parent directory?
I would like to prevent a user (identified by uid) from creating and deleting files in /tmp, but allow this user to create files in the directory /tmp/hello, which is owned by this user. How can I achieve that? Only this user should be prevented from creating and deleting files in /tmp; other users who have the appropriate permission shouldn't be prevented. /tmp is owned by root.

Tags: linux, permissions
asked Mar 3 at 10:24 by Wang Tianze
Comments:

/tmp is usually a quite special directory in that everyone is allowed to create files and directories in it. Is there a particular reason you'd want to disallow this user from creating files under /tmp? Does it have to do with the location of temporary files? If so, does the software that you use honour the TMPDIR environment variable (you would use it to specify another directory to create temporary files in)? In short, what is the underlying problem that you are trying to solve?
– Kusalananda♦ Mar 3 at 10:28

In fact, I'm running untrusted code (similar to students' homework) on the system, so I need to make restrictions so that the untrusted program won't mess up the system. I placed the program in /tmp/hello, and I want to make sure this program can only create files in the same directory as the program.
– Wang Tianze Mar 3 at 10:56
1 Answer
You can do this using file ACLs.

You prevent the user badguy from creating files in tmp with:

    setfacl -m u:badguy:r-x /tmp

And you can allow it to write to the hello directory "normally" (allow everyone, chown the directory to badguy) or, again, with file ACLs:

    setfacl -m u:badguy:rwx /tmp/hello
answered Mar 3 at 10:34 by user2233709
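As an added check (not part of the answer above): a POSIX sh script that parses getfacl output and reports the rights the kernel actually enforces for the user, because a named-user ACL entry is ANDed with the directory's mask:: entry and a later chmod on the group bits can silently lower that mask. The user name badguy, the function names and the sample getfacl outputs are constructed assumptions, not captured from a real system.

```shell
# Print the effective rwx string of user $1 from getfacl text on stdin.
# Owner -> user:: entry; named user -> entry AND mask::; otherwise other::.
# Group entries are not modelled (assumption: no relevant group membership).
effective_user_perms() {
    awk -v u="$1" -F: '
        $1 == "# owner"           { o = $2; sub(/^ +/, "", o) }
        $1 == "user"  && $2 == "" { own   = substr($3, 1, 3) }
        $1 == "user"  && $2 == u  { named = substr($3, 1, 3) }  # drops any "#effective:" note
        $1 == "mask"  && $2 == "" { mask  = substr($3, 1, 3) }
        $1 == "other" && $2 == "" { oth   = substr($3, 1, 3) }
        END {
            if (o == u)      { print own;   exit }
            if (named == "") { print oth;   exit }
            if (mask == "")  { print named; exit }
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(named, i, 1)
                out = out ((c != "-" && substr(mask, i, 1) == c) ? c : "-")
            }
            print out
        }'
}

# Policy from the question: user $1 must have no write (create/delete) right in
# the parent but must have it in the child; $2/$3 are getfacl outputs for each.
check_policy() {
    parent=$(printf '%s\n' "$2" | effective_user_perms "$1")
    child=$(printf '%s\n' "$3" | effective_user_perms "$1")
    case "$parent" in *w*) return 1 ;; esac
    case "$child"  in *w*) return 0 ;; esac
    return 1
}

# Constructed getfacl output (not captured) after "setfacl -m u:badguy:r-x /tmp".
TMP_ACL=$(printf '# owner: root\nuser::rwx\nuser:badguy:r-x\ngroup::rwx\nmask::rwx\nother::rwx\n')
# Constructed output for /tmp/hello after "chown badguy /tmp/hello": the owner entry applies.
HELLO_ACL=$(printf '# owner: badguy\nuser::rwx\ngroup::r-x\nother::r-x\n')
# Constructed caveat: u:badguy:rwx was granted, but a later "chmod g-w" recomputed
# mask:: as r-x, so the kernel enforces r-x (getfacl flags this as "#effective").
MASKED_ACL=$(printf '# owner: root\nuser::rwx\nuser:badguy:rwx\t\t#effective:r-x\ngroup::r-x\nmask::r-x\nother::r-x\n')

check_policy badguy "$TMP_ACL" "$HELLO_ACL"  && echo "badguy: /tmp r-x, /tmp/hello rwx: policy holds"
check_policy badguy "$TMP_ACL" "$MASKED_ACL" || echo "badguy: write on child masked away: policy fails"
```

Run getfacl -p on the two directories and feed the real output to check_policy to confirm the setting took effect for that user only; other users keep the rights they get from the other:: entry.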