Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

file/directory permissions...

Status
Not open for further replies.
shadedecho

shadedecho

Programmer
Oct 4, 2002
336
0
0
US
This is a Debian/GNU linux machine, so here's my situation:

I have a /home directory, under which all local users of my system have their own directories.

So, I have a user named John, and so his directory is /home/john.

I set the permissions on the users directory to 2755, so that all files/directories created by the user inside of their own directory automatically inherit the same "group" as their parent.

the user "john" is obviously the owner of the /home/john directory.

Now, what I want is to be able to place a directory inside of John's directory, like /home/john/test, which he can see, access, and read, but NOT write into. Easy enough, simply make the owner (and group) of that "test" directory root, and make the permissions 755 for that directory.

Here's the tricky part. Is there anyway to prevent "john" from being able to rmdir the "test" directory, or mv to rename it?

I would have thought withholding the "write" permission for a directory would prevent it from being deleted or renamed, but apparently the "write" only applies to the contents of the directory.

Obviously, john has got to be the owner of /home/john, so i can't use the sticky bit option on his home directory (since it only denies non-parent-directory owners rename/delete permissions). john also has to be able to write other files in his directory, so i can't simply remove the "write" permission from /home/john.

So, is there any other way to do this?

***********************************************

If I create a "blah" directory, root:root in /home/john, and set its permissions to 1755, and then inside of "blah", put "test", like /home/john/blah/test, then john cannot delete/rename "test". He also cannot delete "blah", even with "rm -rf", because that would be removing test, which he has no permissions to do. But, he can still rename "blah", so it kinda defeats my purpose of sticking a directory in there that is completely read-only. This is a closer option, but still not completely safe for what I want.

How come root can't stick a file or directory somewhere (anywhere in the filesystem) that a non-root user can only read or access, but not delete or modify? Am I missing something? I thought root would be all powerful like this. :)
 
Sort by date Sort by votes
G'day,
I don't know if this is exactly what you want but you might try this.

Create the files you want in /home/john/test (as root or whoever) then do chattr +i /home/john/test

man chattr will reveal all.

This will prevent deleting anything in /home/john/test but allows viewing og the files.

I mucked around just then testing it so it should be OK.

Regards, Dave.
 
Upvote 0 Downvote
i appreciate that suggestion, setting the immutable bit seems like it would be what I want. I should have mentioned in my first post that it's only the USER who shouldn't be able to change the contents of these directories, or the directory name itself... root in fact will be updating the contents frequently.

If setting the immutable bit on a directory would only protect the directory node itself, and not it's contents, then i'd be fine, because as I mentioned before, all the other contents of these directories i've already protected by standard permissions, removing "write", etc. But it appears that the immutable bit makes all the contents of the directory immutable as well, which means i can't use that option.
 
Upvote 0 Downvote
G'day shadedecho,
I've been away for a few days, so a late reply.

I have not really looked in detail at them but have you tried ACL's (access control lists)?

Perhaps do a google on them.

Regards, Dave.
 
Upvote 0 Downvote
yeah, we tried ACL's, they didn't work. :(

It seems like such a simple concept... stick a directory somewhere and make it so not only the contents but also the directory node (name, permissions, etc) itself cannot be changed except by the owner OF THAT DIRECTORY, not just the owner of the directory where that directory resides.

I've got it where I can make the contents protected absolutely, and that I can make it so the directory can't be deleted. But I can't make it so the directory can't be renamed.
 
Upvote 0 Downvote
ericbrunson:

a quote from my original post:

Obviously, john has got to be the owner of /home/john, so i can't use the sticky bit option on his home directory (since it only denies non-parent-directory owners rename/delete permissions).
Click to expand...

The sticky bit set on the "/home/john" directory grants "test" under "/home/john" the protection that only the owner of "test" (in this case, root) AND the owner of the parent directory, which is "john", can change it. So, basically, it doesn't accomplish the job because the desire is to have "john" own his directory, and "root" own a directory inside of "john"s home directory, and have ONLY root be able to modify, not only the contents, but the directory node itself (name, permissions, etc).
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

spamjim
  • Locked
  • Question
Sorting out NTFS filesystem issues
Replies
0
Views
61
spamjim
spamjim
MCP2000
  • Locked
  • Question
CentOS 6.9, LDAP, Vault, Active Directory
Replies
0
Views
47
MCP2000
MCP2000
theniteowl
  • Locked
  • Question
URGENT Permissions issue 1
Replies
6
Views
62
theniteowl
theniteowl
jponnusa
  • Locked
  • Question
Help on Mapping Local Directory for URL
Replies
1
Views
64
SamBones
SamBones
kevinds
  • Locked
  • Question
Help With Per File/Folder Restriction Based on HTTPS Client Certificate's CN
Replies
0
Views
40
kevinds
kevinds

Part and Inventory Search

Sponsor

Back
Top