From: Aragorn on 14 Feb 2010 00:57

On Sunday 14 February 2010 04:29 in comp.os.linux.misc, somebody identifying as AZ Nomad wrote...

> On Sun, 14 Feb 2010 00:42:54 +0000 (UTC), Rahul <nospam(a)nospam.invalid> wrote:
>
>> Is there a way (under ext3) to set permissions on a dir such that:
>> only user can create new files
>> but anyone in the group can delete files
>
> man chmod

That's not going to do him any good with regard to his question, because what he's asking is not possible, in my humble opinion - i.e. it /could/ be that this is possible via ACLs, but I have no experience in using those.

Creating a file and deleting a file are both write operations on the directory in which the file is created/located. The UNIX permissions set does not distinguish between creating an entry and deleting an entry. Both are simply write operations to the directory itself, and thus, anyone who has the right to delete a file from a directory also has the right to create a file in said directory.

The opposite can be accomplished by setting the sticky bit. Then everyone can write to the directory, but only the owner of each individual file is able to delete his or her files. And well, root can always delete everything, of course.

Like I said, ACLs /might/ offer what he's looking for - I'm insufficiently experienced with those to tell at this point - but the standard UNIX permissions set does not allow for such a scenario.

--
*Aragorn* (registered GNU/Linux user #223157)
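An added example, not posted by anyone in this thread, that models the classic mode-bit checks Aragorn describes: creating and unlinking both need write+search on the directory, and the sticky bit only adds an ownership test on unlink. The uids, gids and group memberships are constructed; ACLs, capabilities and Linux's fs.protected_* sysctls are deliberately left out of the model.

```python
import stat

DIR_UID, DIR_GID = 1000, 100  # constructed: directory owned by uid 1000, gid 100


def _dir_write_search(mode, dir_uid, dir_gid, uid, gids):
    """Classic class selection: owner bits if the uid matches, else group bits
    if the directory's group is among the caller's groups, else other bits.
    Root (uid 0) is treated as passing every mode check (simplification)."""
    if uid == 0:
        return True
    if uid == dir_uid:
        w, x = stat.S_IWUSR, stat.S_IXUSR
    elif dir_gid in gids:
        w, x = stat.S_IWGRP, stat.S_IXGRP
    else:
        w, x = stat.S_IWOTH, stat.S_IXOTH
    return bool(mode & w) and bool(mode & x)


def can_create(mode, dir_uid, dir_gid, uid, gids):
    """Creating an entry is a write to the directory: write + search needed."""
    return _dir_write_search(mode, dir_uid, dir_gid, uid, gids)


def can_unlink(mode, dir_uid, dir_gid, file_uid, uid, gids):
    """Unlink is the same directory write, plus the sticky-bit restriction:
    with S_ISVTX set, only the file owner, the directory owner or root may remove."""
    if not _dir_write_search(mode, dir_uid, dir_gid, uid, gids):
        return False
    if mode & stat.S_ISVTX and uid not in (0, dir_uid, file_uid):
        return False
    return True


def mode_exists_group_deletes_but_cannot_create():
    """Exhaustively try all 4096 mode values (setuid/setgid/sticky + rwxrwxrwx)
    for a directory owned by DIR_UID/DIR_GID holding a file owned by DIR_UID.
    Returns the first mode under which a group member (uid 1001, not the owner)
    may unlink the owner's file but may not create one, or None if none exists."""
    for mode in range(0o7777 + 1):
        if (can_unlink(mode, DIR_UID, DIR_GID, DIR_UID, 1001, {DIR_GID})
                and not can_create(mode, DIR_UID, DIR_GID, 1001, {DIR_GID})):
            return mode
    return None


if __name__ == "__main__":
    # Sticky, world-writable layout (/tmp style, mode 1777 owned by root):
    # everyone creates, but only the file owner (or root) removes.
    print(can_create(0o1777, 0, 0, 1002, {100}))           # True
    print(can_unlink(0o1777, 0, 0, 1001, 1002, {100}))     # False: not the owner
    print(can_unlink(0o1777, 0, 0, 1001, 1001, {100}))     # True
    print(mode_exists_group_deletes_but_cannot_create())   # None
```

The exhaustive search returns None because every unlink check first passes through the same directory write+search test that creation uses, which is the asymmetry the thread is about.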
From: Michael Black on 14 Feb 2010 01:27

On Sun, 14 Feb 2010, Rahul wrote:

> Is there a way (under ext3) to set permissions on a dir such that:
>
> only user can create new files
> but anyone in the group can delete files

But why?

It's easy to imagine files that are created by one person but read by many. It's also easy to imagine situations where a group is working on a file. But I can't imagine any situation where only one person could create files, but everyone could delete them.

The deletion is the one that needs the most control, since otherwise someone can delete by accident or maliciously. There's no reason for someone to have a monopoly on creating files when everyone else can delete it as they desire. The latter negates the former.

Michael
From: Mark Hobley on 14 Feb 2010 05:08

Aragorn <aragorn(a)chatfactory.invalid> wrote:

> That's not going to do him any good with regard to his question, because
> what he's asking is not possible, in my humble opinion

He could achieve it by using a suidexec user on the delete command. But it does seem an odd requirement IMHO.

Mark.

--
Mark Hobley
Linux User: #370818
http://markhobley.yi.org/
From: Aragorn on 14 Feb 2010 06:24

On Sunday 14 February 2010 11:08 in comp.os.linux.misc, somebody identifying as Mark Hobley wrote...

> Aragorn <aragorn(a)chatfactory.invalid> wrote:
>
>> That's not going to do him any good with regard to his question,
>> because what he's asking is not possible, in my humble opinion
>
> He could achieve it by using a suidexec user on the delete command.
> But it does seem an odd requirement IMHO.

Not to mention a very dangerous one! :-)

--
*Aragorn* (registered GNU/Linux user #223157)
From: J G Miller on 14 Feb 2010 09:27

On Sun, 14 Feb 2010 06:57:35 +0100, Aragorn wrote:

> The opposite can be accomplished by setting the sticky bit. Then
> everyone can write to the directory, but only the owner of each
> individual file is able to delete his or her files.

But not if they all have a quota of 0 on the file system containing the directory. (Or perhaps they could only create empty files.)