[olug] share a folder rw, but not deletable?

Jay Hannah jay at jays.net
Thu Mar 27 14:04:29 UTC 2003


Brian Wiese wrote:
> |A user can delete a directory only if they have write permissions to the
> |directory above the directory in question.
> 
> Great, this... 'will work' and I can make it happen, thanks!  I'm really
> starting to realize just how limited a filesystem is without mandatory
> and discretionary access control lists.  It's just an odd difference to
> keep in mind (one of several I've discovered) between Unix and Windows
> NTFS file systems... where you can give a user "delete" permissions.

Limited? How so? What can't you do? Once you spend a half hour learning
it, Unixy file permissioning is easy. I've never bothered to care about
WinX file permissioning. (I am not an MS admin.)

> Next Q: Anyone know of any good alternative unix filesystems (non ext2/3)
> that have more access control built in?

I applaud your bravery -grin-, but that seems like a lot of work to me.
Again, what can't you do?

Thom Harrison wrote:
> The only possible problem is that the users can't delete any other files in
> aaa either.  Apparently that's not a problem in Brian's case though.

True. Good point. But it's hard for me to think of a real-world case
where that would be a problem.

> Another way to make the directory non-deletable by non-root users is to set
> the directory "t" permission and create a file within the directory that is
> owned by root.

Ooo! Sneaky.  :)  Talking about the sticky bit will quickly disprove my
"Unixy file permissioning is easy" assertion above. -grin- 

> The drawback is, of course, that a user has to own any files that they want
> to delete.  ( drawback? guess it depends on the situation ).

In addition to that, I'm afraid that users may still be able to MOVE the
directory in question. I assume Brian wanted to block that too. I messed
around with a bunch of test cases, and whether or not you can move a
sticky bitted directory seems to be a magical combination of directory
and parent directory permissions. If the parent directory is locked
down, you're fine. If not, you could have a problem. But that brings us
away from sticky bits and back to my suggestion of parent directory
control. -grin-

After spending an hour researching when you can and can't move sticky
bitted directories (on the same filesystem or across different
filesystems), I'd be very surprised to find out that Brian needs
something more complicated. Ugh. -laugh-

Cheers,

Jay Hannah
Omaha Perl Mongers: http://omaha.pm.org
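An added example (not part of the original thread or anyone's posted commands) of the "parent directory control" layout Jay describes, combined with Thom's sticky-bit suggestion: a share directory that users can write into but cannot delete or rename, because the parent directory is not writable by them. It assumes only a scratch directory created with mktemp; the rename check reports "moved" when run as root, which illustrates the point that the parent's permissions are what stop ordinary users, not the sticky bit on the share itself.

```shell
#!/bin/sh
# Added example, not from the original thread. Works in a mktemp scratch
# directory so it touches no real users or system paths.
set -eu

# Lay out parent/share. Users may create files inside share, but they cannot
# delete or rename share itself: that requires write permission on parent.
setup_locked_share() {
    base=$1
    mkdir -p "$base/parent/share"
    # parent: only the owner may add, unlink or rename entries in it
    chmod 755 "$base/parent"
    # share: world-writable plus sticky bit, so a user may remove only files
    # they own (a root-owned file inside it can therefore never be cleared
    # out by an ordinary user, which is the trick Thom mentions)
    chmod 1777 "$base/parent/share"
}

# Ten-character symbolic mode of a path, e.g. drwxrwxrwt
mode_string() {
    ls -ld "$1" | cut -c1-10
}

# Whether the sticky bit is set on a path: prints "yes" or "no"
sticky_set() {
    case $(mode_string "$1") in
        *t|*T) echo yes ;;
        *)     echo no ;;
    esac
}

# Attempt to rename share within its (locked-down) parent and restore it.
# Prints "moved" or "denied". As root this is always "moved"; as a user
# without write access to parent it is "denied".
try_move_share() {
    base=$1
    if mv "$base/parent/share" "$base/parent/share.moved" 2>/dev/null; then
        mv "$base/parent/share.moved" "$base/parent/share"
        echo moved
    else
        echo denied
    fi
}

scratch=$(mktemp -d)
setup_locked_share "$scratch"
echo "parent: $(mode_string "$scratch/parent")"
echo "share:  $(mode_string "$scratch/parent/share") (sticky: $(sticky_set "$scratch/parent/share"))"
echo "rename attempt as uid $(id -u): $(try_move_share "$scratch")"
rm -rf "$scratch"
```

To see the "denied" case, run the script as one user and then, as a second unprivileged user, try to rm or mv the share directory: both fail on the parent's permissions, while creating files inside the share still succeeds.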