Linux – How to prevent file owner from changing/deleting their own file? Linux CentOS

access-control-listcentoslinuxpermissions

This is NOT your standard "how do permissions work" question!

I'm thinking the answer will probably involve ACL, but I don't know how exactly.

I've messed around with standard permissions, guid, sticky bit, etc. Doesn't work.

What I want:
User will upload files. User will have ability to change permissions on files to allow execution. But user will not be able to change the contents of file once it's created. And user will not be able to delete the file.

Please help! I've been tearing my hair out for hours!

EDIT:

Thanks for the answers but so far they don't seem to address how to have this work automatically for newly-created files.

Possible solution:

find -mtime -1 -exec chattr +i '{}' \+

2nd possible solution:

inotifywait -m -e create --format %f .

Now I just need to figure out to pipe that to chattr.

Best Answer

You can try to use 'chattr'

Example:

urug@nada.cclan:~$ sudo chattr +i plik.txt 
urug@nada.cclan:~$ rm plik.txt 
rm: remove write-protected regular empty file `plik.txt'? y
rm: cannot remove `plik.txt': Operation not permitted
urug@nada.cclan:~$ chattr -i plik.txt 
chattr: Operation not permitted while setting flags on plik.txt

Related Solutions

Linux File Ownership – How to Inherit File Ownership

POSIX ACLs will let you set inheritable ACLs. If you set the default acl for a directory, this is inherited down the stack as new files are created.

$ sudo mkdir /tmp/acltest
$ ls -ld /tmp/acltest 
drwxr-xr-x 2 root root 4096 2011-01-13 20:39 /tmp/acltest
$ touch /tmp/acltest
touch: setting times of `/tmp/acltest': Permission denied

At this point my user (daniel) can't create files in this directory. I set the default acl for the directory, as well as setting a user acl on the top directory (the default applies to files/directories created in this directory, not to the actual directory itself)

$ sudo setfacl -m d:u:daniel:rwx /tmp/acltest/
$ sudo setfacl -m u:daniel:rwx /tmp/acltest/

And now, I can create a file:

$ touch /tmp/acltest/foo
$ ls -la /tmp/acltest/foo 
-rw-r--r-- 1 daniel daniel 0 2011-01-13 20:41 /tmp/acltest/foo

Additionally, I can do anything I like to files that other users create in this directory:

$ sudo mkdir /tmp/acltest/foo2
$ ls -ld /tmp/acltest/foo2
drwxrwxr-x+ 2 root root 4096 2011-01-13 20:49 /tmp/acltest/foo2
$ sudo touch /tmp/acltest/foo2/bar
$ ls -la /tmp/acltest/foo2/bar 
-rw-rw-r--+ 1 root root 0 2011-01-13 20:43 /tmp/acltest/foo2/bar

Normal unix permissions won't let me touch this, however ACLs say otherwise:

$ getfacl /tmp/acltest/foo2/bar
# file: tmp/acltest/foo2/bar
# owner: root
# group: root
user::rw-
user:daniel:rwx         #effective:rw-
group::r-x          #effective:r--
mask::rw-
other::r--

Note that this file is inside a subdirectory of the /tmp/acltest directory, and so normal unix permissions wouldn't let me do anything with this file.

And indeed, the user daniel can do whatever they like to this file:

$ mv /tmp/acltest/foo2/bar /tmp/acltest/foo2/bar2
$ ls -la /tmp/acltest/foo2/
total 8
drwxrwxr-x+ 2 root root 4096 2011-01-13 20:49 .
drwxrwxr-x+ 3 root root 4096 2011-01-13 20:43 ..
-rw-rw-r--+ 1 root root    0 2011-01-13 20:43 bar2

Note that the default acls will only propagate as new files and directories are created. You'll need to do a recursive set operation once to set everything in place, then after that your default acl will take over.

In order to user acls, you'll need to make sure your filesystem is mounted with the acl option in /etc/fstab.

TL;DR POSIX ACLs will allow you to set sticky user/group permissions that propagate down a filesystem tree.

EDIT: Formatting and mount option

Linux – Setting default file permissions in shared directory using ACL and umask

It turns out that file permissions of rw-rw-r-- (or 644) are adequate for our requirements.

Best Answer

Related Solutions

Linux File Ownership – How to Inherit File Ownership

Linux – Setting default file permissions in shared directory using ACL and umask

Related Topic