Assigning Directory level permissions

 
Ranch Hand
Posts: 242
Right now, there is a mounted NFS storage on RHEL server at the following location:

mnt/NFS/Data

So I had to request read, write, delete permissions inside Data directory from the server admin.

After getting the permissions, I created three folders viz dev, prod and test inside the Data folder.

So I am the owner of dev, prod and test folders. The way I would like to modify the permissions is as follows:

Scenario 1) No one inside prod and test folders should be able to delete a file and folder including me.

Scenario 2) We should be able to delete files and folders inside the dev directory.

Questions:

1) For scenario 1, I think I should be able to change the permission for others to read and write inside the prod and test folder since I'm the owner. But what about me? Do I need to ask the server admin to take control of permission so that everyone inside prod and test folders should have same permissions including me?

2) Same I should do for dev folder as well?
 
Marshal
Posts: 72479
You should be able to set your own permissions on that folder including for yourself. Full permission for yourself and read for group only would be 740 (if I haven't got my arithmetic totally up the creek). But what is that about restricting deletion? My write permission on my /home/critchie directory appears on Nautilus/caja as “create/delete files and folders”, so I am not sure how you are going to get create permission without delete. You might need to restrict permissions for everybody and change your own permission temporarily.
 
Saloon Keeper
Posts: 12825
I don't think there's a way to prevent the owner of a file to delete their own file, other than taking away their write permission on the directory the file is in. Of course, this prevents the owner from adding new files to the directory, but if you're not concerned about that you can use this strategy.

To prevent users from deleting files or folders that belong to other users, just set the sticky flag on the directory with +t.

You might have more fine-grained control if you use ACLs or SELinux policies, but I don't have any experience with them, so I can't help you with them.
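The two mechanisms discussed so far in the thread are octal modes (740, 760) and the rule that deletion is governed by write permission on the directory rather than on the file. The following POSIX sh script is an added example, not code from any poster here: it maps an octal mode to the rwx string ls -l would show, reports whether a given class (user, group, other) can delete entries in a directory with that mode (which needs both w and x on the directory), and checks the sticky bit Stephan mentioned. The function names, the demo layout under a temporary directory and the sample file names are my own, and the demo assumes GNU stat (stat -c %a) as found on RHEL.

```shell
#!/bin/sh
# Added example: octal modes, rwx strings, and who can delete directory entries.
# Deleting (or creating) an entry needs BOTH w and x on the containing
# directory; the permissions on the file itself do not matter. Root bypasses
# these checks entirely. Function and variable names are my own.

# digit_to_rwx 7 -> rwx, 4 -> r--, 0 -> ---
digit_to_rwx() {
    d=$1
    r='-'; w='-'; x='-'
    if [ $((d & 4)) -ne 0 ]; then r='r'; fi
    if [ $((d & 2)) -ne 0 ]; then w='w'; fi
    if [ $((d & 1)) -ne 0 ]; then x='x'; fi
    printf '%s%s%s' "$r" "$w" "$x"
}

# mode_to_symbolic 740 -> rwxr-----, 1770 -> rwxrwx--T
# (a 4-digit mode carries setuid=4, setgid=2, sticky=1 in its first digit;
# the sticky bit shows as t/T in the "other" execute slot, as ls -l prints it)
mode_to_symbolic() {
    m=$1
    case ${#m} in
        3) special=0; perms=$m ;;
        4) special=${m%???}; perms=${m#?} ;;
        *) printf 'bad mode: %s\n' "$m" >&2; return 1 ;;
    esac
    ug=${perms%?}
    u=$(digit_to_rwx "${perms%??}")
    g=$(digit_to_rwx "${ug#?}")
    o=$(digit_to_rwx "${perms#??}")
    if [ $((special & 4)) -ne 0 ]; then case $u in *x) u="${u%x}s" ;; *) u="${u%-}S" ;; esac; fi
    if [ $((special & 2)) -ne 0 ]; then case $g in *x) g="${g%x}s" ;; *) g="${g%-}S" ;; esac; fi
    if [ $((special & 1)) -ne 0 ]; then case $o in *x) o="${o%x}t" ;; *) o="${o%-}T" ;; esac; fi
    printf '%s%s%s' "$u" "$g" "$o"
}

# can_delete_in_dir MODE CLASS -> yes|no, CLASS is user, group or other.
# Answers: can this class unlink entries inside a directory that has MODE?
can_delete_in_dir() {
    m=$1; class=$2
    perms=${m#${m%???}}            # last three digits, whatever the length
    ug=${perms%?}
    case $class in
        user|owner) d=${perms%??} ;;
        group)      d=${ug#?} ;;
        other)      d=${perms#??} ;;
        *) printf 'class must be user, group or other\n' >&2; return 1 ;;
    esac
    if [ $((d & 2)) -ne 0 ] && [ $((d & 1)) -ne 0 ]; then echo yes; else echo no; fi
}

# sticky_bit_set MODE -> yes|no. With the sticky bit, only an entry's owner
# (or the directory owner, or root) may remove it, even in a group-writable dir.
sticky_bit_set() {
    m=$1
    if [ ${#m} -eq 4 ] && [ $(( ${m%???} & 1 )) -ne 0 ]; then echo yes; else echo no; fi
}

# Optional live demo (run as a normal user: sh perms.sh demo). Lays out prod
# and dev like the thread's share, but under a temporary directory, and shows
# that rm fails in prod (no w on the directory) and succeeds in dev.
demo() {
    base=$(mktemp -d)
    mkdir "$base/prod" "$base/dev"
    touch "$base/prod/report.txt" "$base/dev/scratch.txt"
    chmod 550  "$base/prod"   # owner+group may list and enter; nobody may create or delete
    chmod 1770 "$base/dev"    # owner+group full access; sticky bit stops users removing each other's files
    for d in prod dev; do
        mode=$(stat -c %a "$base/$d")
        printf '%s: %s (%s), group can delete: %s\n' "$d" "$mode" \
            "$(mode_to_symbolic "$mode")" "$(can_delete_in_dir "$mode" group)"
    done
    if rm "$base/prod/report.txt" 2>/dev/null; then
        echo "prod: delete succeeded (running as root?)"
    else
        echo "prod: delete refused as intended"
    fi
    rm "$base/dev/scratch.txt" && echo "dev: delete succeeded as intended"
    chmod -R u+rwx "$base" && rm -rf "$base"
}

if [ "${1:-}" = demo ]; then demo; fi
```

Note that 760 gives the group w without x: members could not even enter the directory, so they could neither delete nor list. A "read only, no delete" group is 750 (or 550 to include the owner), and a shared dev directory where people may delete only their own files is 1770.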
 
Jack Tauson
Ranch Hand
Posts: 242
Thanks for your reply. Please find my answers below:

Campbell Ritchie wrote: Full permission for yourself and read for group only would be 740 (if I haven't got my arithmetic totally up the creek).

I was looking at this article for numeric numbers : https://www.cyberciti.biz/faq/unix-linux-bsd-chmod-numeric-permissions-notation-command/

So 740 would mean the following if I understood correctly:

7 - rwx
4 - Read only (r)
0 - Nothing

Campbell Ritchie wrote: But what is that about restricting deletion?

Basically, when someone is inside prod or test folder, I don't want anyone to delete anything including me. In the above 740 scenario, I am having full permission and group has read and write.

However, when someone is inside dev folder, everyone should have access to delete everything.
 
Campbell Ritchie
Marshal
Posts: 72479

Jack Tauson wrote: Thanks . . . .

That's a pleasure

Jack Tauson wrote: In the above 740 scenario, I am having full permission and group has read and write. . . .

No, 740 means read‑only access for the group. Delete permission would mean write access, and I think you mean 760. That wouldn't grant everybody outside the group any permissions.
 
Jack Tauson
Ranch Hand
Posts: 242
Thanks again. So 740 means read-only access for the group because of the number 4. If I understood it correctly, since the user has 7, I am the only one with rwx permission, right?

And since I don't want myself to delete the files, I can change it to read and write?

Also, under which permission number would Delete fall? If I want to assign a group a permission where they should not be able to delete something, I imagine it won't be read and write permission?
 
Campbell Ritchie
Marshal
Posts: 72479

Jack Tauson wrote: Thanks again. . . .

That's a pleasure

Jack Tauson wrote: I am the only one with rwx permission, right?

If you are the “user”, yes.

Jack Tauson wrote: . . . I can change it to read and write?

I am sure “w” permission would allow you to delete the file.

Jack Tauson wrote: Also, under which permission number would Delete fall? . . .

“4” or “5” or “1”
Please find out about the +t option Stephan mentioned. You can download introductions to the Linux command line from various websites free of charge.
 
Saloon Keeper
Posts: 23441

Stephan van Hulst wrote: I don't think there's a way to prevent the owner of a file to delete their own file, other than taking away their write permission on the directory the file is in.

In straight Linux, I'm pretty sure that being root even overrides root permission restrictions.

However, if selinux is switched on (default in the Red Hat/CentOS/Fedora distros), then that's not a safe assumption, since one of the reasons that selinux was inflicted on an unwary world was to curb root's power.

I should note that there are also very specific selinux settings governing stuff shared via NFS, so it's a good idea to check the sebool options in effect.
 