
A sticky bit set on a directory is a means for "Restricted Deletion" — according to the manual:

For directories, it prevents unprivileged users from removing or renaming a file in the directory unless they own the file or the directory; this is called the restricted deletion flag for the directory, and is commonly found on world-writable directories like /tmp

The thing is, it has a rather wide scope; only the root user is excluded from it.

Can you suggest a technique to get "restricted deletion" applied to specific user (or a group of users) only?

poige
  • This technique is usually used for temp directories only where restricting it to specific groups or users is not needed. Can you please explain what your original problem is what you are trying to solve and why you want to solve it with a sticky bit instead of the usual file system permissions and ACLs? – Steffen Ullrich Sep 07 '17 at 06:48
  • Because you can't emulate "restricted deletion" with Linux ACLs, that's why. If you have given a user the ability to write to a directory, it means he can rename and unlink all the files in this directory, even if they don't belong to that user. – poige Sep 07 '17 at 07:29
  • I'm aware that you cannot do what you want with standard permissions or ACL's. With my question for the original problem I've tried instead to get the use case where you need restricted deletion limited to specific users in the first place and if it would not be possible to implement this specific (unknown) use case without the restricted deletion you envision. Or in other words: I've asked for the X inside the [XY problem](https://meta.stackexchange.com/questions/66377/what-is-the-xy-problem). – Steffen Ullrich Sep 07 '17 at 08:54
  • That's the task and it's not discussed. It would be an improper place to discuss the task itself. The technical solution is discussed instead. – poige Sep 07 '17 at 09:05
  • Only, if there is no technical way to implement your "solution" it might be better to take a look back at the actual problem to find a solution which is actually doable. I was just trying to be helpful in solving your original problem since I doubt that it can be solved in the way you want. – Steffen Ullrich Sep 07 '17 at 09:52
  • There's no help needed except technical advice on topic, that's the thing. – poige Sep 07 '17 at 10:26

1 Answer


If everyone who needs to remove or rename files can do so via the shell and you don't need arbitrary programs to be able to rename/unlink files, then you can combine sudo and the sticky bit for this effect. Set the sticky bit on the directory. Set the directory to be owned by a dedicated user. Grant everyone bar the restricted user the ability to execute rm and mv as the dedicated user via sudo.

William Hay
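One way to implement the sudo approach from this answer, as an added example that is not part of the original answer: it assumes a constructed layout with a sticky, world-writable /srv/shared owned by a dedicated user `shareowner`, and a group `editors` containing everyone except the restricted user. Instead of granting bare `rm`/`mv` (which would let group members act as `shareowner` on any file that user can reach), sudo is pointed at a small wrapper that only accepts direct entries of the shared directory.

```bash
#!/bin/bash
# shared-fileop: invoked as the directory owner through sudo, e.g.
#   sudo -u shareowner shared-fileop rm /srv/shared/old.log
# Constructed setup this wrapper assumes:
#   chown shareowner /srv/shared && chmod 1777 /srv/shared      # sticky + world-writable, like /tmp
#   /etc/sudoers.d/shared-dir:
#   %editors ALL=(shareowner) NOPASSWD: /usr/local/sbin/shared-fileop
# The restricted user is simply not in "editors": the sticky bit still binds them,
# while everyone else can remove/rename any file in the directory via the wrapper.
SHARED_DIR="${SHARED_DIR:-/srv/shared}"

# Succeed only if $1 names a direct child of SHARED_DIR. The parent directory is
# resolved with realpath so ".." components and symlinked subdirectories cannot escape.
in_shared_dir() {
    local target="$1" parent base
    base=$(basename -- "$target")
    case "$base" in ''|.|..|/) return 1 ;; esac
    parent=$(realpath -e -- "$(dirname -- "$target")") || return 1
    [ "$parent" = "$(realpath -e -- "$SHARED_DIR")" ]
}

# Remove one or more files, refusing the whole call if any path is outside the directory.
shared_rm() {
    local f
    for f in "$@"; do in_shared_dir "$f" || { echo "refused: $f" >&2; return 1; }; done
    rm -- "$@"
}

# Rename within the directory only: both source and destination must be direct entries.
shared_mv() {
    [ $# -eq 2 ] || return 1
    in_shared_dir "$1" && in_shared_dir "$2" || { echo "refused: $1 -> $2" >&2; return 1; }
    mv -- "$1" "$2"
}

main() {
    case "$1" in
        rm) shift; shared_rm "$@" ;;
        mv) shift; shared_mv "$@" ;;
        *)  echo "usage: shared-fileop rm FILE... | mv SRC DST" >&2; return 2 ;;
    esac
}
[ $# -eq 0 ] || main "$@"
```

Because the wrapper runs as the directory owner, it can delete or rename entries regardless of who created them, which is exactly what the sticky bit otherwise prevents for the unprivileged group members.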