In GNU/Linux, how to restrict deletion of files and directories owned by a user to a super user only?

2

0

In GNU/Linux, how can directories be set such that the owner can only add/read files/directories to/from them but only a super user can do any deletion in that structure?

Consider this scenario: You are rsyncing some files and directories you own to a directory. You want to be able to write to that directory (and later, when updating the backup---i.e., rsyncing again---write to all of the subdirectories, too) but you don't want to be able to delete anything in this structure, unless you are a super user.

The restricted deletion flag t in chmod does not help in this situation, because it restricts deletion by non-owners.

Setting the mode to u=rX,go= for the files and directories (while transferring using rsync) does not help either, because later rsyncing will not be possible unless the w mode bit is added to all of the directories on the receiver before starting the rsync and that will be very time consuming.

Is ACL the way to go here?

Update: Even with ACL I don't see a way to do this.

Omid

Posted 2011-07-04T20:55:52.973

Reputation: 177

Answers

1

You cannot do that in a standard Linux environment. You may be able to write a rule for SELinux or Tomoyo or whatever, to forbid file deletion, but this will not stop the user from overwriting the file with garbage data or truncating it entirely, whether intentionally or not.

user1686

Posted 2011-07-04T20:55:52.973

Reputation: 283 655
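To make the trade-off in the question and in the answer above concrete, here is an added example (not part of the original posts) that models the classic mode-bit checks for creating, unlinking and truncating. The uids and function names are constructed for illustration, and the model assumes only owner/other bits: groups, ACLs, capabilities and SELinux are ignored.

```python
import stat

OWNER, OTHER, ROOT = 1000, 1001, 0   # constructed uids for this example

def _has(mode, owner_uid, uid, user_bits, other_bits):
    """Mode-bit check for the owner or an unrelated user (no groups, ACLs, capabilities)."""
    if uid == ROOT:
        return True
    bits = user_bits if uid == owner_uid else other_bits
    return mode & bits == bits

def may_create(dir_mode, dir_uid, uid):
    # Adding an entry needs write + search permission on the directory.
    return _has(dir_mode, dir_uid, uid,
                stat.S_IWUSR | stat.S_IXUSR, stat.S_IWOTH | stat.S_IXOTH)

def may_unlink(dir_mode, dir_uid, file_uid, uid):
    # Removing an entry needs exactly the same directory bits as creating one ...
    if not may_create(dir_mode, dir_uid, uid):
        return False
    # ... and the restricted-deletion flag (t) only adds an ownership test,
    # which the owner of the file or of the directory always passes.
    if uid != ROOT and dir_mode & stat.S_ISVTX:
        return uid in (file_uid, dir_uid)
    return True

def may_truncate(file_mode, file_uid, uid):
    # Overwriting or truncating depends on the file's own write bit,
    # not on the directory that contains it.
    return _has(file_mode, file_uid, uid, stat.S_IWUSR, stat.S_IWOTH)

def owner_rights(dir_mode, file_mode=0o644):
    """What the owner of both directory and file may do: (create, unlink, truncate)."""
    return (may_create(dir_mode, OWNER, OWNER),
            may_unlink(dir_mode, OWNER, OWNER, OWNER),
            may_truncate(file_mode, OWNER, OWNER))

if __name__ == "__main__":
    # Plain directory, directory with the t flag, and the u=rX,go= case.
    for mode in (0o755, 0o1777, 0o500):
        print(oct(mode), owner_rights(mode))
```

For the owner, the create and unlink results are identical for every directory mode, which is why mode bits alone cannot grant one without the other.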

1

You may somehow do this using sticky bits.

$ mkdir drop_box
$ chmod 777 drop_box
$ chmod u+s,g+s drop_box
$ ls -l
total 4
drwsrwsrwx    2 tclark   authors      4096 Sep 14 10:55 drop_box

Now anyone can move files to this directory but upon creation in drop_box they will become owned by tclark and the group authors. This example also illustrates how you can change multiple levels of permissions with a single command by separating them with a comma. Just like with the other permissions this could have been simplified into one command using the SUID and SGID numeric values (4 and 2 respectively.) Since we are changing both in this case we use 6 as the first value for the chmod command.

$ chmod 6777 drop_box/
$ ls -l
total 4
drwsrwsrwx    2 oracle   users        4096 Sep 14 10:55 drop_box

Totally not sure if this will help you reach your goal, as I cannot think of the proper permissions to give the files and directories for your example to work. I just posted this in case you have nothing else to go on.

Good luck.

stefgosselin

Posted 2011-07-04T20:55:52.973

Reputation: 438

The point in my question is to not have the owner changed. – Omid – 2011-07-04T21:29:13.927

1

Check out our good friend chattr. If you're using an ext2/3/4-based FS, you can set the immutable or undeletable bit, and not even root can delete the file until you unset the corresponding bit.

cwawak

Posted 2011-07-04T20:55:52.973

Reputation: 446

The question seems to require that the files remain modifiable (in order to update the backup). – user1686 – 2011-07-05T15:36:11.583

Good catch. chattr may not be the best choice to satisfy all requirements. – cwawak – 2011-07-05T17:27:12.053