Linux – about Linux read/write only permissions

centosfile-permissionslinux

My question looks similar to another thread:
https://stackoverflow.com/questions/869536/linux-directory-permissions-read-write-but-not-delete

Here, I want to create a directory where I can give the permissions like:

A user can create/upload any files.
A user can re-upload and overwrite the files.
A user cannot remove the file anymore.

I am on CentOS 5.5, basic user only.
How can I do that? Or is there any third party software that can be installed to do this?
Or, create a new process which will lock the permissions right after a new file
is uploaded via ssh?

Best Answer

You cannot achieve that, even with ACLs, on Unix-derivative systems.

All else apart, if the user can overwrite the contents of the file, it is equivalent to delete (they can write nothing, leaving an empty file, or they can write junk).

Related Solutions

Linux: prevent SFTP users from deleting FTP’d files even straight after they upload them

Apologies i do not have sufficent reputation here to post all the links inline. I have prepared a gist which preserves them: https://gist.github.com/3590779

There's no way to achieve this with simple permissions. Due to OpenSSH's sftp-server you won't be able to implement the full requirements list but depending on the filesystem the files are being uploaded to, you can leverage [attributes] and [ACLs] to achieve some of your requirements.
Yes, the [sftp-server takes a -u parameter] (you can set this in your [sshd_config] on the Subsystem sftp line) which sets the umask for all uploads.
Yes, you can make use of inotify, one way may be with the [incron] tool although there are many ways to use inotify. Inotify allows you to have the kernel notify a userspace program on a filesystem event you identify, e.g. adding a file to a directory. You can then run a command on this event.

(3 Part 2) An alternative approach that may not be suitable for you is to use something like vsftpd with SSL protected FTP. This allows for encrypted FTP but because vsftpd is a full featured FTP server it provides simple configuration (see the [chown_uploads parameter] in vsftpd.conf) to match your exact needs.
Yes, via the inotify subsystem, you could register a watch for the [IN_CLOSE_WRITE] event.

Linux – Setting Correct Permissions for Uploading Files

Try running:

ps -ef | grep apache

and look at the left-most column corresponding to the Apache server. This is the user that is running Apache, and by inheritance also PHP.

Change ownership of the upload directory to this user and restrict the permissions a bit, e.g. if the web server user was www-data that belongs to the group of the same name (using a sample path of /var/www/uploads):

sudo chown www-data:www-data /var/www/uploads
sudo chmod 755 /var/www/uploads

(or whatever permissions you want in this instance). I use sudo in the example commands — I don't know exactly how the EC2 systems are set up in this regard to get superuser privileges.

If you have already uploaded files/directories, you might want to change ownership and permissions on them as well. To do this, going from 777 to more reasonable permissions, you could run:

sudo chown -R www-data:www-data /var/www/uploads
sudo chmod -R 755 /var/www/uploads
sudo find /var/www/uploads -type f -exec chmod -x {} \;

Don't "blindly" run commands if you do not understand each part of them. Check the man pages if anything is unclear (it should be quite straightforward).

Best Answer

Related Solutions

Linux: prevent SFTP users from deleting FTP’d files even straight after they upload them

Linux – Setting Correct Permissions for Uploading Files

Related Question