I am trying to prevent users from accidentally deleting a certain
folder in a parent folder, while still giving them modify permission
on all other files and folders in the parent folder. But they should
be also able to modify files and folders in this certain folder
Prevent Folder Deletion or inadvertent Drag and Drop with NTFS security
If you want to prevent a specific folder from being deleted or dragged and dropped elsewhere, even if it has elevated implicit permissions, you can set an explicit DENY
to the FOLDER ONLY
for the user account or security group which you want to prevent this action from being performed.
You can complete this folder security lock down using ICACLS with a local path (e.g C:\Path\FolderA\FolderE
) or a UNC path (e.g \\server\share\FolderA\FolderE
).
Example ICACLS syntax to run from an elevated command prompt
ICACLS "\\server\share\FolderA\FolderE" /deny "<UserOrGroupNameToDeny>":(DE)
Permissions Used
/deny user:permission
Explicitly deny the specified user access rights.
This will also remove any explicit grant of the
same permissions to the same user.
perm is a permission mask and can be specified in one of two forms:
a comma-separated list in parentheses of specific rights:
DE - delete
What this does
Running the above with those options in that syntax will set an explicit DENY
to the NTFS DELETE
permission on that FOLDER ONLY
to that specific user account of security group.
You can confirm the deny permissions to the folder for the user account or security group by:
right-click
the folder you've used in the command,
- Select the Security tab,
- In the
Group or user name:
area scroll to or select and highlight
the account or group you've used in the command,
- In the
Permissions for Administrators
area you will see the NTFS permission attributes for Allow
and Deny
- You'll see a check mark in the
DENY
column of the special permissions
row for the account or group you've used in the command
- Select Advanced and go to the Permissions tab
- Check for the
Name
(or Principal
) value that you used in command, for DENY
in the Type
field
- The
Permissions
(or Access
) field should show Delete
and the Apply to
(or Applies to
) will show this folder only
NOTES
Please note that unchecking an ALLOW DELETE attribute is not the same as leaving that in place as-is and then creating a separate NTFS ACL rule for this same security group or user account saying to explicitly DENY the DELETE security.
This solution does NOT disallow DELETE this way
(WRONG)
This solution WILL explicitly DENY DELETE at this level to THIS FOLDER ONLY
(CORRECT)
(CORRECT)
Further Reading and Resources
I don't know why you would need an "untrusted" group if you only have one "guest" (and you should only have one guest, usually). The group "guest" can be used as "untrusted" would. Anyway, I'll try to be brief with an explanation to point you in the right direction:
??? (did I do the above so far correctly???) --I still want other
super users to be able to see guest's files.
Anyone who's logged into the account "root" can do this. Either use su -c "do something"
or sudo do something
. To login as root, use su root
(or just su
as it defaults to root with no args) or sudo -i
(but know that logging in as root is discouraged for novice users).
What's the point of making the "untrusted" group anyway? I don't see
how it changes anything.
Precisely. However, on, say, a fileserver, it can be very useful to have specific groups for specific access purposes. Development and testing environments may benefit from running processes with fewer priviledges, testing untrusted binaries (though jails are better for this). Generally, having an untrusted user can be useful in enterprise, but not for a stock desktop or workstation. There may be plenty more use-cases, so before this digresses, I'll stop at that and leave the rest to your reading.
Revoke the read, write, and execute (rwx) Group and Other rights on
all other home directories: ??? If I do chmod go-rwx /home/*/, then
other sudoers can't even read guest's directories--that's not what I
want!--I just want guest to not be able to read others' directories
No, of course you don't. Revoking g (group) access will mess things up badly in this instance and not achieve your goals (to prevent guest messing with other users' home). Read this short explanation:
The default nature of adding a new user via adduser is:
- New user created with matching primary group id.
- New user receives a home folder, usually /home/USERNAME/ which that user has rwx privileges for.
- By default, no other privileges are given and no supplementary groups are assigned to the user (I hear some configurations do this, but it's not "vanilla" behaviour).
- Therefore, simply creating the user achieves everything you've stated you want to achieve. In other words, start over by deleting the user and home directory of the user and don't change anything until you know what, if anything, needs altering. You can see the account's groups after creating it with
id USER
. Thus you can remove any groups you guest shouldn't be in if your system has odd default behaviour.
I just want guest to not be able to read others' directories
By default, guest can read-only other files. If you want to make files private (visible only to the owner, group, and root), chmod -R o-rwx
their directory. The 'o' means "other" or "world". This flag refers to anyone whose is not the file owner or a member of the group that owns the file (with the exclusion of root who is basically your User-Almighty). 'o-x' is needed to ensure directory listings cannot be made as directories are executable (out of scope)
Take ownership of any directories you want "guest" to have access to.
Note that since we used adduser above, guest already has access to his
"/home/guest" home folder. However, giving user "guest" of other
directories can be done as follows: sudo chown -hR guest
/any/directory/you/want/guest/to/own
No. If you want to share folders, create a new group called "shareful" (that's a joke because you must be "careful") and add all users who will share the directory to this group (usermod -aG shareful myuser
). Then chown the group ownership of said folder to the shareful group (chown -R :shareful /this/path/
) and chmod the permissions so group has rwx (chmod -R g+rwx /this/path
). At this point you'll start wanting to look into umask, but that's out of the scope of this post.
Below is a link to umask info, but first, I think you need to re-read up on on basic *NIX file permissions (the first two links).
File Permissions:
(Wikipedia) https://en.wikipedia.org/wiki/File_system_permissions
(UNIX.com) http://www.unix.com/tips-and-tutorials/19060-unix-file-permissions.html
Linux and umask:
(Unfamiliar source) https://www.cyberciti.biz/tips/understanding-linux-unix-umask-value-usage.html
Hope this clarifies things at least enough to achieve what you want.
Best Answer
Change the permissions of the Home folder...
You need to modify the Home folder's permissions using either:
for chmod
Open a terminal in the home folder and chmod the permissions
for the 'File Permissions' dialog
See this link for more info.