Linux – How to set the default user in Linux for file creation

acllinux

I want to create a directory, for example:

/public/all

But I want it so that if you create a file in all, the owner is root, but anyone with access to the /public/all folder can delete/edit/etc the file, just not change the permissions. (I will use a self-created "setx" application to change the execute value if needed.)

Reason for this, I don't want you to be able to deny other users write/read access to files in /public/all. I heard setuid on directories doesn't work for that.

Best Answer

You cannot do this; the initial owner is always the object's creator.

What you can do is set the default ACLs to automatically allow read/write to everyone:

setfacl -m default:u::rwx,default:g::rwx,default:o::rwx /public/all

Also optionally set a default group:

chown :nobody /public/all
chmod g+s /public/all

However, none of these will prevent the owner from changing the permissions later.

An alternative solution is to monitor the directory with inotify (using incron) and automatically run chown on creation. Put this to incrontab:

/public/all IN_CREATE chown nobody:nobody $@/$#; chmod 0666 $@/$#

Related Solutions

Linux – Why do you need execute permission on the parent directory to rename a file

The meaning of execute permission for a directory is the ability to look up file names inside that directory. Of course, successfully looking up a file name produces a reference to an inode number, but the execute permission has nothing to do with inodes per se.

Without execute permission on the directory, you can't stat, open, rename, delete, or descend into subdirectories inside that directory. The only thing you can do is see the list of which filenames exist, and then only if you have read permission (and read but not execute is a strange set of permissions to have for a directory).

Consider if you have rw- on a directory. You know that filename foo exists inside this directory. In order to delete it you need to look it up, and you even need access to the inode (to decrement its link count). For that matter, you need access to the inode in order to tell if it's a directory or not (because if it's a directory, unlink should fail and rmdir should succeed, and the reverse if it's not a directory). But you can't look it up.

How to set default (not inherit) acl permissions on file creation

There is no "default ACL" in NFSv4 ACLs. However, you have a precise control over what is inherited and by what. In particular, you can add ACEs to be inherited by files, and another set that can be inherited by directories. Like this - the first three will apply to directories, the following three - to files. Note that directories will inherit both, but the "file" entries will have the "i" (inherit_only) flag set, so they won't apply to the directory itself - they are there only to be inherited by files in the directories. So, this is the ACL on the parent directory:

        owner@:rwxp----------:-di----:allow
        group@:r-x-----------:-di----:allow
     everyone@:r-x-----------:-di----:allow
        owner@:rw-p----------:f-i----:allow
        group@:r-------------:f-i----:allow
     everyone@:r-------------:f-i----:allow
        owner@:rwxp--aARWcCos:-------:allow
        group@:r-x---a-R-c--s:-------:allow
     everyone@:r-x---a-R-c--s:-------:allow

This is what will be inherited by files (the 'I' flag means the entry was inherited; it didn't exist before FreeBSD 11-CURRENT):

        owner@:rw-p----------:------I:allow
        group@:r-------------:------I:allow
     everyone@:r-------------:------I:allow

This is what will be inherited by directories (the 'i' flag means 'inherit_only' - the ACE is there, but it doesn't affect the actual access permissions for it; it's only to be inherited down):

        owner@:rwxp----------:-d----I:allow
        group@:r-x-----------:-d----I:allow
     everyone@:r-x-----------:-d----I:allow
        owner@:rw-p----------:f-i---I:allow
        group@:r-------------:f-i---I:allow
     everyone@:r-------------:f-i---I:allow

Best Answer

Related Solutions

Linux – Why do you need execute permission on the parent directory to rename a file

How to set default (not inherit) acl permissions on file creation

Related Question