Filesystem ACLs are going to be your best solution here.
You can set a default ACL on directories, and when a file is created in that directory, it inherits the default ACL. You can then set this default ACL to allow access to the files.
For example, if you wanted to grant all users of the group mygroup read/write access to /var/www, you can do:
setfacl -R -m group:mygroup:rw /var/www
setfacl -R -d -m group:mygroup:rw /var/www
The first line sets the ACL on all the existing files. The second line sets the default for any new files.
And while I think it's a bad idea, if you really want to allow all users full access to the files:
setfacl -R -m other::rw /var/www
setfacl -R -d -m other::rw /var/www
Note that this will require your filesystem to be mounted with ACL support. If this is not currently the case, you can do so via mount -o remount,acl /var/www (or whatever the mountpoint is). Then edit your /etc/fstab and add the acl option to the appropriate line.
You could use bindfs like:
$ ls -ld dir
drwxr-xr-t 2 stephane stephane 4096 Aug 12 12:28 dir/
That directory is owned by stephane, with group stephane (stephane being its only member). Also note the t that prevents users from renaming or removing entries that they don't own.
$ sudo bindfs -u root -p u=rwD,g=r,dg=rwx,o=rD dir dir
We bindfs dir over itself with fixed ownership and permissions for files and directories. All files appear owned by root (though underneath in the real directory they're still owned by stephane). Directories get drwxrwxr-x root stephane permissions while other types of files get -rw-r--r-- root stephane ones.
$ ls -ld dir
drwxrwxr-t 2 root stephane 4096 Aug 12 12:28 dir
Now creating a file works because the directory is writeable:
$ echo test > dir/file
$ ls -ld dir/file
-rw-r--r-- 1 root stephane 5 Aug 12 12:29 dir/file
However it's not possible to do a second write open() on that file as we don't have permission on it:
$ echo test > dir/file
zsh: permission denied: dir/file
(Note that appending is not allowed there either, as it was not part of your initial requirements.)
A limitation: while you can't remove or rename entries in dir because of the t bit, new directories that you create in there won't have that t bit, so you'll be able to rename or delete entries there.
Best Answer
The sticky bit can do more or less what you want. From man 1 chmod:
That is, the sticky bit's presence on a directory only allows contained files to be renamed or deleted if the user is either the file's owner or the containing directory's owner (or the user is root).
You can apply the sticky bit (which is represented by octal 1000, or t) like so: