Linux File Permissions – Allow Owner to Create and Read Files Only

aclfileslinuxpermissions

I would like to give a user permissions to create and read files in a particular directory, but not to modify or delete files. If the user can append to files that is ok, but I'd rather not. This is on Ubuntu Linux.

I think this is impossible with standard Unix file permissions, but perhaps this is possible using ACLs? The user will always be connecting using SFTP, so if there was some way to control this within SFTP (as opposed to OS permissions) that would be fine.

To be absolutely clear, I want the following:

echo hello > test # succeeds, because test doesn't exist, and creation is allowed
echo hello >> test # can succeed or fail, depending on whether appending is allowed
echo hello2 > test # fails, because test already exists, and modification is not allowed
cat test # succeeds, because reads are allowed
rm test # fails, because delete is not allowed

If you're wondering why I want to do this, it's to make a Duplicati backup system resistant to Ransomware.

Best Answer

You could use bindfs like:

$ ls -ld dir
drwxr-xr-t 2 stephane stephane 4096 Aug 12 12:28 dir/

That directory is owned by stephane, with group stephane (stephane being its only member). Also note the t that prevents users from renaming or removing entries that they don't own.

$ sudo bindfs -u root -p u=rwD,g=r,dg=rwx,o=rD dir dir

We bindfs dir over itself with fixed ownership and permissions for files and directories. All files appear owned by root (though underneath in the real directory they're still owned by stephane).

Directories get drwxrwxr-x root stephane permissions while other types of files get -rw-r--r-- root stephane ones.

$ ls -ld dir
drwxrwxr-t   2 root     stephane   4096 Aug 12 12:28 dir

Now creating a file works because the directory is writeable:

$ echo test > dir/file
$ ls -ld dir/file
-rw-r--r-- 1 root stephane 5 Aug 12 12:29 dir/file

However it's not possible to do a second write open() on that file as we don't have permission on it:

$ echo test > dir/file
zsh: permission denied: dir/file

(note that appending is not allowed there (as not part of your initial requirements)).

A limitation: while you can't remove or rename entries in dir because of the t bit, new directories that you create in there won't have that t bit, so you'll be able to rename or delete entries there.

Related Solutions

Linux – did FreeBSD lose the w mask but Debian retained it

In short I’d say (assume) they’re using umask differently.

0022 is exactly group-other unset W. You can change umask to remove write prohibition and check the result.

Citing Solaris aka SunOS manual (and comments as well) since that seems to be pretty related: "… The umask(1) will not be applied if the directory contains default ACL entries. …"

Linux Permissions – Allow All Users to Create Files in Directory but Only Owner Can Delete

The sticky bit can do more or less what you want. From man 1 chmod:

The restricted deletion flag or sticky bit is a single bit, whose interpretation depends on the file type. For directories, it prevents unprivileged users from removing or renaming a file in the directory unless they own the file or the directory; this is called the restricted deletion flag for the directory, and is commonly found on world-writable directories like /tmp.

That is, the sticky bit's presence on a directory only allows contained files to be renamed or deleted if the user is either the file's owner or the containing directory's owner (or the user is root).

You can apply the sticky bit (which is represented by octal 1000, or t) like so:

# instead of your chmod 755
chmod 1777 directory

# or, to add the bit to an existing directory
chmod o+t directory

Best Answer

Related Solutions

Linux – did FreeBSD lose the w mask but Debian retained it

Linux Permissions – Allow All Users to Create Files in Directory but Only Owner Can Delete

Related Question