I want to set up a directory where all new files and directories have a certain access mask and also the directories have the sticky bit set (the t
one, which restricts deletion of files inside those directories).
For the first part, my understanding is that I need to set the default ACL for the parent directory. However, new directories do not inherit the t
bit from the parent. Hence, non-owners can delete files in the subdirectories. Can I fix that?
Best Answer
This is a configuration that allows members of a group, acltest, to create and modify group files while disallowing the deletion and renaming of files except by their owner and "others," nothing. Using the username, lev and assuming umask of 022:
Log out of the root account and the lev account. Log in and become root or use sudo:
ACL cannot set the sticky bit, and the sticky bit is not copied to subdirectories. But, you might use inotify or similar software to detect changes in the file system, such as new directories, and then react accordingly.
For example, in Debian:
Then make a script for inotify, like
/usr/local/sbin/set_sticky.sh
.Give it execute permission for root:
chmod 0700 /usr/local/sbin/set_sticky.sh
. Then run it at boot time from, say,/etc/rc.local
or whichever RC file is appropriate:Of course, in this example,
/tmp/acltest
should disappear on reboot. Otherwise, this should work like a charm.