What’s the best way to configure shared filesystem directories? (beyond standard unix perms)

permissions, security

I have multiple users on my system. I'd like to have shared directories like music, video, pictures etc. The problem is that I want users to be able to write any new files to any directory, but not be able to delete or modify any files they don't own. With standard unix perms, if you can add a file to a directory you can also delete others. I'd also like to make sure all the files in these directories are always readable by the user group.

Can I do this with POSIX ACLs, or do I need something more advanced like SELinux (or another security framework)?

Example of what I don't want to work:

su - root
mkdir /home/music
chmod 775 /home/music
chgrp users /home/music
su - user1
touch /home/music/testfile
ll /home/music/testfile
su - user2
rm /home/music/testfile
ll /home/music

Best Answer

If I understand you correctly, you want the same semantics for your music/video etc. directories as for /tmp.

For this, you could put the sticky bit on the directories. To quote from the chmod man-page:

RESTRICTED DELETION FLAG OR STICKY BIT

The restricted deletion flag or sticky bit is a single bit, whose interpretation depends on the file type. For directories, it prevents unprivileged users from removing or renaming a file in the directory unless they own the file or the directory; this is called the restricted deletion flag for the directory, and is commonly found on world-writable directories like /tmp.
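
The following is an added example, not part of the original answer: it applies the sticky bit to a shared directory such as the question's /home/music and audits the tree for writable subdirectories that lack it, since a subdirectory created later does not inherit the sticky bit. The function names are hypothetical, and the setgid bit (so new files keep the shared group) is an addition that goes beyond the answer.

```shell
#!/bin/sh
# Added example. Function names are hypothetical; pass your own path and group,
# e.g.  make_shared_dir /home/music users   (run as root or the directory owner).

# Create (or fix) a shared directory with /tmp-like deletion rules.
#   1000 sticky: only a file's owner, the directory owner or root may
#        remove or rename an entry
#   2000 setgid: new files and subdirectories take the directory's group
#        (Linux behaviour; an assumption beyond the quoted man page)
#   0775 owner and group may add entries, others may only read
make_shared_dir() {
    dir=$1
    group=${2:-}
    mkdir -p "$dir" || return 1
    if [ -n "$group" ]; then
        chgrp "$group" "$dir" || return 1
    fi
    chmod 3775 "$dir"
}

# Print every directory under $1 that is group- or world-writable but has no
# sticky bit. In such a directory any user with write access can delete
# files owned by someone else, exactly as in the question's transcript.
find_unprotected_dirs() {
    find "$1" -type d \( -perm -020 -o -perm -002 \) ! -perm -1000 -print
}

# Return 0 when the tree is clean, 1 when at least one directory is exposed.
audit_shared_tree() {
    exposed=$(find_unprotected_dirs "$1")
    if [ -n "$exposed" ]; then
        printf 'writable without sticky bit:\n%s\n' "$exposed" >&2
        return 1
    fi
    return 0
}
```

Running `audit_shared_tree` periodically (for example from cron) catches subdirectories that users create after the initial setup.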
