I have a Unix file system in which I would like to emulate an OS X-like Home folder where I have a 'Public' subfolder that is writable for all but where no files can be deleted.

I installed ACL on the system and modified the /etc/fstab to mount it with acl rights.

When I now look at the permissions on the OS X home folder with ls -le:

0 drwxr-xr-x+ 5 cb0 staff 170 17 Nov 23:46 Public
0: group:everyone deny delete

My first question is if there is an equal command on Linux to get this list, because the -e option does not exist on Linux systems.

The next problem is the option group:everyone deny delete; I think this tells ACL on OS X that only the users of the group can delete files in there.

How can I achieve this on a Linux machine? I cannot add additional information to setfacl, or is there any other command to achieve this?

Thanks indeed

cb0

2 Answers

The corresponding Linux commands are:

  • ls : Any line with a + after the permissions has ACLs on it (rwxrwxrwx+).
  • setfacl : Add / modify ACLs on the file
  • getfacl : Read ACLs on the file

Now, I don't know OS X all that well, but when I read those ACLs I see something different. To me, "group: everyone deny delete" would be a rule that states that members of the "everyone" group are denied the ability to delete files.

On Linux, however, there is no such thing as "deny delete". The ability to delete is granted by the ability to write. Therefore, if you want to deny delete you also have to deny write, which may not be exactly what you're looking for. Then again, you have to figure that it makes sense ... If I can write to a file, technically there is nothing preventing me from zeroing out the file's contents.

But with such a broad rule that seems to act as a catch-all you don't really need ACLs at all. Just set the "other" permissions to r-- ( 0600 ) and users that are neither the owner nor part of the owning group will be unable to write or execute the file. In your example that would mean anyone that is neither the user cb0 nor part of the group staff.

That being said, if you are interested in more in-depth information on ACLs and their respective commands, I would suggest you take a moment to carefully read through the POSIX Access Controls document: http://www.suse.de/~agruen/acl/linux-acls/online/

jonathanserafini
  • Thanks very much, now I really think I don't need ACL at all to do it. To emulate the "don't delete" feature I'll just remove the write permission, thanks for the hint – cb0 Feb 17 '10 at 14:41
  • On Linux (POSIX) you can actually separate the 'delete a file' and 'write to a file' permissions. The ability to delete a file is controlled by the directory permissions and the ability to write to a file is controlled by the file permissions. – MikeyB Feb 17 '10 at 15:07
  • MikeyB, though technically correct, that should probably be rephrased as: The ability to write a file is controlled by the directory permissions. The ability to delete a file is controlled by the directory permissions. The ability to modify / append to a file is controlled by the file permissions. E.g.: Attempting to create a file in a directory you have no write permissions on will fail. – jonathanserafini Feb 18 '10 at 00:30

You probably need to set the sticky bit on "others" on the dir.

E.g. chmod o+t <dir>

This allows the owner of a file to delete it, but no one else (except, of course, privileged users).

As far as I know, on a Unix file system it's not possible to prevent a file's owner from deleting it (without changing the containing dir's perms after the file was created).

delerious010: FYI, OS X has additional ACLs grafted into its file system permissioning model that are not available on most Unix file systems.

Jason Tan
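Putting both answers together, here is an added example (not code from either answerer) that builds a Linux approximation of the OS X Public folder with the sticky bit, and also shows MikeyB's point that deleting a file depends on the directory's write bit rather than the file's. The directory path and file name are constructed for the demo; getfacl is the closest Linux analogue to ls -le and is only called if the acl tools are installed.

```shell
#!/bin/sh
# Added example: emulate a world-writable "Public" folder on Linux.
set -e

# World-writable directory with the sticky bit (chmod 1777): anyone can
# create files, but only a file's owner (or root) can delete/rename them.
make_public_dir() {
    mkdir -p "$1"
    chmod 0777 "$1"
    chmod o+t "$1"               # equivalent to chmod 1777
}

# Octal mode of a path, e.g. 1777 (GNU/busybox stat).
mode_of() { stat -c '%a' "$1"; }

# Succeeds when the directory's symbolic mode ends in t/T (sticky bit).
has_sticky() {
    case "$(stat -c '%A' "$1")" in
        d????????[tT]) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstrates that unlink needs write permission on the DIRECTORY:
# the file is mode 666, the directory is made read-only, and rm fails.
# Root bypasses this check, so the demo is skipped (returns 0) as uid 0.
delete_needs_dir_write() {
    dir="$1"; f="$dir/note.txt"     # constructed file name
    touch "$f"; chmod 0666 "$f"
    chmod a-w "$dir"
    if [ "$(id -u)" -eq 0 ]; then
        chmod u+w "$dir"; rm -f "$f"; return 0
    fi
    if rm -f "$f" 2>/dev/null; then
        chmod u+w "$dir"; return 1   # unexpected: delete succeeded
    fi
    chmod u+w "$dir"; rm -f "$f"; return 0
}

# Usage
tmp="${TMPDIR:-/tmp}/public_demo.$$"   # constructed path
make_public_dir "$tmp"
ls -ld "$tmp"                          # mode column ends in 't': drwxrwxrwt
getfacl "$tmp" 2>/dev/null || true     # Linux analogue of ls -le, if installed
delete_needs_dir_write "$tmp"
rm -rf "$tmp"
```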