This is what I want for a specific directory:
My practical use case was an ftp+web server where I wanted users to upload and create directories all they want, but protect a readme.txt in the root and a pre-made sample in the demo directory.
First of all, removing write permission, and with it the ability to modify a file, is easy and follows what I consider normal logic: I made myself the owner and removed write permission for everyone else. To my surprise, however, the user could still delete the now write-protected file and directory!
The reason is that on Linux, deleting (unlinking) or renaming a file is an operation on the directory entry, not on the file itself. If you have write and search (execute) permission on the directory where the file resides, you can remove any entry in it, regardless of who owns the file or what its own permission bits say. And you have to give the user write permission on the directory, because that is what lets them create new files and directories there.
Besides setting the right permissions on the actual file or directory you want to protect, there are two things you need to do. Make sure that you set the sticky bit on the containing directory, so that an entry in it can only be removed or renamed by the entry's owner, the directory's owner or root, and that you give the protected file (and the directory itself) an owner other than the account the ftp users operate as.
So let's make a few assumptions in order to show you the commands: I am user mikael, the ftp server runs as user www-data, and the file to protect is readme.txt in the upload directory.
Having changed to the directory in question, I do the following as root:
chmod 1775 .
chown mikael:www-data .
chown mikael:www-data readme.txt
Note that the leading "1" in the four-digit mode is what sets the sticky bit; it shows up as a "t" in the last position of the directory's permission string.
With the user having uploaded an image and created a directory named "test", a listing should look like this:
drwxrwxr-t 3 mikael   www-data  4096 2011-11-16 04:43 .
drwxrwxr-x 5 mikael   mikael    4096 2011-11-08 16:13 ..
-rw-r--r-- 1 www-data www-data 79383 2011-11-16 03:51 logo.jpg
-rw-r--r-- 1 mikael   www-data    15 2011-11-16 04:11 readme.txt
drwx---r-x 2 www-data www-data  4096 2011-11-15 17:55 test
This works just the way I want. The ftp server runs as user "www-data", and the users logging in can upload files and create directories all they want, but they can't delete (or rename) "readme.txt". Keep in mind what the sticky bit does not do: all ftp users act as the same Unix account, so they can still delete each other's uploads, and "mikael" as directory owner, as well as root, can still remove anything.
I was looking at installing and configuring ACLs (Access Control Lists) on Linux to solve the problem, but since this works I didn't have to. They would not have helped here anyway: POSIX ACLs only refine the same read, write and execute checks, and deletion is still decided by write access to the directory. The other mechanism that does protect a single file is the immutable attribute (chattr +i), which blocks deletion and modification even by the owner and root until it is cleared.
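The following script is an added example, not part of the original post: it packages the chmod/chown steps above into a function, and adds a small audit that applies the Linux unlink rule (write access to the directory, plus, when the sticky bit is set, ownership of the entry or of the directory) to every entry, so you can see which files a given uid could still delete before handing the directory to the ftp users. It assumes a Linux system with GNU or busybox stat (stat -c), that the ftp account already has write and search permission on the directory (that is the whole point of the setup), and that protect_dir is run as root because of the chown calls; the names protect_dir, has_sticky, can_unlink and audit_deletable are my own.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes Linux `stat -c`.

# protect_dir DIR OWNER GROUP FILE...
# Set the sticky bit on DIR, make DIR and each FILE owned by OWNER:GROUP,
# and leave each FILE writable only by OWNER. Needs root for the chown calls.
protect_dir() {
    p_dir=$1; p_owner=$2; p_group=$3; shift 3
    chmod 1775 "$p_dir" || return 1
    chown "$p_owner:$p_group" "$p_dir" || return 1
    for p_file in "$@"; do
        chown "$p_owner:$p_group" "$p_dir/$p_file" || return 1
        chmod u=rw,go=r "$p_dir/$p_file" || return 1
    done
}

# has_sticky DIR -> exit 0 if the sticky bit is set on DIR.
# The bit shows up as 't' (or 'T' without other-execute) at the end of %A.
has_sticky() {
    case $(stat -c %A "$1" 2>/dev/null) in
        *[tT]) return 0 ;;
        *)     return 1 ;;
    esac
}

# can_unlink UID DIR ENTRY -> exit 0 if a process running as UID could
# unlink DIR/ENTRY, assuming it already has write+search on DIR.
# Without the sticky bit, directory write access is all that is needed.
# With it, UID must own the entry or the directory; root (CAP_FOWNER)
# bypasses the check entirely.
can_unlink() {
    c_uid=$1; c_dir=$2; c_entry=$3
    [ "$c_uid" -eq 0 ] && return 0
    has_sticky "$c_dir" || return 0
    c_dir_uid=$(stat -c %u "$c_dir") || return 1
    c_file_uid=$(stat -c %u "$c_dir/$c_entry") || return 1
    [ "$c_uid" -eq "$c_dir_uid" ] || [ "$c_uid" -eq "$c_file_uid" ]
}

# audit_deletable UID DIR -> print the name of every entry in DIR that
# UID could unlink. An empty result means everything in DIR is safe
# from that account.
audit_deletable() {
    a_uid=$1; a_dir=$2
    for a_path in "$a_dir"/*; do
        [ -e "$a_path" ] || [ -L "$a_path" ] || continue
        a_name=${a_path##*/}
        can_unlink "$a_uid" "$a_dir" "$a_name" && printf '%s\n' "$a_name"
    done
    return 0
}

# Usage as root in the upload directory from the post (assumed names):
#   protect_dir . mikael www-data readme.txt
#   audit_deletable "$(id -u www-data)" .    # must not list readme.txt
```

The audit only models the sticky-bit rule; it does not re-check the directory's own rwx bits or group membership for the given uid, so run it after you have confirmed the ftp account can write to the directory at all.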