Linux file permissions to only delete owned files

2011-11-18
Coming from a Windows background, I was surprised to find out that when it comes to Linux file permissions, a user can delete a file that they don't own and have no write permissions to. Well, that is the default behavior if you don't set up your ownership and permissions exactly correct. Find out how here.

The goal

This is what I want for a specific directory:

My practical use case was an ftp+web server where I wanted users to upload and create directories all they want, but protect a readme.txt in the root and a pre-made sample in the demo directory.

First of all, removing write permissions and thereby blocking any updates is easy. That follows what I consider normal logic. By setting myself as owner and removing write permission for others, that was no problem. However, to my surprise, the user could still delete the now write-protected file and directory!

The problem is that on Linux, if you have write permissions to the directory where the files reside (or owns the directory), you always have permission to delete anything in there, regardless of anything else. And you need to give the user write permissions to the directory in order for them to create new files and update the files they have created.

The solution

There are two things you need to do besides setting the right permissions of the actual file or directory that you want to protect. Make sure that you:

So let’s make a few assumptions in order to show you the commands:

Having changed to the directory in question, I do the following as root:

chmod 1775 .
chown mikael:www-data .
chown mikael:www-data readme.txt

Note that the “1” in the chmod command is what sets the sticky bit.

With the user having uploaded an image and created a directory named “test”, a listing should look like this:

drwxrwxr-t 3 mikael   www-data  4096 2011-11-16 04:43 .
drwxrwxr-x 5 mikael   mikael    4096 2011-11-08 16:13 ..
-rw-r--r-- 1 www-data www-data 79383 2011-11-16 03:51 logo.jpg
-rw-r--r-- 1 mikael   www-data    15 2011-11-16 04:11 readme.txt
drwx---r-x 2 www-data www-data  4096 2011-11-15 17:55 test

This works just the way I want. The ftp server runs as user “www-data” and the users logging in can upload files and create directories all they want but they can’t delete “readme.txt”.

I was looking at installing and configure ACLs on Linux (Access Control Lists) to solve the problem, but since this works I didn’t have to do that.

 

One Response to “Linux file permissions to only delete owned files”

  1. Hassaan says:

    This doesn’t work for me. I can delete the file from any user even if that is not the owner of the file

Leave a Reply

Twitter: @mikeplate