This is what I want for a specific directory:
My practical use case was an ftp+web server where I wanted users to upload and create directories all they want, but protect a readme.txt in the root and a pre-made sample in the demo directory.
First of all, removing write permissions and thereby blocking any updates is easy. That follows what I consider normal logic. By setting myself as owner and removing write permission for others, that was no problem. However, to my surprise, the user could still delete the now write-protected file and directory!
The problem is that on Linux, if you have write permissions to the directory where the files reside (or owns the directory), you always have permission to delete anything in there, regardless of anything else. And you need to give the user write permissions to the directory in order for them to create new files and update the files they have created.
There are two things you need to do besides setting the right permissions of the actual file or directory that you want to protect. Make sure that you:
So let’s make a few assumptions in order to show you the commands:
Having changed to the directory in question, I do the following as root:
chmod 1775 .
chown mikael:www-data .
chown mikael:www-data readme.txt
Note that the “1” in the chmod command is what sets the sticky bit.
With the user having uploaded an image and created a directory named “test”, a listing should look like this:
drwxrwxr-t 3 mikael www-data 4096 2011-11-16 04:43 . drwxrwxr-x 5 mikael mikael 4096 2011-11-08 16:13 .. -rw-r--r-- 1 www-data www-data 79383 2011-11-16 03:51 logo.jpg -rw-r--r-- 1 mikael www-data 15 2011-11-16 04:11 readme.txt drwx---r-x 2 www-data www-data 4096 2011-11-15 17:55 test
This works just the way I want. The ftp server runs as user “www-data” and the users logging in can upload files and create directories all they want but they can’t delete “readme.txt”.
I was looking at installing and configure ACLs on Linux (Access Control Lists) to solve the problem, but since this works I didn’t have to do that.