Linux: Group permissions where users have read and write but can't delete each other's files

I want to create a shared folder on my Debian server so that users can create and edit files, but not be able to delete each other's files in that directory.

/home/sharedfolder

Users that can read and write files in the folder are in a group: work

I tried a few permission commands like these, but am still not succeeding:

setfacl -dm u::rwx,g::rwx,o::r /shared/directory

How can I achieve what I want?


The classical solution for shared folders is the sticky bit, which prevents users from deleting each other's files. The best example is the /tmp directory.

Therefore, set the following ownership:

chown root:work /shared/directory

and permissions:

chmod 3775 /shared/directory

I'd recommend the following POSIX ACL:

setfacl -dm u::rwX,g::rwX,o::rX /shared/directory

Only users of group work can edit newly created files and dirs, but they cannot delete each other's files.


Explanation for Dipanshu Chaubey after more than 5 years :)

-d – default option for newly created files and folders within /shared/directory. It means that the specified default ACL will be applied to all newly created stuff within this folder. This option is not applicable to files. You can also specify this option in the form d:u:admin:rw:

setfacl -m d:u:admin:rw,g::rwX,o::rX /shared/directory

where the default option will be applied only to the user permissions, but not to the group or others' permissions.

u::rwX – the username is omitted here. It means that additional ACLs for a new file or folder will be applied with the creator's ownership (see the remark at the end of my explanation). The same goes for groups. If the file exists, additional ACLs will be applied to the owner (or group) of the file. Obviously, others are always followed by two colons.

x – small x means the executable bit for files and expandability for folders. Normally it is not what you want, especially when processing files and folders recursively with the -R option.

X – big X serves two purposes. For files, it is used when you don't want to set the executable bit on existing files if it wasn't set. If the executable bit has already been set then it remains unchanged. For folders it is used only to add the x-bit to them.

Also, to clarify things, all newly created files and folders will be seen in your system with the user and group permissions of the creator, but IN ADDITION all this stuff will bear extra ACLs, which are denoted by a + sign after the permissions in your terminal, like this:

drwxrwsr-t+ admin admin
-rw-rw-r--+ admin vagrant

So, it is impossible to know what the real permissions are just by glancing. You have to use the getfacl file command to get all the extra ACL information.