Is it possible to make a file that has full permissions for everybody but is impossible to delete?
Without using sudo, preferably?
No, this is not possible. Impossible for normal users to delete a file: sure.
You will need sudo to prevent users from deleting files. Your administrator will -always- be able to delete a file. sudo chattr +i test can prevent deletion but does require sudo. A simple sudo chattr -i test makes it possible to remove the file. No other user than admin can use chattr.
And... simply rebooting and going into rescue mode will allow that person to be able to delete that file. It would be a security risk if there was a method to never be able to delete a file.
It's a little crude, but this is close - if you remove write access on the directory, files inside it can't be deleted. And it doesn't require sudo if you own it:
=^_^= izkata@izein:~$ mkdir test
=^_^= izkata@izein:~$ touch test/delme
=^_^= izkata@izein:~$ chmod a-w test
=^_^= izkata@izein:~$ echo 'Hello' > test/delme
=^_^= izkata@izein:~$ cat test/delme
Hello
=^_^= izkata@izein:~$ rm test/delme
rm: cannot remove `test/delme': Permission denied
So you can set permissions on the file itself however you want.
Also, as stated by @Rinzwind, there are certainly many ways around it.
To delete a file, you need write permission to all the directories that file is linked to. To unlink it from one directory, you need write permission to that directory.
So as long as you give write permission (or even ownership) to the file but not to the directory or directories that file is linked to, that file can't be deleted.
The best way to achieve it would be to link that file to a directory that is owned by root and that is not writeable by anybody. You could make it owned by you instead which would mean both you and root could delete it.
That would still allow other users to link that file to other directories and unlink it from there thereafter, but they still wouldn't be able to delete the file as they would be able to unlink it from your own directory.
Note that for that to work fully, the writing permission of every path component to the file would have to be controlled. Because for instance if the file is /a/b/the-file and you have /a/b not writeable by anybody but everybody has write access to /a, then they could rename /a/b to something else and recreate their own /a/b and create their own /a/b/the-file there.
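An added example, not part of the answer above: a shell function that walks every directory from the file's parent up to / and prints those whose mode bits grant write access to group or others, which is the condition the path-component caveat describes. The name writable_ancestors is made up for this example; it reads mode bits only and ignores ownership and ACLs.

```shell
#!/bin/sh
# Added example (not from the original answers).
# writable_ancestors FILE
#   Prints "<mode> <dir>" for each directory on the physical path to FILE
#   that group or others may write to. Anyone with write access to such a
#   directory can rename or unlink the entry below it, including a parent
#   directory of FILE, as in the /a/b/the-file case.
#   Returns 0 if nothing was printed, 1 if something was, 2 on error.
writable_ancestors() {
    local target dir mode found
    target=$1
    found=0
    # Resolve symlinks so the real directories are the ones inspected.
    dir=$(cd "$(dirname -- "$target")" && pwd -P) || return 2
    while :; do
        # First 10 characters of ls -ld: type, then rwx for user/group/other.
        mode=$(ls -ld -- "$dir" | cut -c1-10)
        case $mode in
            # Sticky bit (t/T in column 10, e.g. /tmp): only the entry's
            # owner, the directory's owner or root may rename/unlink there.
            ?????w???[tT]|????????w[tT]) ;;
            # Column 6 is group write, column 9 is other write.
            ?????w????|????????w?)
                printf '%s %s\n' "$mode" "$dir"
                found=1 ;;
        esac
        if [ "$dir" = / ]; then
            break
        fi
        dir=$(dirname -- "$dir")
    done
    return "$found"
}

# Stand-alone use: sh script.sh /a/b/the-file
if [ "$#" -gt 0 ]; then
    writable_ancestors "$1"
fi
```

An empty result means no directory on the path is writable by group or others according to its mode bits; the owner of each directory and root can still rename or unlink entries in it.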
Try:
chattr +i filename
Doing this though, will make the file undelete-able even by the root user - use with caution.