Linux directory permissions read write but not delete

Is it possible to setup directory permissions such that a group is able to read and write files and subdirectories but not delete anything?


Solution 1:

It might be enough to set the sticky bit on the directories. Users will be able to delete any files they own, but not those of other users. This may be enough for your use case. On most systems, /tmp is setup this way (/tmp is set 1777)

chmod 1775 /controlled

However, If you want more control, you'll have to enable ACL on the filesystem in question.

In /etc/fstab, append acl to the flags:

/dev/root        /                       ext3    defaults,acl       1 1

You can then use setfacl/getfacl to control and view acl level permissions.

Example: (Create files, once written, they are read only, but CAN be deleted by owner, but not others.)

setfacl --set u::rwxs,g::rwx /controlled
setfacl -d --set u::r-x,g::r-x,o::- /controlled

You can set a default acl list on a directory that will be used by all files created there.

As others have noted, be careful to specify exactly what you want. You say "write" - but can users overwrite their own files? Can they change existing content, or just append? Once written, it's read only? Perhaps you can specify more detail in the comments.

Lastly, selinux and grsecurity provide even more control, but that's a whole other can of worms. It can be quite involved to setup.

Solution 2:

Well, it would be r-x for this directory.

And files in it would have rw-.

This is because a file can be written if its permissions allow Write, but it can only be deleted if its directory's permissions allow Write.