This discussion is archived
4 Replies. Latest reply: Mar 13, 2013 7:24 AM by qwe25256

Solaris 11 ACL. protect a directory from being deleted

qwe25256 Newbie
Running Solaris 11 and would like to STOP users deleting their web directory ($HOME/public_html), but I want them to create, edit and delete files under that directory.

I thought the correct solution would be to have normal permissions but add a deny for delete, but it does not work.

Any ideas?

<pre>
# ls -ldV /home/andrew/public_html
drwx--x--x+ 2 andrew staff 2 May 29 17:06 /home/andrew/public_html
user:andrew:----d------Co-:-------:deny
owner@:----d------Co-:-------:deny
group:staff:--x---a-R-c--s:fd-----:allow
user:andrew:rwxp--aARWc--s:fd-----:allow
owner@:rwxp--aARWc--s:fd-----:allow
group@:--x---a-R-c--s:fd-----:allow
everyone@:--x---a-R-c--s:fd-----:allow

# $ ls -ldv /home/andrew/public_html
drwx--x--x+ 2 andrew staff 2 May 29 17:06 /home/andrew/public_html
0:user:andrew:delete/write_acl/write_owner:deny
1:owner@:delete/write_acl/write_owner:deny
2:group:staff:read_xattr/execute/read_attributes/read_acl/synchronize
    :file_inherit/dir_inherit:allow
3:user:andrew:list_directory/read_data/add_file/write_data
    /add_subdirectory/append_data/read_xattr/write_xattr/execute
    /read_attributes/write_attributes/read_acl/synchronize
    :file_inherit/dir_inherit:allow
4:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
    /append_data/read_xattr/write_xattr/execute/read_attributes
    /write_attributes/read_acl/synchronize:file_inherit/dir_inherit
    :allow
5:group@:read_xattr/execute/read_attributes/read_acl/synchronize
    :file_inherit/dir_inherit:allow
6:everyone@:read_xattr/execute/read_attributes/read_acl/synchronize
    :file_inherit/dir_inherit:allow
</pre>
  • 1. Re: Solaris 11 ACL. protect a directory from being deleted
    bobthesungeek76036 Pro
    The problem is that "public_html" is an object under "/home/andrew". All the ACLs in the world set on "public_html" won't stop it from being deleted. Deleting "public_html" is not modifying "/home/andrew/public_html", it is modifying "/home/andrew".
  • 2. Re: Solaris 11 ACL. protect a directory from being deleted
    qwe25256 Newbie
    I thought you would say that and I thought about changing the owner of the directory, but as you say if the user has full access in /home/andrew then there is no way of protecting a directory inside.

    Never mind, just need to get the stick out to remind users not to delete their webserver space.

    Thanks,

    Andrew
  • 3. Re: Solaris 11 ACL. protect a directory from being deleted
    cindys Pro
    Hi--
    "I thought the correct solution would be to have normal permissions but add a deny for delete, but it does not work."
    Try setting the delete_child permission to deny, rather than just denying the delete permission.

    Let us know the results.

    Thanks,

    Cindy
  • 4. Re: Solaris 11 ACL. protect a directory from being deleted
    qwe25256 Newbie
    Finally found a solution to this one, so thought I would post the results.

    Problem: STOP users deleting their web directory ($HOME/public_html), but I want them to create, edit and delete files under that directory.

    Here is the final ACL for the directories, which seems to solve this problem. Notes:

    1) Change owner of $HOME to some other user
    2) Make USER have most rights to the directory
    3) Deny USER all delete rights: delete_child and delete. I thought I could use just delete_child but that did not work.

    <pre>
    # ls -ldV /home/wstudent
    drwx--x--x+ 6 bin bin 16 Mar 13 13:41 /home/wstudent
    user:wstudent:----dD--------:-------:deny
    group:MScComp2012pt:--x---a-R-c--s:fd-----:allow
    user:wstudent:rwxp--aARWc--s:fd-----:allow
    owner@:rwxpdDaARWcCos:fd-----:allow
    group@:--x---a-R-c--s:fd-----:allow
    everyone@:--x---a-R-c--s:fd-----:allow
    </pre>

    4) Change owner of public_html to some other user
    5) Give USER most rights to directory except delete
    6) Deny USER delete rights.

    <pre>
    # ls -ldV /home/wstudent/public_html
    drwx--x--x+ 6 bin bin 8 Mar 13 14:02 /home/wstudent/public_html
    user:wstudent:----d---------:-------:deny
    group:MScComp2012pt:--x---a-R-c--s:fd-----:allow
    user:wstudent:rwxp-DaARWcCos:fd-----:allow
    owner@:rwxpdDaARWcCos:fd-----:allow
    group@:--x---a-R-c--s:fd-----:allow
    everyone@:--x---a-R-c--s:fd-----:allow
    </pre>

    This seems to work from Solaris 11 and Windows (Samba).

    Thanks,

    Andrew
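
An added example, not code from any poster in this thread: a small audit of compact `ls -dV` ACEs that reports a directory as protected only in the state the last post arrived at, with delete_child (D) denied on the parent and delete (d) denied on the directory itself. It is a conservative check, not a model of the full Solaris access decision; the ACLs are abridged to the user and owner entries, the group memberships are assumed, and FIRST_PARENT is constructed because the thread never shows the ACL of /home/andrew.

```python
PERMS = "rwxpdDaARWcCos"  # Solaris compact permission letters, by position

def parse_aces(text):
    """Return (who, perms, type) for each ACE that applies to the object itself."""
    aces = []
    for line in text.strip().splitlines():
        f = line.strip().split(":")
        who, perms, flags, kind = tuple(f[:-3]), f[-3], f[-2], f[-1]
        if len(perms) != len(PERMS) or kind not in ("allow", "deny"):
            raise ValueError(f"unrecognised ACE: {line!r}")
        if "i" not in flags:  # inherit_only ACEs do not apply to this object
            aces.append((who, perms, kind))
    return aces

def matches(who, user, groups, owner, group):
    if who[0] == "everyone@": return True
    if who[0] == "owner@": return user == owner
    if who[0] == "group@": return group in groups
    if who[0] == "user": return who[1] == user
    return who[0] == "group" and who[1] in groups

def decision(obj, letter, user, groups):
    """First matching ACE that sets `letter` decides; None means unspecified."""
    owner, group, acl = obj
    pos = PERMS.index(letter)
    for who, perms, kind in parse_aces(acl):
        if perms[pos] == letter and matches(who, user, groups, owner, group):
            return kind
    return None

def directory_protected(parent, target, user, groups):
    """The thread's working state: D denied on parent and d denied on target."""
    return (decision(parent, "D", user, groups) == "deny"
            and decision(target, "d", user, groups) == "deny")

# (owner, group, ACL), abridged from the posts; FIRST_PARENT is constructed.
FIRST_PARENT = ("andrew", "staff", "owner@:rwxp-DaARWcCos:-------:allow")
FIRST_TARGET = ("andrew", "staff", """user:andrew:----d------Co-:-------:deny
owner@:----d------Co-:-------:deny
owner@:rwxp--aARWc--s:fd-----:allow""")
FINAL_PARENT = ("bin", "bin", """user:wstudent:----dD--------:-------:deny
user:wstudent:rwxp--aARWc--s:fd-----:allow
owner@:rwxpdDaARWcCos:fd-----:allow""")
FINAL_TARGET = ("bin", "bin", """user:wstudent:----d---------:-------:deny
user:wstudent:rwxp-DaARWcCos:fd-----:allow
owner@:rwxpdDaARWcCos:fd-----:allow""")
if __name__ == "__main__":
    print(directory_protected(FIRST_PARENT, FIRST_TARGET, "andrew", ["staff"]))
    print(directory_protected(FINAL_PARENT, FINAL_TARGET, "wstudent", ["MScComp2012pt"]))
```

The first call reports the original attempt as unprotected because the parent still allows delete_child to its owner; the second reports the final layout as protected while the user keeps delete_child inside public_html for managing files there.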
