4 Replies Latest reply: Mar 13, 2013 9:24 AM by Andrew Watkins

    Solaris 11 ACL. protect a directory from being deleted

    Andrew Watkins
      Running Solaris 11 and would like to STOP users deleting their web directory ($HOME/public_html), but I want them to create, edit and delete files under that directory.

      I thought the correct solution would be to have normal permissions but add a deny for delete, but it does not work.

      Any ideas?

      <pre>
      # ls -ldV /home/andrew/public_html
      drwx--x--x+ 2 andrew staff 2 May 29 17:06 /home/andrew/public_html
      user:andrew:----d------Co-:-------:deny
      owner@:----d------Co-:-------:deny
      group:staff:--x---a-R-c--s:fd-----:allow
      user:andrew:rwxp--aARWc--s:fd-----:allow
      owner@:rwxp--aARWc--s:fd-----:allow
      group@:--x---a-R-c--s:fd-----:allow
      everyone@:--x---a-R-c--s:fd-----:allow

      # $ ls -ldv /home/andrew/public_html
      drwx--x--x+ 2 andrew staff 2 May 29 17:06 /home/andrew/public_html
      0:user:andrew:delete/write_acl/write_owner:deny
      1:owner@:delete/write_acl/write_owner:deny
      2:group:staff:read_xattr/execute/read_attributes/read_acl/synchronize
      :file_inherit/dir_inherit:allow
      3:user:andrew:list_directory/read_data/add_file/write_data
      /add_subdirectory/append_data/read_xattr/write_xattr/execute
      /read_attributes/write_attributes/read_acl/synchronize
      :file_inherit/dir_inherit:allow
      4:owner@:list_directory/read_data/add_file/write_data/add_subdirectory
      /append_data/read_xattr/write_xattr/execute/read_attributes
      /write_attributes/read_acl/synchronize:file_inherit/dir_inherit
      :allow
      5:group@:read_xattr/execute/read_attributes/read_acl/synchronize
      :file_inherit/dir_inherit:allow
      6:everyone@:read_xattr/execute/read_attributes/read_acl/synchronize
      :file_inherit/dir_inherit:allow
      </pre>
        • 1. Re: Solaris 11 ACL. protect a directory from being deleted
          bobthesungeek76036
          The problem is that "public_html" is an object under "/home/andrew". All the ACLs in the world set on "public_html" won't stop it from being deleted. Deleting "public_html" is not modifying "/home/andrew/public_html", it is modifying "/home/andrew".
          • 2. Re: Solaris 11 ACL. protect a directory from being deleted
            Andrew Watkins
            I thought you would say that and I thought about changing the owner of the directory, but as you say if the user has full access in /home/andrew then there is no way of protecting a directory inside.

            Never mind, just need to get the stick out to remind users not to delete their webserver space.

            Thanks,

            Andrew
            • 3. Re: Solaris 11 ACL. protect a directory from being deleted
              Cindys-Oracle
              Hi--
              I thought the correct solution would be to have normal permissions but add a deny for delete, but it does not work.
              Try setting the delete_child permission to deny, rather than just denying the delete permission.

              Let us know the results.

              Thanks,

              Cindy
              • 4. Re: Solaris 11 ACL. protect a directory from being deleted
                Andrew Watkins
                Finally found a solution to this one, so thought I would post the results.

                Problem: STOP users deleting their web directory ($HOME/public_html), but I want them to create, edit and delete files under that directory.

                Here is the final ACL for the directories, which seems to solve this problem. Notes:

                1) Change owner of $HOME to some other user
                2) make USER have most rights to the directory
                3) deny USER all delete rights: delete_child and delete. I thought I could use just delete_child but that did not work.

                <pre>
                # ls -ldV /home/wstudent
                drwx--x--x+ 6 bin bin 16 Mar 13 13:41 /home/wstudent
                user:wstudent:----dD--------:-------:deny
                group:MScComp2012pt:--x---a-R-c--s:fd-----:allow
                user:wstudent:rwxp--aARWc--s:fd-----:allow
                owner@:rwxpdDaARWcCos:fd-----:allow
                group@:--x---a-R-c--s:fd-----:allow
                everyone@:--x---a-R-c--s:fd-----:allow
                </pre>

                4) Change owner of public_html to some other user
                5) Give USER most rights to directory except delete
                6) Deny USER delete rights.

                <pre>
                # ls -ldV /home/wstudent/public_html
                drwx--x--x+ 6 bin bin 8 Mar 13 14:02 /home/wstudent/public_html
                user:wstudent:----d---------:-------:deny
                group:MScComp2012pt:--x---a-R-c--s:fd-----:allow
                user:wstudent:rwxp-DaARWcCos:fd-----:allow
                owner@:rwxpdDaARWcCos:fd-----:allow
                group@:--x---a-R-c--s:fd-----:allow
                everyone@:--x---a-R-c--s:fd-----:allow
                </pre>

                This seems to work from Solaris 11 and Windows (Samba).

                Thanks,

                Andrew
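As an added example (not code from the thread or from Solaris), the script below decodes the compact permission column that `ls -V` prints and replays the delete decision ZFS makes for an unprivileged user: delete_child on the parent is consulted first, then delete on the target, then an explicit delete_child deny on the parent refuses, and otherwise write_data plus execute on the parent is enough. Run against the ACLs quoted above it shows why the first attempt (a deny on public_html alone) did not hold while the final owner-change-plus-deny setup does, yet files inside public_html stay deletable. Assumptions: the /home/andrew ACL and the file ACL are constructed (a plain mode-bit $HOME and an inherited allow entry), and group ACEs are not modelled because in the thread they grant only execute and attribute reads.

```python
# Added example (not the thread's own code): replay the ZFS delete rule on the thread's ACLs.
# Letters in the order `ls -V` prints them; the thread's -v listings give the long names.
PERM_NAMES = ("read_data", "write_data", "execute", "append_data", "delete",
              "delete_child", "read_attributes", "write_attributes", "read_xattr",
              "write_xattr", "read_acl", "write_acl", "write_owner", "synchronize")

def parse_acl(text):
    """Whitespace-separated ACE lines -> [(who, {perm, ...}, 'allow'|'deny'), ...]."""
    aces = []
    for ace in text.split():
        f = ace.split(":")          # who may itself contain ':' (user:andrew)
        aces.append((":".join(f[:-3]), {n for c, n in zip(f[-3], PERM_NAMES) if c != "-"}, f[-1]))
    return aces

def decide(node, user, perm):
    """First ACE naming perm that applies to user wins; None if no ACE mentions it.
    node = (aces, owner). Group ACEs are not modelled (assumption, see lead-in)."""
    aces, owner = node
    for who, perms, kind in aces:
        if perm in perms and (who == "everyone@" or who == "user:" + user
                              or (who == "owner@" and user == owner)):
            return kind == "allow"
    return None

def can_delete(parent, target, user):
    """ZFS order: parent delete_child allow or target delete allow -> permit; explicit
    parent delete_child deny -> refuse; else need write_data + execute on the parent."""
    dc = decide(parent, user, "delete_child")
    if dc or decide(target, user, "delete"):
        return True
    if dc is False:
        return False
    return bool(decide(parent, user, "write_data") and decide(parent, user, "execute"))

# Constructed: a mode-only 711 $HOME owned by andrew, the public_html ACL from the
# first post, the final /home/wstudent ACLs, and a file wstudent created inside.
HOME_ANDREW = (parse_acl("owner@:rwxp--aARWc--s:-------:allow"), "andrew")
PUBLIC_ANDREW = (parse_acl("user:andrew:----d------Co-:-------:deny "
                           "user:andrew:rwxp--aARWc--s:fd-----:allow"), "andrew")
HOME_W = (parse_acl("user:wstudent:----dD--------:-------:deny "
                    "user:wstudent:rwxp--aARWc--s:fd-----:allow"), "bin")
PUBLIC_W = (parse_acl("user:wstudent:----d---------:-------:deny "
                      "user:wstudent:rwxp-DaARWcCos:fd-----:allow"), "bin")
FILE_W = (parse_acl("user:wstudent:rw-p--aARWcCos:-------:allow"), "wstudent")

def first_attempt():   # deny on public_html alone: andrew can still remove it
    return can_delete(HOME_ANDREW, PUBLIC_ANDREW, "andrew")

def final_setup():     # (public_html removable?, file inside it removable?)
    return (can_delete(HOME_W, PUBLIC_W, "wstudent"),
            can_delete(PUBLIC_W, FILE_W, "wstudent"))
```

The owner change matters independently of the ACEs: a user who owns the directory can always rewrite its ACL, so a deny entry on a directory the user owns is only advisory.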