How to give permissions to read write but not delete the file
I want to give users the ability to create, write and read files in another user's directory, but not to have the option to delete the file after it is created (sticky bit is not going to work here...).

For example:

I have user manager with directory repository.
I have user worker1 that needs to write files to /manager/repository but can't delete the files.
I have user worker2 that needs to write files to /manager/repository but can't delete the files.
I have user worker3 that needs to write files to /manager/repository but can't delete the files.
But worker 1-2-3 can't delete the files after they are created; only manager and root can delete the files worker 1-2-3 created.

I tried a few chown and chmod tricks with applying the sticky bit, without success.

Tags: files, permissions
asked Sep 7 '16 at 8:50 by user63898, edited Sep 7 '16 at 10:59 by fd0
Do the worker* users write to the directory in a certain way? You mentioned in a comment that log files go here, so does that mean a certain executable is launched to create files here? If so you could give the worker group sudo permission to run the executable as manager. Then the executable would create logs as the manager user that could be readable by the workers.
– Centimane
Sep 7 '16 at 18:19
If the user can modify the file then they can also erase its content, thus effectively "deleting" it. Looks like you need some sort of "submission" interface, not filesystems. Emails would be the simplest.
– ybungalobill
Mar 9 at 0:29
5 Answers
To take write permissions from the /manager/repository folder. So, all the users who are not root will be able to write or delete from the files inside /manager/repository, but not to delete any file from this directory.
chmod 755 /manager/repository

we can modify the files and folders but can't delete.
To remove the attributes, run the following commands:
For files:
$ sudo chattr -R -a file.txt
For directories:
$ sudo chattr -R -a dir1/
New contributor
(1) According to the documentation, the a attribute means append-only. Can users edit these files? (2) What is the effect of setting the a attribute on a directory?
– Scott
10 mins ago

Unlike Windows there is no distinct delete permission under Unix/Linux. The right to delete (or create or rename) a file is bound to the containing directory. Remove the write permission for the workers on /manager/repository/ in order to deny the workers to create, delete, and rename files.
Note that it is not possible to permit creation of files but to deny their deletion.
answered Sep 7 '16 at 11:10 by countermode

how can remove the write permission as the file will be written all the time it is log file
– user63898
Sep 7 '16 at 11:24
While that used to be true, many modern systems support extended ACLs (NFSv4 ACLs as supported by FreeBSD, Solaris or Linux (Richacl patch)) that give similar capabilities as Windows NT ACLs. Your stock Linux distribution is likely not to have it though.
– Stéphane Chazelas
Sep 7 '16 at 12:14
@user63898 you remove write permissions from the directory the file's in, not from the file itself.
– GnP
Sep 7 '16 at 12:30
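
The rule stated in the answer above (creating, deleting and renaming are all governed by the containing directory) can be modelled and checked exhaustively. This is an added example, not code from the thread: it considers only the traditional mode bits (no ACLs, no chattr attributes), takes the group name users and mode 1775 from the ls -ld output quoted elsewhere in this thread, and assumes worker1 is a member of that group.

```shell
#!/bin/sh
# Added example (not from the thread): a model of the traditional Unix rule
# that decides whether a user may create or unlink an entry in a directory.
# Only the directory's mode bits are considered; POSIX/NFSv4 ACLs and file
# attributes (chattr) are outside the model.

# Set TRIPLET to the rwx bits (0-7) that apply to USER on the directory.
# The first matching class wins: owner, then group, then other.
# args: MODE(octal) DIR_OWNER DIR_GROUP USER "USER_GROUPS"
dir_triplet() {
    _mode=$((0$1))
    if [ "$4" = "$2" ]; then
        TRIPLET=$(( (_mode >> 6) & 7 )); return 0
    fi
    for _g in $5; do
        if [ "$_g" = "$3" ]; then
            TRIPLET=$(( (_mode >> 3) & 7 )); return 0
        fi
    done
    TRIPLET=$(( _mode & 7 ))
}

# Creating an entry needs write (2) and search (1) on the directory.
can_create() {
    if [ "$4" = root ]; then return 0; fi
    dir_triplet "$1" "$2" "$3" "$4" "$5"
    [ $(( TRIPLET & 3 )) -eq 3 ]
}

# Unlinking needs the same w+x on the directory. With the sticky bit (01000)
# set, the caller must additionally own the file or the directory.
# args: as above, plus FILE_OWNER as the sixth argument
can_delete() {
    if [ "$4" = root ]; then return 0; fi
    can_create "$1" "$2" "$3" "$4" "$5" || return 1
    if [ $(( 0$1 & 01000 )) -ne 0 ]; then
        [ "$4" = "$6" ] || [ "$4" = "$2" ] || return 1
    fi
    return 0
}

# Count the directory modes (sticky bit + 9 rwx bits, 0 to 01777) under which
# worker1 can create a file in manager's directory but cannot delete the
# file it just created.
count_create_without_delete() {
    _n=0
    _m=0
    while [ "$_m" -le 1023 ]; do        # 1023 decimal = 01777 octal
        _oct=$(printf '%o' "$_m")
        if can_create "$_oct" manager users worker1 users &&
           ! can_delete "$_oct" manager users worker1 users worker1; then
            _n=$((_n + 1))
        fi
        _m=$((_m + 1))
    done
    echo "$_n"
}

# The modes that come up in this thread, evaluated for worker1.
for mode in 1775 775 755; do
    if can_create "$mode" manager users worker1 users; then c=yes; else c=no; fi
    if can_delete "$mode" manager users worker1 users worker1; then d=yes; else d=no; fi
    echo "mode $mode: worker1 create=$c delete-own-file=$d"
done
echo "modes allowing create but not delete of own file: $(count_create_without_delete)"
```

The sticky bit only protects files owned by someone else, which is why it does not help here: each worker owns the files it creates.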

First of all make sure ACL is enabled in your system, then run this command
setfacl -d -R -m user::rwx,user:worker1:---,user:worker2:---,user:worker3:--- /manager/repository
How it works
This command will give read, write and execute permissions for the owner on the directory /manager/repository. It will revoke all permissions for worker1, worker2 and worker3. This will give other users read & write access but will deny the delete access.
From man setfacl:
-d, --default
All operations apply to the Default ACL.
-R, --recursive
Apply operations to all files and directories recursively.
-m, --modify
Options to modify the ACL of a file or directory.
answered Sep 7 '16 at 9:31 by Rahul, edited Sep 7 '16 at 9:37

Thanks, but the problem is that users are created all the time, and some are deleted by the admin. So that means I need to update the directory with the setfacl each time? Is there any more generic solution?
– user63898
Sep 7 '16 at 9:55
Yes, when I try to create a file from worker1 with touch /manager/repository/x.txt I'm getting: touch: cannot touch `/manager/repository/x.txt': Permission denied
– user63898
Sep 7 '16 at 10:21
Still getting Permission denied. When I do ls -ld repository I'm getting: drwxrwxr-t 2 manager users 4096 Sep 7 11:30 repository/
– user63898
Sep 7 '16 at 10:48
When doing setfacl -d -R -m user::rwx,user:worker1:--- repository/ and then trying to create a file from worker1 with touch /manager/repository/x.txt I'm getting: touch: cannot touch ` /manager/repository/x.txt': Permission denied
– user63898
Sep 7 '16 at 11:03
Wouldn't this still allow someone to write an empty file here? Like echo " " > $file would clobber the file contents with " ", which is technically a write, but effectively deletes the contents. It seems like an actual repo like svn would be the best bet here.
– Centimane
Sep 7 '16 at 18:14
To do that with permissions, you'd need a system with support for ACLs similar to NFSv4 ACLs. For instance, on FreeBSD, if the filesystem is mounted with the nfsv4acls
flag, you can do:
mkdir testdir
chown manager:worker-group testdir
chmod 775 testdir
setfacl -m group@:D::deny testdir
To explicitly deny the delete_child
permission to members of the worker-group
group.
However note that since the workers would be owners of the files they create, they would still be able to modify the ACLs on them, and by granting themselves the delete
permission, that would take precedence over the delete_child
permission of the parent directory and I'm not sure there's a way around that (at least on UFS filesystems on FreeBSD). For instance they could do:
$ touch file
$ rm -f file
rm: file: Operation not permitted
$ setfacl -m owner@:d::allow file
$ rm -f file
$
edited Sep 7 '16 at 21:03
answered Sep 7 '16 at 14:16
Stéphane Chazelas
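A defender-side check for the gap described in the answer above, as an added example that is not part of the original post: it reads `getfacl` output and reports whether the directory still denies delete_child to group@ and which files carry an allow entry for delete. The sample output, the file names under testdir, the users worker1 and worker2, and the function names are assumptions constructed for illustration.

```python
# Constructed sample of FreeBSD `getfacl` output for NFSv4 ACLs (names illustrative).
# Permission letters, in order: r w x p D d a A R W c C o s
SAMPLE = """\
# file: testdir
# owner: manager
# group: worker-group
            group@:----D---------:-------:deny
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow

# file: testdir/report.log
# owner: worker1
            owner@:rw-p--aARWcCos:-------:allow
            group@:r-----a-R-c--s:-------:allow

# file: testdir/scratch
# owner: worker2
            owner@:-----d--------:-------:allow
            owner@:rw-p--aARWcCos:-------:allow
"""

def parse_getfacl(text):
    """Return {path: [(who, perms, ace_type), ...]} preserving ACE order."""
    acls, path = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("# file:"):
            path = line.split(":", 1)[1].strip()
            acls[path] = []
        elif line and not line.startswith("#") and path is not None:
            who, perms, _flags, ace_type = line.rsplit(":", 3)
            acls[path].append((who, perms, ace_type))
    return acls

def first_decision(aces, who, bit):
    """NFSv4 ACEs are evaluated in order: the first ACE for `who` naming `bit` decides."""
    for w, perms, ace_type in aces:
        if w == who and bit in perms:
            return ace_type
    return None

def audit(text, directory):
    """Return (directory still denies delete_child to group@, files that allow delete)."""
    acls = parse_getfacl(text)
    dir_ok = first_decision(acls.get(directory, []), "group@", "D") == "deny"
    regranted = sorted(
        path for path, aces in acls.items()
        if path != directory
        and any(first_decision(aces, w, "d") == "allow" for w, _p, _t in aces)
    )
    return dir_ok, regranted

if __name__ == "__main__":
    print(audit(SAMPLE, "testdir"))
```

Run periodically against real `getfacl` output for the shared directory and its contents, a non-empty second value lists the files whose ACL has been changed to permit deletion.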
To take write permissions from the /manager/repository folder. So, all the users who are not root will be able to write or delete from the files inside /manager/repository, but not to delete any file from this directory.
chmod 755 /manager/repository
edited Aug 21 '18 at 5:18
slm♦
answered Aug 21 '18 at 4:57
Josef Klimuk
we can modify the files and folders but can't delete.
To remove the attributes, run the following commands:
For files:
$ sudo chattr -R -a file.txt
For directories:
$ sudo chattr -R -a dir1/
edited 43 mins ago
Jeff Schaller♦
answered 2 hours ago
Ankitsrivasta
(1) According to the documentation, the a attribute means append-only. Can users edit these files? (2) What is the effect of setting the a attribute on a directory?
– Scott
10 mins ago
1
Do the worker* users write to the directory in a certain way? You mentioned in a comment that log files go here, so does that mean a certain executable is launched to create files here? If so you could give the worker group sudo permission to run the executable as manager. Then the executable would create logs as the manager user that could be readable by the workers.
– Centimane
Sep 7 '16 at 18:19
If the user can modify the file then they can also erase its content, thus effectively "deleting" it. Looks like you need some sort of "submission" interface, not filesystems. Emails would be the simplest.
– ybungalobill
Mar 9 at 0:29