Results 1 to 6 of 6

Thread: upload but not delete permission

  1. #1
    Join Date
    Jul 2014
    Beans
    314

    Question upload but not delete permission

    Hi all,
    Our admin is on sick leave and I'm trying to help.
    Got peculiar task to give upload but not delete permission (it's vsftpd if matters, but permission is for regular linux user). Obviously, person who assigned this task is not any linux user.

    I understand how to provide write permission:
    Code:
    setfacl -R -m u:user1:rwx /sftp/folder1
    But what in the world does it mean "not delete"?

    Please advise.
    Last edited by marchello_lippi2; December 13th, 2019 at 01:17 AM.

  2. #2
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    Hidden!
    Distro
    Ubuntu Mate 16.04 Xenial Xerus

    Re: upload but not delete permission

    Really, using ACLs shouldn't be needed for 99.99999% of all permissions. The normal chmod method is sufficient with a little pre-thought. I've been a Unix admin 25 yrs and used ACLs 2 times in all those years.

    There aren't separate permissions for create and delete in Unix. For that, you need Novell Netware.

    Usually the way this is addressed is by allowing new files to be uploaded to a directory, but not allowing any users read access to that same directory. After the upload finishes, using something like inotify, the new file would be processed to ensure it isn't a virus or malware, then moved to a different directory where no users can remove it, but can read the safe file, if that is desired. I'd move the original upload file somewhere else completely so it could be archived and tagged with the upload userid should malware or a virus be traced back to that user later. It is important to have traceability.
    That's how I would handle this problem.

    BTW, I'm curious. Is this really plain FTP or is it sftp or FTPS? They are very different underneath. Plain FTP should have died around 2002. vsftpd supports plain FTP and FTPS, which is different from sftp. Eh - no matter. Just curious.

  3. #3
    Join Date
    Jul 2014
    Beans
    314

    Re: upload but not delete permission

    Quote Originally Posted by TheFu View Post
    moved to a different directory where no users can remove it, but can read
    That's exactly what I had in my mind, but needed to confirm that linux doesn't provide "write but not delete privileges".
    Thanks.

  4. #4
    Join Date
    Jul 2014
    Beans
    314

    Re: upload but not delete permission

    Quote Originally Posted by TheFu View Post
    is it sftp
    It's sftp. I created .pem file and mentioned it in vsftpd configuration. Can't tell deeper, I'm not pro here, just helping our admin.

  5. #5
    Join Date
    Nov 2008
    Location
    Metro Boston
    Beans
    14,695
    Distro
    Kubuntu Development Release

    Re: upload but not delete permission

    You can protect a file saved to a shared directory from being deleted by other users with rights to the shared directory using something called the "sticky" bit. I don't know of any way to allow a user to upload but not delete a file he or she creates.

    If the files were transferred using Samba, you can use the "create mode" directive to allow uploads without deletes to a Samba share.
    If you ask for help, do not abandon your request. Please have the courtesy to check for responses and thank the people who helped you.

    Blog · Linode System Administration Guides · Android Apps for Ubuntu Users

  6. #6
    Join Date
    Jul 2014
    Beans
    314

    Re: upload but not delete permission

    Quote Originally Posted by SeijiSensei View Post
    You can protect a file saved to a shared directory from being deleted by other users with rights to the shared directory using something called the "sticky" bit. I don't know of any way to allow a user to upload but not delete a file he or she creates.

    If the files were transferred using Samba, you can use the "create mode" directive to allow uploads without deletes to a Samba share.
    Thanks, I explained them about operating system limitation and they clarified the task, so that "upload but not delete" is not needed anymore. They are ok with just read/write for one group of users and read-only for the other one. Grin.

Tags for this Thread

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •