6

I think preventing the home folder from being deleted is a very good idea. So I searched for possible approaches to do that. This is what I found:

  1. Use chattr +i /home/user - even root can't add/delete/rename the user folder and all direct children in it - good and bad.
  2. Change the owner of the user directory to root and set the sticky bit. Add a file .keep and change its owner to root too:

    chown root:user /home/user
    chmod 1775 /home/user
    touch /home/user/.keep          # create the placeholder file first
    chown root /home/user/.keep

    root can delete /home/user, user can't. But user can freely add/remove/rename files in his directory

  3. Use chattr +a /home/user - same as first approach but user can add files.

I think chattr +a on the home directory (chattr +a /home) is the best way:

  1. We can create new home folders for other users without pain.
  2. We can freely edit files in /home/user
  3. We can't accidentally sudo rm -rf /home/user

Actually the question: what are the pitfalls of this approach?

8
  • Why all that complication in (2)? Just the existence of a root-owned .keep is enough, IMHO. Commented Dec 9, 2014 at 7:55
  • @muru On Ubuntu 14.04 with ext4, just a root-owned .keep doesn't work Commented Dec 9, 2014 at 8:05
  • 1
    @muru Without a sticky bit, I could just delete the root-owned file, since I (group) have write permission over the directory. Commented Dec 9, 2014 at 8:06
  • 7
    Have you considered corporal punishment? It might be worth a shot. Commented Dec 9, 2014 at 8:12
  • 1
    @muru The sticky bit grants permissions to the parent directory owner as well as to the file owner. If user owns /home/user, he'll be able to delete .keep, even if it is owned by root under a sticky bit. Commented Dec 9, 2014 at 8:14

1 Answer

7

To remove a directory, you need write permission over its parent. Which means that as long as user can't write to /home, he won't be able to remove his own directory.

    $ chown root:root /home
    $ chmod 0755 /home

    $ chown user:user /home/user
    $ chmod 0750 /home/user

With these permissions, root is the only user who can manipulate directories immediately under /home. This setup is actually very common on Linux systems, since they are multiuser; however, I have seen Ubuntu setups in which /home belonged to the first user (usually ID 1000). While Ubuntu's first user usually is a sudoer (meaning he could delete everything using sudo), I don't think it is a good practice to give /home to anyone but root.

When it comes to chattr, I believe this would be overkill. You are facing a permissions problem, there is no need for other file attributes.

8
  • They must have been custom setups. I have never seen a /home owned by anybody other than root on Ubuntu. Commented Dec 9, 2014 at 7:54
  • chattr +a runs on /home, not on /home/user Commented Dec 9, 2014 at 8:16
  • @IRus Indeed, my bad. Edited! Using the a flag is still overkill anyway. Commented Dec 9, 2014 at 8:17
  • @JohnWHSmith But the a flag prevents sudo rm -rf /home/user. Why is it overkill? Because of performance problems or something else? Commented Dec 9, 2014 at 8:37
  • 2
    @IRus What I know is that I don't give root permissions to anyone, and I make sure that whoever has them won't be silly enough to remove a sensitive directory. If you want to remove the human factor, remove the users. The system will run just fine. Commented Dec 9, 2014 at 9:09
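
The parent-directory rule from the answer above, as an added example that is not part of the original thread: a shell function that reports whether anyone other than root could remove entries directly under a directory such as /home, including the sticky-bit case raised in the comments. It assumes GNU stat; the name audit_home_parent and the demo tree are made up for illustration.

```shell
#!/bin/sh
# Added example. Assumes GNU stat (-c), as shipped on Ubuntu.
# audit_home_parent DIR [UID]   (hypothetical helper name)
#   Returns 0 when only UID (default 0 = root) may create, remove or rename
#   entries directly under DIR; returns 1 and explains why otherwise.
audit_home_parent() {
    dir=$1
    want_uid=${2:-0}
    rc=0
    owner=$(stat -c '%u' "$dir") || return 2
    mode=$(stat -c '%a' "$dir") || return 2   # octal, e.g. 755 or 1775

    # The owner of a directory can always unlink entries in it.
    if [ "$owner" -ne "$want_uid" ]; then
        echo "FAIL: $dir is owned by uid $owner, who can remove any entry in it"
        rc=1
    fi

    # Group or other write bit set on the parent (mask 022).
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        if [ $(( 0$mode & 01000 )) -ne 0 ]; then
            # Sticky bit: removal is limited to the entry's owner and the
            # directory's owner, so a user can still remove a home he owns.
            echo "FAIL: $dir (mode $mode) is writable with sticky bit; users can remove entries they own"
        else
            echo "FAIL: $dir (mode $mode) is group/other-writable; any writer can remove any entry"
        fi
        rc=1
    fi

    if [ "$rc" -eq 0 ]; then
        echo "OK: only uid $want_uid can add or remove entries in $dir (mode $mode)"
    fi
    return "$rc"
}

# Constructed demo tree standing in for /home; on a real system run
# "audit_home_parent /home" instead.
demo=$(mktemp -d)
mkdir "$demo/user"
chmod 0775 "$demo"
audit_home_parent "$demo" "$(id -u)" || echo "=> fix: chown root:root /home && chmod 0755 /home"
rm -rf "$demo"
```

The check looks only at owner and mode bits; ACLs and chattr attributes are not inspected.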
