Imagine the following folder structure:

../documents

../documents/templates

I have two user groups:

  • editors
  • managers

Users of both groups should be able to

  • create new files
  • modify any files
  • delete any files

in ../documents.

Both groups should also be able to read any files in ../documents/templates.

Only users in group "managers" should be able to

  • create new files
  • modify any files
  • delete any files

in ../documents/templates.

The directory "../documents/templates" should be undeletable for both groups!

How can I achieve that? I came to the conclusion that this isn't possible with Linux (even with POSIX ACLs), because you need to set g=rwx for "documents", which will allow users of both groups to create/delete/modify any files in that directory... but +w also allows the deletion of the subdirectory "templates", and I don't know a way to deny that.

1 Answer

No one will be able to delete ../documents/templates if it contains anything else. So, you could create a subdirectory ../documents/templates/.hidden, with 000 permissions, and put an empty file inside that (well, before setting the 000 permissions, obviously). Then rmdir ../documents/templates will fail, as will rmdir ../documents/templates/.hidden.

Edit: to borrow from another answer that was deleted, if you're superuser, you could do this instead, which is a little simpler:

cd ../documents/templates
touch .locked
chattr +i .locked

(chattr needs to be run as superuser.)
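The following script is an added example, not part of the question or the answer above. It builds the layout the question describes in a throwaway directory, applies the "non-empty, mode 000 subdirectory" trick from the answer to `templates`, and checks that `rmdir` on `templates` fails afterwards. The `apply_acls` function sketches the POSIX ACL layout the question asks for (both groups rwx on `documents`, managers rwx and editors read-only on `templates`); it is not run by the demo because it assumes `setfacl` is installed and that groups named `editors` and `managers` exist, which is true only on the asker's system.

```shell
#!/bin/sh
# Added example (not the original post's code). Demonstrates the
# undeletable-subdirectory trick from the answer and sketches the ACLs
# from the question.
set -u

# Make $1 undeletable by non-root users: create .hidden inside it with a
# file in it, then drop all permissions on .hidden. rmdir "$1" now fails
# (directory not empty) and rm -rf "$1" fails for non-root users because
# .hidden can neither be listed nor emptied.
lock_dir() {
    dir="$1"
    mkdir -p "$dir/.hidden"
    : > "$dir/.hidden/keep"      # empty file keeps .hidden non-empty
    chmod 000 "$dir/.hidden"
}

# Return 0 if rmdir "$1" fails and the directory still exists.
is_undeletable() {
    rmdir "$1" 2>/dev/null && return 1
    [ -d "$1" ]
}

# Permission layout from the question, expressed with POSIX ACLs.
# Assumes groups "editors" and "managers" exist and setfacl is available;
# run as root on the real tree, e.g. apply_acls /srv/documents.
apply_acls() {
    root="$1"
    # documents: both groups may create, modify and delete any file.
    # The default (-d) entries make newly created files group-writable.
    chmod 770 "$root"
    setfacl -m g:editors:rwx,g:managers:rwx "$root"
    setfacl -d -m g:editors:rwx,g:managers:rwx "$root"
    # templates: managers rwx, editors read-only (r-x on the directory,
    # r-- on new files via the default entries).
    chmod 770 "$root/templates"
    setfacl -m g:managers:rwx,g:editors:r-x "$root/templates"
    setfacl -d -m g:managers:rwx,g:editors:r-x "$root/templates"
    # Alternative to lock_dir if the filesystem supports chattr (root only):
    #   touch "$root/templates/.locked" && chattr +i "$root/templates/.locked"
    lock_dir "$root/templates"
}

# Stand-alone demo in a temporary directory (no ACLs, no special groups).
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/documents/templates"
    lock_dir "$tmp/documents/templates"
    if is_undeletable "$tmp/documents/templates"; then
        echo "templates cannot be removed with rmdir"
    else
        echo "templates was removed; trick did not hold"
    fi
    # Restore permissions so the temporary tree can be cleaned up.
    chmod 700 "$tmp/documents/templates/.hidden" 2>/dev/null
    rm -rf "$tmp"
}

demo
```

Note that `lock_dir` relies on `.hidden` being owned by an account the two groups cannot act as (root, or a dedicated admin user); a user who owns `.hidden` could simply `chmod` it back. Also, `+w` on `documents` still lets group members rename `templates`, which neither the ACL nor the trick prevents; only the immutable-file variant with `chattr +i` blocks renames as well as deletion.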
