0

Is it possible to set the permissions of an NFS share to allow creation and moving of files, but not the editing or deletion of them?

Moving is also only allowed if it stays on the same share.

Achieving this with wrapper applications would be fine, as long as I can execute them with my client, which uses Nautilus.

Allowed operations:

  • mv /mnt/share/file /mnt/share/file2
  • mv /mnt/share/file /mnt/share/folder/file
  • touch /mnt/share/file3

Disallowed operations:

  • mv /mnt/share/file ~
  • rm /mnt/share/file
  • echo test > /mnt/share/file
  • echo test >> /mnt/share/file

BOTH LISTS ARE NOT EXHAUSTIVE

The server is my NAS running stock Arch Linux (pretty current, updates every few days).

Hosts are mostly my own computers, but I don't trust every program I run. And to prevent crypto malware, I want to disable the deletion of files, so such malware can only create the encrypted files, but can't delete the original ones.

13
  • What do you mean by "moving of files"? Renaming? If you can rename a file or move a file, you can effectively edit or delete it. (In fact, in UNIX, moving is often implemented as a kind of remove.) On a local filesystem in Linux, a file may be marked "immutable", but that means it cannot either be moved or renamed. In theory, Nautilus plugins can achieve the desired effect, assuming users cannot access NFS in any other way. Commented Apr 6, 2016 at 16:03
  • @Otheus First, they can (via console), and by moving I mean renaming or changing the path, as long as it stays on the disk. I'll add an example. Commented Apr 6, 2016 at 16:04
  • 1
    Just maintain a list of md5 sums on the share, and if some file goes missing, move it back from a backup. That is not an NFS solution, you'll need to write a daemon to monitor it, and it -might- have an impact on performance. Commented Apr 6, 2016 at 17:22
  • @MikhailKrutov This is not acceptable, because I don't see if a file was simply moved on the share. The only way to notice this is to create the hashes for every file anew. Commented Apr 6, 2016 at 17:32
  • @Armin Yep, that's what I've meant - every time something changes, md5 it. Also, unix.stackexchange.com/questions/92013/… Commented Apr 6, 2016 at 17:34
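
The hash-monitoring idea from the comments above, as an added example (not code from any of the posters): it compares two content-hash snapshots of the share so that a move within the share is told apart from a deletion or an edit. It uses SHA-256 in place of the md5 mentioned in the comment, and the function names and the sample tree are constructed for illustration.

```python
import hashlib
import os
import tempfile

def snapshot(root):
    """Map each file's path (relative to root) to the SHA-256 of its content."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def classify(old, new):
    """Diff two snapshots: created/moved fit the policy, modified/deleted violate it."""
    fresh = {}  # content hash -> paths that exist only in the new snapshot
    for path in sorted(set(new) - set(old)):
        fresh.setdefault(new[path], []).append(path)
    report = {"created": [], "moved": [], "modified": [], "deleted": []}
    for path in sorted(old):
        if path in new:
            if new[path] != old[path]:
                report["modified"].append(path)
        elif fresh.get(old[path]):
            # Same bytes at a new path: a rename. Identical files are matched arbitrarily.
            report["moved"].append((path, fresh[old[path]].pop(0)))
        else:
            report["deleted"].append(path)
    report["created"] = sorted(p for paths in fresh.values() for p in paths)
    return report

def demo():
    """Constructed sample share: one rename, one new file, one overwrite, one removal."""
    with tempfile.TemporaryDirectory() as share:
        def write(rel, data):
            with open(os.path.join(share, rel), "wb") as fh:
                fh.write(data)
        for rel, data in [("file", b"report"), ("notes", b"notes v1"), ("photo", b"jpeg")]:
            write(rel, data)
        before = snapshot(share)
        os.mkdir(os.path.join(share, "folder"))
        os.rename(os.path.join(share, "file"), os.path.join(share, "folder", "file"))
        write("file3", b"new")            # allowed: creation
        write("notes", b"ciphertext")     # violation: overwrite in place
        os.remove(os.path.join(share, "photo"))  # violation: deletion
        return classify(before, snapshot(share))

if __name__ == "__main__":
    print(demo())
```

A file that is encrypted and then renamed shows up as one deletion plus one creation, because the new path no longer carries the old hash.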

1 Answer

1

NFS permissions are only read and write... If you permit writing, then editing and deleting files is possible besides creating and moving files.

2
  • Is there any possibility to set wrappers for low-level methods? Meaning I could add the wrapper that checks whether it moves the file from the share to the same share and allows it, but disallows it if not? Commented Apr 6, 2016 at 16:15
  • 2
    NFSv4 allows much more, but you need a real NFSv4 implementation to use the ACLs. Even the NFSv4 ACLs do not mention rename, they just allow you to forbid removing files in a directory or adding files in a directory. Commented Apr 6, 2016 at 16:36
