Possible to apply sticky bit effects to a group rather than user?

Question

I've been reading up on the "sticky bit" and it's almost what i want… but not quite.

Background

I'm managing a small JupyterHub instance with three courses and an instructor for each course. I'd like to have a folder on the server for file submissions.

Students (in the jupyterhub-users group) should be able to place their own files in the folder, but should not be able to move or view other files in the folder. Ideally, they should retain the ability to move or edit their own file.

Course instructors (in the jupyterhub-instructors group) should have full access to files and folders in the submissions folder so they can move their students submissions around as they see fit.

My current understanding

I'm aware of the sticky bit… my problem with it is that it leaves the other instructors unable to modify the contents of the folder. Is there a version of the sticky bit that allows the group to edit the folder? In that case, I can set ACLs such that jupyterhub-users have rwx permissions on the folder (allowing them to submit files to the folder and see the contents of it) and set the folder owner to root:jupyterhub-instructors so the instructors can control the contents of the folder.

If all else fails, I suppose I can make subfolders in the submissions folder owned by each instructor, then set the sticky bit on each subfolder. I'd like to avoid the future maintenance associate with that though, since I'll have to be the one to remember to set up a new folder next semester for each instructor.

Answer 1

I see several approaches to get this done; neither is both nice and easy.

seperate folders and inotify 1: input and collection

You create an input folder with 777 and configure inotify for it. When a user creates a file (closes the file descriptor), a script is triggered which

• moves the file to a 775 directory
• changes the owner (e.g. to root) and the group
• changes the permissions to 660
• sets an rw ACE for the former owner

(possible) disadvantage: The users can see the files of the other users (not their content, though).

seperate folders and inotify 2: one per user, one for the group

Instead of having just one folder for everyone you create one folder (770) for jupyterhub-instructors and each one for every user (700).

The inotify script

• creates a hard link in the group directory under the file name ${username}-${original_filename}
• changes the owner (e.g. to root) and the group
• changes the permissions to 660
• sets an rw ACE for the former owner

the FUSE file system bindfs (https://bindfs.org/)

I have not tested this. bindfs ignores the sticky bit. I am not sure what "ignores" means in this context. The public folder would have 1777 and (somewhere) below a 750 "access contol directory" you would create a bindfs mount which would force all the files to ?6?. I guess the sticky bit of the original directory would not prevent changes made under this path (but I do not know for sure).

NFS4 ACL

You mount the directory via NFS4 (from the same system) and configure the permissions you want...

advantage: just one directory (possible) disadvantage: users can either see the files of other users or not even their own.

Answer 2

Will the file names be predictable and unique? If not, setting the permissions on the directory to 0773 and have it owned by root:jupyterhub-instructors will allow students to drop files into the directory but not list the directory contents. All members of jupyterhub-instructors will have full control of the directory.

Any user who knows the name of a particular file will be able to list it and possibly see the contents depending on the file permissions the original user placed on it.