Linux directory permissions: read and write but not delete
Note: this page is a Chinese-English parallel translation of a popular StackOverFlow question, licensed under CC BY-SA 4.0. If you use it you must comply with the same CC BY-SA licence, cite the original address and author information, and attribute it to the original author (not me): StackOverFlow
Original address: http://stackoverflow.com/questions/869536/
Warning: these are provided under the cc-by-sa 4.0 license. You are free to use/share it, but you must attribute it to the original authors (not me):
StackOverFlow
Linux directory permissions read write but not delete
Asked by CodeLizard
Is it possible to setup directory permissions such that a group is able to read and write files and subdirectories but not delete anything?
Accepted answer by jmanning2k
It might be enough to set the sticky bit on the directories. Users will be able to delete any files they own, but not those of other users. This may be enough for your use case. On most systems, /tmp is set up this way (/tmp is set to 1777).
chmod 1775 /controlled
However, if you want more control, you'll have to enable ACL on the filesystem in question.
In /etc/fstab, append acl to the flags:
/dev/root / ext3 defaults,acl 1 1
You can then use setfacl/getfacl to control and view acl level permissions.
Example: (Create files, once written, they are read only, but CAN be deleted by owner, but not others.)
setfacl --set u::rwx,g::rwx,o::--- /controlled
setfacl -d --set u::r-x,g::r-x,o::- /controlled
You can set a default acl list on a directory that will be used by all files created there.
As others have noted, be careful to specify exactly what you want. You say "write" - but can users overwrite their own files? Can they change existing content, or just append? Once written, it's read only? Perhaps you can specify more detail in the comments.
Lastly, selinux and grsecurity provide even more control, but that's a whole other can of worms. It can be quite involved to set up.
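As an added example, not code from jmanning2k's answer, the following POSIX shell script classifies a directory by the property that `chmod 1775` (and /tmp's 1777) addresses: whether users who share write access can also unlink each other's files. It assumes Linux with GNU coreutils (`stat -c`) and GNU find (`-perm /mode`); the three directories built in `demo` are constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the original answer. Assumes Linux with GNU
# coreutils (`stat -c`) and GNU find (`-perm /mode`); the directories created
# in demo() are constructed for illustration.

# Octal mode of a path, e.g. "1775" for a sticky, group-writable directory.
mode_of() {
    stat -c '%a' "$1"
}

# Classify a directory by who can remove other users' files from it:
#   private : neither group nor other has write access, so only the owner
#             (and root) can create or unlink entries
#   sticky  : group/other can write, but the sticky bit (1000) limits unlink
#             to the file's owner, as with /tmp (1777) and the answer's 1775
#   unsafe  : group/other can write AND unlink each other's files
classify_dir() {
    m=$(mode_of "$1")
    perm=$(( 0$m & 07777 ))      # leading 0 makes the shell parse it as octal
    gw=$(( perm & 020 ))          # group write bit
    ow=$(( perm & 02 ))           # other write bit
    st=$(( perm & 01000 ))        # sticky bit
    if [ "$gw" -eq 0 ] && [ "$ow" -eq 0 ]; then
        echo private
    elif [ "$st" -ne 0 ]; then
        echo sticky
    else
        echo unsafe
    fi
}

# Report every directory under $1 that is group- or other-writable without
# the sticky bit: the state in which any writer can delete anyone's files.
audit_tree() {
    find "$1" -type d -perm /022 ! -perm -1000 -print
}

demo() {
    base=$(mktemp -d)
    mkdir "$base/drop" "$base/scratch" "$base/home"
    chmod 0777 "$base/drop"       # anyone can write and delete anything
    chmod 1777 "$base/scratch"    # /tmp-style: write yes, cross-user delete no
    chmod 0755 "$base/home"       # only the owner writes
    for d in drop scratch home; do
        printf '%s: %s (%s)\n' "$d" "$(mode_of "$base/$d")" "$(classify_dir "$base/$d")"
    done
    echo "directories that need the sticky bit or tighter write access:"
    audit_tree "$base"
    rm -rf "$base"
}

demo
```

`audit_tree` is the quick check to run over a shared area before and after applying `chmod 1775`: anything it still lists is a directory where one writer can remove another writer's files.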
Answered by alamar
Well, it would be r-x for this directory.
And files in it would have rw-.
This is because a file can be written if its permissions allow Write, but it can only be deleted if its directory's permissions allow Write.
Answered by bacar
Possible or not, make sure that overwriting with a 0-byte file isn't equivalent to deleting the file in your particular context.
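An added example, not part of alamar's or bacar's answer, that exercises both points in one temporary directory (all paths and content are constructed): the file is left rw- for its owner while the directory is made r-x, and the script then probes whether the current user can append to the file, truncate it to zero bytes, and unlink it. Run as an ordinary user it prints `append=yes truncate=yes delete=no`, which is exactly bacar's caveat: the directory mode blocks the unlink, but the file mode still lets the content be emptied. Root bypasses the directory check and gets `delete=yes`.

```shell
#!/bin/sh
# Added example, not code from the original answers. Everything runs inside a
# fresh mktemp directory, so the paths and file content are constructed.

# Each probe returns 0 (success) if the current user can perform the action.
can_append()   { ( echo "appended" >> "$1" ) 2>/dev/null; }
can_truncate() { ( : > "$1" ) 2>/dev/null && [ ! -s "$1" ]; }
can_delete()   { rm -f "$1" 2>/dev/null && [ ! -e "$1" ]; }

# The layout alamar describes: directory r-x, file rw- (for the owner).
setup_dir() {
    d=$(mktemp -d)
    echo "payload" > "$d/data.txt"
    chmod 0644 "$d/data.txt"   # file mode governs writing to the content
    chmod 0555 "$d"            # directory mode governs creating/unlinking names
    echo "$d"
}

# Runs the three probes and prints e.g. "append=yes truncate=yes delete=no".
probe() {
    d=$(setup_dir)
    f="$d/data.txt"
    a=no; t=no; r=no
    can_append "$f"   && a=yes
    can_truncate "$f" && t=yes   # bacar's point: write access alone empties the file
    can_delete "$f"   && r=yes   # fails for a non-root user: the directory lacks w
    chmod 0755 "$d" && rm -rf "$d"
    echo "append=$a truncate=$t delete=$r"
}

probe
```

The `truncate=yes` result is what to watch for when the requirement is "no deletion": a directory without write permission protects the name, not the bytes, so if losing the content is as bad as losing the file, the file itself also needs to be made read-only (for example through the default ACL in the accepted answer).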