Permission to only one directory


Permission to only one directory

satish
Dear erman,

We have to provide access to a folder to place files to user. User should not have delete access to any file under that folder. Please suggest.

RHEL 7

Thanks
Satish

Re: Permission to only one directory

ErmanArslansOracleBlog
Administrator
It seems there is no easy way of doing this: preventing a user from deleting its own file.
The easiest solution seems to be the one based on chattr +i.

So if you use chattr +i for a file, even the owner cannot delete it.
However, you need to implement it in a way that it is triggered when a new file is created.

So, your user will create a file named TESTFILE in a directory named /TESTDIR, and when that happens, that trigger should be fired and execute the command -> chattr +i /TESTDIR/TESTFILE. This way, your user, although it is the owner of the file, will not be able to delete the file named TESTFILE. I hope you understand what I mean. See "inotifywait" for implementing such a triggering mechanism.

Re: Permission to only one directory

satish
Hi erman,

I have to be clear. Actually we have the xxttd top/bin folder, and appcrp is the owner and dba is the group. Now we have to grant access to this folder to one client who will place some files. We have to make sure that the client doesn't delete any files under this folder. How can we achieve this? We are poor in Linux. Please suggest.

Thank you

Re: Permission to only one directory

ErmanArslansOracleBlog
Administrator
Use chattr +a -R /directory_full_path.

This way, the other user (client user) will be able to create files in that directory, but Linux will not let the user delete the files in that directory.

Demo:

[root@ebsclone /]# mkdir /ermantest
[root@ebsclone /]# chmod 777 ermantest
[root@ebsclone /]# chown oracle:dba ermantest
[root@ebsclone /]# useradd writeonlyuser
[root@ebsclone /]#  chattr +a -R /ermantest
[root@ebsclone /]# su - writeonlyuser
[writeonlyuser@ebsclone ~]$ cd /ermantest
[writeonlyuser@ebsclone ermantest]$ touch testfile1
[writeonlyuser@ebsclone ermantest]$ touch testfile2
[writeonlyuser@ebsclone ermantest]$ touch testfile3
[writeonlyuser@ebsclone ermantest]$ rm testfile3
rm: cannot remove ‘testfile3’: Operation not permitted

Another test:

[root@ebsclone ermantest]# su - oracle
[oracle@ebsclone ermantest]$ touch createdbyoracle
[oracle@ebsclone ermantest]$ exit
[root@ebsclone ermantest]# su - writeonlyuser

[writeonlyuser@ebsclone ~]$ cd /ermantest/
[writeonlyuser@ebsclone ermantest]$ ls
createdbyoracle  testfile1  testfile2  testfile3
[writeonlyuser@ebsclone ermantest]$ rm createdbyoracle
rm: remove write-protected regular empty file createdbyoracle? y
rm: cannot remove ‘createdbyoracle’: Operation not permitted

Re: Permission to only one directory

satish
Thanks erman. How can we restrict the user to access only the xxttd custom top instead of accessing the rest of all folders? Like we have /u01, /u02 etc. The user should only access this xxttd top bin folder.


Re: Permission to only one directory

ErmanArslansOracleBlog
Administrator
Yes. That can be done using the chmod command.
Give the required permissions "only" for the custom top directory to the user.
Remove the execute (+any other permissions) permission for the other directories which reside in the same directory as the custom top directory.
Then give "only" the execute privilege for the parent directory to the user and that's it.

So that user should have only the execute privilege on the parent directory. That user should not have any privileges on the other directories which reside in the same parent directory as the custom directory. Finally that user should have the required privileges (rwx or any other) for the custom top directory. This way, the user can access only the custom directory.
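The layout described in the post above, as an added example that is not part of the original thread: it builds the parent/sibling/custom structure in a scratch directory and audits the permission bits that apply to the client. The directory names are constructed, and the client is assumed to fall in the "other" permission class (with a dedicated group, the group digit would be checked instead).

```shell
#!/bin/sh
# Added example, not from the thread. Directory names are constructed and the
# client is assumed to be in the "other" class. Needs GNU stat (as on RHEL 7).

# Print the "other" permission digit (0-7) of a path.
other_bits() {
    mode=$(stat -c '%a' "$1") || return 1
    echo $(( 0$mode & 7 ))
}

# Build the layout from the post under a scratch root.
build_layout() {
    mkdir -p "$1/appl/xxttd_bin" "$1/appl/other_top1" "$1/appl/other_top2"
    chmod 711 "$1/appl"             # parent: execute only (traverse, no listing)
    chmod 750 "$1/appl/other_top1"  # siblings: no permissions for the client
    chmod 750 "$1/appl/other_top2"
    chmod 757 "$1/appl/xxttd_bin"   # custom dir: the required permissions
}

# Audit as the owner or root: parent must be --x, the custom directory must be
# traversable, every sibling must be ---. Returns 1 on any deviation.
audit_layout() {
    parent=$1; custom=$2; rc=0
    bits=$(other_bits "$parent")
    if [ "$bits" -eq 1 ]; then echo "OK   parent (other=$bits)"
    else echo "FAIL parent (other=$bits, want 1)"; rc=1; fi
    for d in "$parent"/*/; do
        d=${d%/}; name=${d##*/}; bits=$(other_bits "$d")
        if [ "$name" = "$custom" ]; then
            if [ $(( bits & 1 )) -eq 1 ]; then echo "OK   $name (other=$bits)"
            else echo "FAIL $name (other=$bits, client cannot enter)"; rc=1; fi
        elif [ "$bits" -eq 0 ]; then echo "OK   $name (other=$bits)"
        else echo "FAIL $name (other=$bits, want 0)"; rc=1; fi
    done
    return $rc
}

# Demo on a scratch tree, then loosen one sibling to show the audit catching it.
demo=$(mktemp -d)
build_layout "$demo"
audit_layout "$demo/appl" xxttd_bin
chmod o+rx "$demo/appl/other_top1"
audit_layout "$demo/appl" xxttd_bin || echo "audit failed as expected"
rm -rf "$demo"
```

Because the parent is execute-only for the client, the client can reach the custom directory by its full path but cannot list the parent to discover the sibling names.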

Re: Permission to only one directory

satish
Hi erman,

Below is the actual requirement.

Directory:
=========

[applsupp@erpsupport ~]$ echo  $XXTTD_TOP/bin
/u01/SUPPDBAPPS/fs1/EBSapps/appl/xxttd/12.0.0/bin
[applsupp@erpsupport ~]$ ls -ld /u01/SUPPDBAPPS/fs1/EBSapps/appl/xxttd/12.0.0/bin
drwxr-xr-x 2 applsupp dba 12288 Aug 26 18:26 /u01/SUPPDBAPPS/fs1/EBSapps/appl/xxttd/12.0.0/bin
[applsupp@erpsupport ~]$



creation of user:
=================

[root@erpsupport ~]# groupadd client
[root@erpsupport ~]# useradd -G client client_file
[root@erpsupport ~]# passwd client_file


[root@erpsupport ~]# su - client_file
[client_file@erpsupport ~]$ pwd
/home/client_file
[client_file@erpsupport ~]$ cd /u01/SUPPDBAPPS/fs1/EBSapps/appl/xxttd/12.0.0/bin
[client_file@erpsupport bin]$ pwd
/u01/SUPPDBAPPS/fs1/EBSapps/appl/xxttd/12.0.0/bin
[client_file@erpsupport bin]$ ls
XXTBR_TEMPLE_ITEMS_BOM
...
....

Currently, client_user has only read and execute privilege on this directory, but when he tried to copy some file to this location, the user gets permission denied.

cp: cannot create regular file ‘aaaaaaaa.txt’: Permission denied

Our concern is: without changing any permissions on the directory, is it possible to assign write permission on that directory to client_user?


Thank you

Re: Permission to only one directory

satish
Dear erman,

Am I not clear?

Thank you

Re: Permission to only one directory

ErmanArslansOracleBlog
Administrator
Grant write permission on that directory for that user of yours (or group of yours) and you should be okay.
I just couldn't get what you mean by "without changing any permissions on directory,is it possible to assign write permission on that directory to client_user?" -- what do you mean by that?