I have a directory, owned by me (e.g. /sync), and a process, run by me, which I want to have full read & write access to this directory (in my case the process is Resilio Sync, formerly known as BitTorrent Sync). All files in this directory are personal projects and documents. 99% of them are owned by me, but sometimes, for unavoidable reasons, some directories and files are created by root. How would I go about somehow letting the process alter, move and/or delete such directories and files?

I've tried a combination of sticky bits (setting g+s on /sync, so that all files inherit the group) and custom ACL rules (to try to have the sticky bits propagate to newly created directories automatically), but, as described in this answer and its comments, it can't be done without inotify (which I'd like to avoid for simplicity).

However, I was wondering, maybe there's some other way to go about this? Like giving one particular process more power in a certain directory and everything in it, ignoring all file permissions? And if that is possible, are there any security implications I would have to look out for?

Alec Mev
  • sudo chown -R youruser before running the synch process. Problem solved. – Satō Katsura Nov 18 '16 at 16:41
  • @SatoKatsura Resilio does the synchronization continuously, very much like Dropbox, just in a decentralized manner. It can decide to modify a root-owned file at any time. – Alec Mev Nov 18 '16 at 18:06

1 Answer

I don't think this goal requires sticky bits. Let's say the process is running as the user, resilio, and your user account is olegs. (I see that it is your account running the process; I add this for the sake of demonstration.)

# Change all ownership to root:root
chown -R root:root /sync

# Make sure only root (and members of the root group) can get a directory listing.
chmod 0750 /sync

# Now, let's augment standard permissions with ACLs.

# Set default ACL entries so that new file system objects created anywhere
# under /sync inherit them. -R applies the default entries to existing
# subdirectories as well, not only to /sync itself.
# (The root user already has permission.)
setfacl -R -d -m u:resilio:7 /sync
setfacl -R -d -m u:olegs:7 /sync

# Give full control over the existing files (and dirs) to olegs and resilio.
# -R must come before -m, otherwise "-R" is taken as the ACL spec.
# rwX grants execute only to directories (and to files that are already
# executable), so existing files end up rw and directories rwx.
setfacl -R -m u:resilio:rwX /sync
setfacl -R -m u:olegs:rwX /sync

Now, these users have full control over the directory: root, olegs, and resilio. Otherwise, no other user can see the contents of the /sync directory. Although the masks specify 7 (read/write/execute), directories become rwx and files effectively become 6 (read/write).

Christopher
  • Thanks, this works! At least it passes my elaborate test, comprised of mkdir x, sudo touch x/y and rm x/y :) I was doing it with groups, instead of users (setfacl -m g:olegs:rwX /sync & setfacl -d -m g:olegs:rwX /sync), with and without sticky bits. Not sure why it wasn't doing what I expected, but that's not important anymore. – Alec Mev Nov 18 '16 at 18:20
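The "7 in the default entries, but files effectively get 6" behaviour in the answer above follows from the inheritance rules in acl(5). The following is an added model of those rules (not code from the answer or from Resilio); the sample default ACL is constructed to match the answer's setup (/sync with mode 0750 plus default entries u:resilio:7 and u:olegs:7), and it shows how the mask entry limits named users on new files but not on new directories.

```python
# Added model of Linux default-ACL inheritance at object creation (acl(5)).
# Not part of the original answer. SYNC_DEFAULT_ACL is constructed to match
# the answer's setup: /sync mode 0750 plus default u:resilio:7 and u:olegs:7.

def _bits(rwx: str) -> int:
    """'rw-' -> 6"""
    return (4 if "r" in rwx else 0) | (2 if "w" in rwx else 0) | (1 if "x" in rwx else 0)

def _rwx(bits: int) -> str:
    """6 -> 'rw-'"""
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")

def _intersect(a: str, b: str) -> str:
    return _rwx(_bits(a) & _bits(b))

# Default ACL of /sync as getfacl would list it (entry tag -> permissions).
# setfacl adds the mask:: entry itself because named-user entries exist.
SYNC_DEFAULT_ACL = {
    "user::": "rwx",
    "user:resilio": "rwx",
    "user:olegs": "rwx",
    "group::": "r-x",
    "mask::": "rwx",
    "other::": "---",
}

def inherit_acl(default_acl: dict, create_mode: int) -> dict:
    """Access ACL of a new object created under a directory with `default_acl`.

    acl(5): the default ACL is copied, then the entries that map onto the file
    mode bits (user::, mask:: [or group:: if there is no mask], other::) are
    restricted to the bits in `create_mode`. The umask is not applied.
    """
    acl = dict(default_acl)
    acl["user::"] = _intersect(acl["user::"], _rwx((create_mode >> 6) & 7))
    group_class = "mask::" if "mask::" in acl else "group::"
    acl[group_class] = _intersect(acl[group_class], _rwx((create_mode >> 3) & 7))
    acl["other::"] = _intersect(acl["other::"], _rwx(create_mode & 7))
    return acl

def effective(acl: dict, tag: str) -> str:
    """Effective permissions of one entry: named users/groups and group:: are
    limited by mask::; user:: and other:: are not."""
    if tag in ("user::", "other::", "mask::") or "mask::" not in acl:
        return acl[tag]
    return _intersect(acl[tag], acl["mask::"])

# touch/creat request mode 0666 for files, mkdir requests 0777.
new_file = inherit_acl(SYNC_DEFAULT_ACL, 0o666)
new_dir = inherit_acl(SYNC_DEFAULT_ACL, 0o777)
```

The named-user entry itself stays rwx on the new file; only the mask shrinks to rw-, which is what getfacl reports as "#effective:rw-".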