1

I have a directory with the below permissions:

drwxrwsr-x 3 john ro 20K Jun 20 14:48 logs

I logged in as john and touched a new file inside logs:

-rw-r--r-- 1 john ro 0 Jun 20 14:48 d

From my understanding, in this scenario, only john should be able to delete the file d. Any other user with group ro should not be able to delete the file since it has only group read access. However when I try to delete using another account for which ro is the group, the file gets deleted!

mathew@ip-10-0-0-148:/mnt/custom/ops/logs$ ls -lrth d
-rw-r--r-- 1 john ro 0 Jun 20 14:48 d
mathew@ip-10-0-0-148:/mnt/custom/ops/logs$ rm d
rm: remove write-protected regular empty file 'd'? yes
mathew@ip-10-0-0-148:/mnt/custom/ops/logs$ ls -lrth d
ls: cannot access 'd': No such file or directory

This seems strange!. I want group members to be able to read but not delete a file. What am I missing?

Mathew Paret
  • 93

2 Answers2

1

The ro group has full permissions to that directory which means that any of its members can delete or modify files or directories inside whether they own them or not and regardless of the file permissions.

If you only want the group members to be able to read the files inside, either change the group to john or remove write permissions for the group. Do one of these from the directory containing the logs directory.

chown :john logs

chmod 755 logs

I recommend the second command to just remove the write permissions.

Nasir Riley
  • 11,422
  • I need ro to have full permissions. This is because I have multiple users who must be able to write to the log folder. For example, the user John and Reject should be able to write to logs directory. Any person with group ro should be able to read it. So the group has to be ro. If I apply the above change, either Reject will not be able to write there, or ro will not be able to read. – Mathew Paret Jun 20 '19 at 23:35
  • An alternate I can think off is - add John and Reject to a group called Logger. Change directory owner to John (John is runs the main application) and set the directory group to Logger. And keep the world read option so anyone can read. Do you think of any possible security issue if I do that? – Mathew Paret Jun 20 '19 at 23:39
  • @MathewParet Then you need to update your question. It says "I want group members to be able to read but not delete a file." It never says that you want that group to be able to write to the directory. My answer explains why other users are able to delete files in that directory that they don't own. If you want them to have write permissions to the directory (why you need users to be able to write to a log directory, I have no idea but that's up to you) while not being able to delete files that they don't own then accept the other answer because it does exactly that. – Nasir Riley Jun 20 '19 at 23:56
  • If you want one group able to read and another able to write, then look at file ACLs. see https://unix.stackexchange.com/q/101263/4778 – ctrl-alt-delor Jun 21 '19 at 06:15
1

You don't delete files, you remove their entry from a directory. You need directory write permission to do this. (this permission exists in your example).

You may want to look at the sticky bit. Apply it to the directory i.e. chmod +t …/logs/d. This will make it so that only the owner (and user with capability CAP_DAC_OVERRIDE e.g. root) can remove a file from a directory.

When a file has no directory entries, and is no-longer open by any process, it will be deleted.

ctrl-alt-delor
  • 27,993