Say I have a folder tree like:
root/
ro/
symlink-to-ro/
my question is two-fold:
(a) is there a way to make all files in the ro directory read-only, but if the files are accessed by way of the symlink, make them writable?
(b) the reverse of (a): is there a way to make the files writable only if they are accessed directly?
This is just for *nix/MacOS
No. Permissions are assigned to inodes, not to directory entries; so the same set of permissions is checked regardless of the path you used to access the file.
EDIT: Scratch that. I just remembered there is a way: while files and folders don't carry permissions, mounts can be set to be readonly. If you were on Linux, a read-only bind mount would be exactly what you are looking for. AFAIK OSX can't do that, so you can fake it with an NFS mount (not as nice).
Related
I have a REST server whose purpose is to organize files generated by various users. To keep things simple, both the server and the users have access to a shared network filesystem.
The workflow is as follows: the user generates the file in a temp folder. He then notifies the server who then puts the file in a place of its own and stores some metadata in a database. The server should then own the files and take care of their deletion as needed.
My problem is the following: since the files can be quite big, I'd like to avoid a costly copy and instead simply move the files from the temp folder to their final destination. However, moving the files prevents the server from changing their ownership (see here for example).
Is there a way around this, without 1) copying the file, and 2)running the server as root?
EDIT: a couple precisions:
The file to be moved can be a directory with a hierarchy of files
It would be nice to have the server own the files in the final location to restrict access to other users.
If you create a separate user just to handle the chown, you can give that user the CAP_CHOWN capability, and you can have a single executable owned by that user that has the setuid bit set on it (so it executes as that user).
For security, this executable should do as little as possible, with as many checks as possible.
It should do the chown for the server user after the server user does the move. It should exist in a directory that is not writable by other users; it can do checks to insure that it is happy with all the attributes of the files it is asked to chown (current owner, location, etc.), it can have the server user hard-coded (so nobody else can use it), etc.
This will probably have to be a small C program, since most systems don't let you use setuid with scripts. You can find several small example programs on the web that do chown -- one is here
You should use a user group for all users and the server. Make the temp directory owned by that group and set it group-writable and sgid.
chown :groupname /path/to/temp
chmod g+s /path/to/temp
chmod 770 /path/to/temp
Then the server can adopt ownership of the file easily. Of course this means users can write other users' files, but I guess this is not a concern because they stay there a very short time?
I know that I can set the access level of a directory using chmod, but I need to specify a default level of access for every new file that is ever created in a directory, until the end of time.
Is there some way to accomplish this? chmod'ing every single file every time it gets generated in this directory isn't practical in a production environment, I need to make all files created in this directory default to 777.
Perhaps a little OT for StackOverflow.
Couple of options really, depending on what filesystem you've got.
Some filesystems support ACLs. http://linux.about.com/library/cmd/blcmdl1_setfacl.htm
Standard Unix won't allow you to force users to create mode 777, but you can set group setuid on a directory, such that all created files in that directory are owned by that group. If your default umask includes group write, that may do the trick.
On some filesystems, you can use inotify to detect changes and trigger a binary (like chmod).
I'm a beginner in linux.I have a question on filesystem that is it possible to make all files under a directory read-only without changing permissions?
No it is not possible. The write permission grants the ability to write a file. So that you need to change it anyway to make the file read-only for specific user or group of users.
You'd probably like to read this at spare time.
If you have suitable privileges, and if the filesystem is not critical to the machine (do not try this with "/", your root filesystem), you can remount the filesystem read-only. The details differ slightly from one system to another, but a useful discussion is found here:
https://askubuntu.com/questions/296331/how-to-mount-a-hard-disk-as-read-only-from-the-terminal
that applies to Linux and BSDs.
Because this does not actually modify the files, you can undo this by remounting the filesystem again, with read/write permissions, e.g., "rw" where the "ro" option was used. For specific information you should read the manpage(s) for mount and fstab for the system you are using.
I have multiple websites on a dedicated server running under Linux/Apache. The sites need to access common data from a directory named 'DATA' under the doc root. I cannot replicate this directory for every site. I would like to put this under a common directory (say /DATA) and provide a symbolic link to this directory from the doc root for each of the sites.
www/DATA -> /DATA
Is there a better way of doing this?
If I put this common directory (/DATA) directly under Linux root directory, can there be problems from Linux standpoint as the directory size can be several gigabytes and the sub directories under /DATA will need have write permissions.
Thanks
Use Alias along with the Directory directive. This will allow the site to access the directory via a url path.
I'm not sure what exactly it means that you'll have scripts accessing the directory to provide data. Executing shell scripts to read an produce data is a different story entirely, but you probably want to avoid this if this is what you're doing. Application pages could be included in the data directory and use a relative path to get to the data. Then all sites get the same scripts and data.
I don't know what your data is, but I'd probably opt to put it in a database. Think about how you have to update multiple machines if you have to scale your app. Maybe the data you have is simple and a DB is overkill.
I am packaging and distributing a program I made for Windows,Linux and Mac. I plan to put the files and folders in zip archives.
If I set the correct folder and file permissions and then compress into zip and redistribute them, will those permissions be maintained when the user extracts them in Linux or Mac systems ? Or do they have to set the permissions themselves ?
zip does not store file permissions in the archive.
tar archives will preserve file permissions on Linux and OS X. I have no idea what happens on Windows. If you can test things out on Windows and it works, this is probably your best bet. It probably depends on what tool people use to unpack the archives.
Another option would be to create an installer, although there are few non-commercial options for creating cross-platform installers. Wikipedia has a list.
An installer is your best option here.
Lets me explain a bit better why.
Windows has these permissions:
Modify
Read & Execute
Read
Write
Which are assigned to Groups or Usernames,
Unix based systems have:
Read
Write
Execute
Which can be assigned to owner, group and others.
Has you can see, its difficult to map permissions from one system to another, since the filesystems handle permissions differently.
However some zip utilities like Info-Zip supports Unix based filesystem features, such as user and group IDs, file permissions, and support for symbolic links. It also support NTFS filesystem permissions, and will make an attempt to translate from NTFS permissions to Unix permissions or vice-versa when extracting files. This can result in potentially unintended combinations, e.g. .exe files being created on NTFS volumes with executable permission denied.*
If you are planning on distributing your program, an installer is indeed your best solution.
*From wikipedia: Zip (file format)