Then don't chmod 777 the file. If the file has been given the ACL
u::rwx,g::rwx,o::rwx,u:user1:r-x,m::rwx then everyone _except_ 'user1' can
delete the file. If the file had been given
u::rwx,g::rwx,o::r-x,u:user1:rwx,m::rwx, then _only_ the true owner and user1
would be able to delete the file.
Start as root (or some other user who owns a file)
[root@jtsdell xfs_part]# chgrp root jt_junk
[root@jtsdell xfs_part]# ls -l jt_junk
-rwxrwxrwx 1 root root 0 May 11 13:36 jt_junk
[root@jtsdell xfs_part]# chacl -l jt_junk
jt_junk []
(There's no ACL defined on this file yet.... let's define one that doesn't allow
'jt' to delete the file... but looks 'normal' to 'ls -l')
[root@jtsdell xfs_part]# chacl u::rwx,g::rwx,o::rwx,u:jt:r-x,m::rwx jt_junk
[root@jtsdell xfs_part]# chacl -l jt_junk
jt_junk [u::rwx,g::rwx,o::rwx,u:jt:r-x,m::rwx]
See... 'chacl -l' sees the extended permission structure.
[root@jtsdell xfs_part]# ls -l jt_junk
-rwxrwxrwx 1 root root 0 May 11 13:36 jt_junk
But 'ls -l' does not see it.
[root@jtsdell xfs_part]# exit
exit
Go back to being 'jt'
[jt@jtsdell xfs_part]$ ls -l jt_junk
-rwxrwxrwx 1 root root 0 May 11 13:36 jt_junk
File looks like I (as 'jt') can delete it. Let's try.
[jt@jtsdell xfs_part]$ rm jt_junk
rm: remove write-protected file `jt_junk'? y
rm: cannot unlink `jt_junk': Permission denied
Gee Whiz!?! What happened? I've been acl-ized!
On 15-May-2001 Austin Gonyou wrote:
> I agree with this. but my problem is ACLs should protect. At this point
> the file can still be modified/deleted by ANYONE if I chmod 777 that file.
> What's the point of ACLs if they don't stop malicious behaviour?
ACLs are designed to allow you to specify permissions on a finer scale than the
traditional ugo scheme. You can tailor protection for just a few users or
groups.
--
John M. Trostel
Linux OS Engineer
Connex
jtrostel@xxxxxxxxxx
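Added example, not part of the message above or of the XFS tools: a small Python model of the POSIX.1e access check, applied to the two ACL strings John gives, showing why 'ls -l' prints rwxrwxrwx (its group field displays the mask) while the named-user entry still limits 'jt'. File owner root:root and the user names are taken from the session; the test users and the helper names are constructed here.

```python
# Constructed example: evaluate chacl-style POSIX.1e ACLs the way the kernel does.
PERM_BITS = {"r": 4, "w": 2, "x": 1}
TAG_NAMES = {"u": "owner", "g": "owning_group", "o": "other", "m": "mask"}

def parse_perms(text):
    """'r-x' -> 5, 'rwx' -> 7, '---' -> 0."""
    return sum(PERM_BITS[c] for c in text if c != "-")

def parse_acl(text):
    """Parse the short form chacl prints: 'u::rwx,g::rwx,o::rwx,u:jt:r-x,m::rwx'."""
    acl = {"user": {}, "group": {}}
    for entry in text.split(","):
        tag, qualifier, perms = entry.split(":")
        if tag in ("u", "g") and qualifier:        # named user / named group entry
            acl["user" if tag == "u" else "group"][qualifier] = parse_perms(perms)
        elif tag in TAG_NAMES:
            acl[TAG_NAMES[tag]] = parse_perms(perms)
        else:
            raise ValueError(f"bad ACL entry: {entry!r}")
    return acl

def ls_mode(acl):
    """The nine mode chars 'ls -l' shows; the group field is the MASK when one exists."""
    bits = lambda p: "".join(c if p & b else "-" for c, b in PERM_BITS.items())
    group_class = acl["mask"] if "mask" in acl else acl["owning_group"]
    return bits(acl["owner"]) + bits(group_class) + bits(acl["other"])

def acl_permits(acl, owner, group, who, who_groups, want):
    """POSIX.1e check (the logic of Linux posix_acl_permission): the first matching
    class decides; named-user and all group entries are ANDed with the mask."""
    mask = acl.get("mask", 7)
    if who == owner:
        return (acl["owner"] & want) == want
    if who in acl["user"]:
        return (acl["user"][who] & mask & want) == want
    group_entries = [acl["owning_group"]] if group in who_groups else []
    group_entries += [p for g, p in acl["group"].items() if g in who_groups]
    if group_entries:   # any one matching group entry granting the whole request suffices
        return any((p & mask & want) == want for p in group_entries)
    return (acl["other"] & want) == want

# The two ACLs from the message; the file is owned by root:root, 'jt' asks for write.
ACL_EVERYONE_BUT_JT = "u::rwx,g::rwx,o::rwx,u:jt:r-x,m::rwx"
ACL_ONLY_OWNER_AND_JT = "u::rwx,g::rwx,o::r-x,u:jt:rwx,m::rwx"

if __name__ == "__main__":
    for text in (ACL_EVERYONE_BUT_JT, ACL_ONLY_OWNER_AND_JT):
        acl = parse_acl(text)
        print(ls_mode(acl), "jt may write:",
              acl_permits(acl, "root", "root", "jt", {"jt"}, PERM_BITS["w"]))
```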