[lug] No rename: permissions and ACL's
Hugh Brown
hugh at math.byu.edu
Mon Oct 16 18:13:33 MDT 2006
Ben wrote:
> I'm having a problem with ACLs on Linux. I can't stop users from
> renaming a directory. I have a bunch of users with rwx access to a
> directory. They can create directories, files, etc. Permissions for that
> directory are:
>
> bash# getfacl ..
> # file: ..
> # owner: bluey
> # group: root
> user::rwx
> group::---
> group:Engineers:rwx
> mask::rwx
> other::---
> default:user::rwx
> default:group::---
> default:group:Engineers:rwx
> default:mask::rwx
> default:other::---
>
>
> Now I want to have a subdirectory (test2) be read only. So I set the
> permissions of the subdirectory (and files under the directory) to:
>
> bash# getfacl test2/
> # file: test2
> # owner: root
> # group: root
> user::rwx
> group::---
> group:Engineers:r-x
> mask::r-x
> other::---
> default:user::rwx
> default:group::---
> default:mask::---
> default:other::---
>
> And it works in that people cannot edit the files, or add new ones, etc.
> But they can rename the directory! (mv test2 ben-has-bad-security) How
> can I stop users from doing that? Now, users cannot rename directories
> under test2, so I think the problem is with the permissions of the
> parent directory. But I want users to have rwx access to that directory
> so they can create and delete other directories.
>
> Thanks,
>
> Ben
>
I believe with the regular unix ACLs you would add the directory sticky
bit. For example:
mkdir -p foo/test2
chmod 1770 foo
chmod 750 foo/test2
After doing that as user1, with user2 in the group that had permissions
on foo and foo/test2, user2 was unable to rename test2.
As for how that works with the extended ACLs, I don't know. Hopefully
it's a starting point though.
Hugh
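The parent-directory issue Ben describes and the sticky-bit fix Hugh suggests, as an added example (not code from either mail): a small POSIX sh audit that walks a tree and flags directories like Ben's parent, where being group- or world-writable without the sticky bit lets anyone with write access rename or unlink entries regardless of those entries' own permissions. It assumes the `ls -ld` permission-string layout and the `test -k` sticky-bit operator; the sample tree is constructed in a temp directory.

```shell
#!/bin/sh
# Added example, not from the original thread.
# A directory entry (file or subdirectory) can be renamed or unlinked by
# anyone who may write the *containing* directory; the entry's own mode is
# irrelevant. The sticky bit (chmod 1xxx) restricts that to the entry's owner,
# the directory's owner, and root.

# Return 0 (true) if DIR is group- or world-writable and lacks the sticky
# bit, i.e. non-owners with write access could rename entries inside it.
rename_exposed() {
    dir=$1
    # ls -ld gives e.g. "drwxrwx---+" (the '+' marks an ACL; with an ACL the
    # group field shows the mask, which is what Ben's mask::rwx exposes).
    perms=$(ls -ld "$dir" | cut -c1-10)
    gw=$(printf '%s' "$perms" | cut -c6)   # group write bit
    ow=$(printf '%s' "$perms" | cut -c9)   # other write bit
    if [ -k "$dir" ]; then
        return 1                           # sticky bit set: rename restricted
    fi
    [ "$gw" = w ] || [ "$ow" = w ]
}

# Walk ROOT and print every directory where rename_exposed holds.
audit_tree() {
    find "$1" -type d | while read -r d; do
        if rename_exposed "$d"; then
            printf 'EXPOSED %s (%s)\n' "$d" "$(ls -ld "$d" | cut -c1-10)"
        fi
    done
}

# Constructed sample tree mirroring Ben's layout: group-rwx parent, r-x child.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/foo/test2"
    chmod 770 "$tmp/foo"          # Ben's parent: group rwx, no sticky bit
    chmod 750 "$tmp/foo/test2"    # read-only child, yet still renameable
    echo "before:"; audit_tree "$tmp"
    chmod 1770 "$tmp/foo"         # Hugh's fix: add the sticky bit
    echo "after:";  audit_tree "$tmp"
    rm -rf "$tmp"
}

[ "${1:-}" = demo ] && demo
```

Run as `sh audit.sh demo` to see the parent flagged before the sticky bit is set and nothing flagged after; the child is never flagged because 750 is not group-writable.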