PDA

View Full Version : Best way to prevent deleting within user domain?


benwiggy
10-05-2011, 11:22 AM
I have a couple of locations in my user domain where I store data files that I generally don't want to delete or save over, once they are put there. I add files to this location from time to time, though.

Basically, I'm looking for a way to require "sudo" or authorization in the Finder when doing anything destructive to these files. And I want files moved or saved there to inherit the same attributes.

I first set the owner to root, which worked well, but made adding files to the folder just as difficult, and didn't inherit.
I then tried using ACLs, but haven't got the hang of inheritance.

Does anyone have any good ideas?

Hal Itosis
10-05-2011, 03:04 PM
I have a couple of locations in my user domain where I store data files that I generally don't want to delete or save over, once they are put there. I add files to this location from time to time, though.

Basically, I'm looking for a way to require "sudo" or authorization in the Finder when doing anything destructive to these files. And I want files moved or saved there to inherit the same attributes.

I first set the owner to root, which worked well, but made adding files to the folder just as difficult, and didn't inherit.
I then tried using ACLs, but haven't got the hang of inheritance.

Does anyone have any good ideas?

Somethin' like this:

chmod -R +ai 'group:everyone deny delete,file_inherit' /path/to/desired/folder



If you get into trouble...

chmod -R -N /path/to/protected/folder

...will remove all ACLs.



The main problem you will have is in "moving" files into that space... because the inheritance (at least OSX's implementation) won't kick in. I.e., drag-n-drop moving will preserve permissions of the moved file.

The workaround is to *copy* files in. That 'creates' a new version of the item, and the inheritance mechanism will apply in that case.

Hal Itosis
10-05-2011, 03:24 PM
I think though, if any subfolders appear (or will be created) in this hierarchy, you might encounter weaknesses. I used only 'file_inherit' there because you complained thusly: "made adding files to the folder just as difficult".

As long as you add only files, you're fine. But if you want subfolders protected as well, it gets more complicated.

Perhaps a combination of these two might work better then:

chmod -R +ai 'group:everyone deny delete,file_inherit,directory_inherit' /path/to//folder
chmod -R +ai 'group:admin allow add_file,directory_inherit' /path/to/folder

benwiggy
10-05-2011, 03:39 PM
Hal, thanks.

Yes, the folder has subfolders and may get new ones added. (Though I suppose I could copy a "blank" subfolder that had the correct ACLs.)

Will give this a try.

tlarkin
10-12-2011, 01:06 PM
There is an App Mikey-San made called Sandbox that is a GUI front end for creating ACLs and modifying them as well.

If you are using OS X Server Server Admin App can be used to set up ACLs. Also, the command line like Hal has posted.