Assigning Directory level permissions

Right now, there is a mounted NFS storage on RHEL server at the following location:

mnt/NFS/Data

So I had to request read, write, delete permissions inside Data directory from the server admin.

After getting the permissions, I created three folders viz dev, prod and test inside the Data folder.

So I am the owner of dev, prod and test folders. The way I would like to modify the permissions is as follows:

Scenario 1) No one inside prod and test folders should be able to delete a file and folder including me.

Scenario 2) We should be able to delete files and folders  inside the dev directory.

Questions:

1) For scenario 1, I think I should be able to change the permission for others to read and write inside the prod and test folder since I'm the owner. But what about me? Do I need to ask the server admin to take control of permission so that everyone inside prod and test folders should have same permissions including me?

2) Same I should do for dev folder as well?

You should be able to set your own permissions on that folder including for yourself. Full permission for yourself and read for group only would be 740 (if I haven't got my arithmetic totally up the creek). But what is that about restricting deletion? My write permission on my /home/critchie directory appears on Nautilus/caja as “create/delete files and folders”, so I am not sure how you are going to get create permission without delete. You might need to restrict permissions for everybody and change your own permission temporarily.

I don't think there's a way to prevent the owner of a file to delete their own file, other than taking away their write permission on the directory the file is in. Of course, this prevents the owner from adding new files to the directory, but if you're not concerned about that you can use this strategy.

To prevent users from deleting files or folders that belong to other users, just set the sticky flag on the directory with +t.

You might have more fine-grained control if you use ACLs or SELinux policies, but I don't have any experience with them, so I can't help you with them.

Thanks for your reply. Please find my answers below:

Campbell Ritchie wrote:Full permission for yourself and read for group only would be 740 (if I haven't got my arithmetic totally up the creek).

I was looking at this article for numeric numbers : https://www.cyberciti.biz/faq/unix-linux-bsd-chmod-numeric-permissions-notation-command/

So 740 would mean the following if I understood correctly:

7 - rwx

4 - Read only (r)

0 - Nothing

But what is that about restricting deletion?

Basically, when someone is inside prod or test folder, I don't want anyone to delete anything including me. In the above 740 scenario, I am  having full permission and group has read and write.

However, when someone is inside dev folder, everyone should have access to delete everything.

Jack Tauson wrote:Thanks . . . .

That's a pleasure

In the above 740 scenario, I am  having full permission and group has read and write. . . .

No, 740 means read‑only access for the group. Delete permission would mean write access, and I think you mean 760. That wouldn't grant everyboyd outside the group any permissions.

Thanks again. So since 740 means read only access to the group because of number 4. If I understood it correctly, since user has 7 permission, I am the only one with rwx permission, right?

And since I don't want myself to delete the files, I can change it to read and write?

Also, under which permission number, Delete would fall? If I want to assign a group a permission where they should not be able to delete something, I imaging it won't be read and write permission?

Jack Tauson wrote:Thanks again. . . .

That's a pleasure

I am the only one with rwx permission, right?

If you are the “user”, yes.

. . . I can change it to read and write?

I am sure ?w? permission would allow you to delete the file.

Also, under which permission number, Delete would fall? . . .

?4? or ?5? or ?1?
Please find out about the +t option Stephan mentioned. You can download introductions to the Linux command line from various websites free of charge.

Stephan van Hulst wrote:I don't think there's a way to prevent the owner of a file to delete their own file, other than taking away their write permission on the directory the file is in.

In straight Linux, I'm pretty sure that being root even overrides root permission restrictions.

However, if selinux is switched on (default in the Red Hat/CentOS/Fedora distros), then that's not a safe assumption, since one of the reasons that selinux was inflicted on an unwary world was to curb root's power.

I should note that there are also very specific selinux settings governing stuff shared via NFS, so it's a good idea to check the [tt]sebool/tt] options in effect.