On Fri, Jul 05, 2002 at 11:38:53AM +1000, Jason Lim wrote:
> > But won't "rmdir ." succeed if they are in the public_html directory?
[...]
> I was just thinking about (using your examples) making the htdocs and
> cgi-bin directories immutable (+i). However, I am not very familiar with
> using those "flags" so I'm not certain as to what consequences that would
> have... making it immutable means that the directory won't be able to be
> deleted, but files CAN be added/deleted within the immutable directory,
> right?
I think the +t sticky bit is what you want. From the chmod man page;

   STICKY DIRECTORIES
       When the sticky bit is set on a directory, files in that directory
       may only be unlinked or renamed by root or their owner. (Without
       the sticky bit, anyone able to write to the directory can delete
       or rename files.)
       ...

Given this, I would suggest something like this for an example user "abo";

minkirri:~$ dl
total 2
drwxrws--t    4 root     abo            81 Jul  5 13:13 ./
drwxrwsrwx    6 root     root          458 Jul  5 13:17 ../
drwxr-s---    2 root     abo            35 Jul  5 13:13 log/
drwxrwsr-x    2 root     abo            35 Jul  5 13:13 public_html/

Note that ~ only allows "other" execute access. This allows apache to
access and serve ~/public_html, but no "other"s can list ~. The +t setting
means files in this directory can only be deleted/renamed by their owners.
The g+s settings are there to ensure files in these directories are group
abo.

Note that ~, ~/log, and ~/public_html are root:abo. The group abo has
read/write access to ~/public_html, but because abo doesn't own it he
can't remove it. The group abo has only read access to ~/log and can't
remove it either.

--
----------------------------------------------------------------------
ABO: finger [EMAIL PROTECTED] for more info, including pgp key
----------------------------------------------------------------------