How to Set Directory Perms: Can Create, But Cannot Delete?

[raindog308]

Is there a way to create a directory such that users can create files, but once created, the files are immutable by non-root? chflags seems to almost but not quite support this.

Here is what I'm trying to do:

system A: a web server
system B: a backup server

Nightly, system A sends its backups to system B via scp or sftp (using a non-privileged user's credentials). Once on system B, the files cannot be modified or delete by that user. If system A is every compromised, the attacker can't nuke the backups as well. The files are available to be scp/sftp'd back to system A if needed. Periodically, a job on system B tidies the directory by removing old backups.

Of course, there are other approaches: I could run the backups at 1am and then have a cron job on system B that moves them to an inaccessible place at 2am, or changes permissions on them, etc. I don't know if OpenBSD has support for directory-watching notify hooks which may be another avenue.

But first I was going for simple...is there was a way to accomplish this with chflags?

I tried this (OpenBSD 5.6):

Code:

# mkdir /tmp/example
# chmod 1777 /tmp/example
# chflags uappnd /tmp/example

However:

Code:

$ cd /tmp/example
$ cp /some/big/file.txt .
$ cp /dev/null ./file.txt
$ cp /some/other/big/file.txt file.txt
$

All of these cp(1) commands succeed. In other words, the file can be over-written which defeats what I'm trying to do.

And setting uchg on the directory appears to make the directory itself unchangeable, which means new files can't be created.

[J65nko]

You could configure the backup system B to initiate the backup scp connection to system A.

Then you protect the backup system by only allowing outgoing backup connections with pf.

The sshd(8) gives an example of an authorized_keys file entry that limits an incoming SSH connection to only run a single command:

Code:

        command="dump /home",no-pty,no-port-forwarding ssh-dss
        AAAAC3...51R== example.net

[raindog308]

Interesting...one of the reasons I'm not wild about the backup server initiating backups is that then there is nice set of ssh keys with access to all the clients in one place. I hadn't thought of that method of limiting what one could do with those keys.

So in this example, I'd do something like this:

Code:

ssh -i /root/.ssh/some-key root@some.example.com 'dump -0f - /somedir' > /backups/clever-naming-scheme-0.dump

Or tar, etc.

Tested and it works. Nice. Thanks.