This is on FreeBSD 9.0, where I am a very happy user of a largish (1TB) mirrored ZFS file system. I want to protect some files against accidental modification and deletion by users. On UFS/FFS file systems, that was easily done using the uchg or schg flags.
As we know, ZFS on FreeBSD doesn't support the UFS-style flags. So "chflags uchg /zfs/foo" won't work.
So I tried using ACLs. Posix ACLs only allow control of read, write and execute, so they can't be used to prevent deletion. So we go to NFSv4 style ACLs. I tried the following: "setfacl -m everyone@:wD:deny /zfs/foo". That helps somewhat: it prevents modification of the file (by writing over it). But it does not prevent the file from being deleted (or equivalently renamed away). For some reason, the "D" field in the ACL does not actually prevent deletion of the file. By the way, I also tried the D, W and C flags in the ACL; none of them prevent file deletion.
So, is there a convenient way to prevent files from being deleted? Or am I using the ACLs wrong?
Just for completeness, here is a set of non-options:
- Normal access permissions (the rwx bits) don't prevent deletion (yes, I know they are actually stored as Posix ACLs in ZFS).
- I'm only interested in "doorknob" protection. It's perfectly fine for the user to make a conscious choice that a file no longer needs to be protected. I'm looking for something that prevents accidents like "rm -Rf foo" or "ls > foo" when foo is "valuable".
- Take snapshots, backups, and remote backups. I do all these already. If a file is accidentally modified or deleted, I can get it back. But that is a lot of work; I'm trying to prevent the accident in the first place.
- Making the whole file system readonly, or changing permissions on the enclosing directory to prevent any modification to the directory: The user needs to be able to create and modify other files; just some valuable files ought to be "immutable" or "archived".
- Change ownership of these files to someone else (if necessary to root). First, it requires becoming root (inconvenient). Plus it doesn't prevent deletion of files (a user can delete a file if he owns the directory the file is in, even if the file is owned by someone else).
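The following is an added example, not part of the post or of FreeBSD's code: a simplified model of the decision table in ZFS's zfs_zaccess_delete(), which checks the parent directory first, so a deny entry on the file itself only takes effect once the directory has neither granted delete_child nor write+execute. Assumptions: FreeBSD setfacl entry syntax with d = delete, D = delete_child, w = write_data, x = execute; in-order, first-match-per-bit evaluation; no inheritance and no root privilege override; the sample ACLs are constructed.

```python
# Added example (not from the post): model of how ZFS on FreeBSD decides
# whether a file guarded by NFSv4 ACLs may be deleted. Entries use the
# FreeBSD setfacl form "who:perms[:inherit]:type"; letters assumed:
# d = delete, D = delete_child, w = write_data, x = execute. Root is ignored.

DELETE, DELETE_CHILD, WRITE, EXECUTE = "d", "D", "w", "x"

# Constructed sample ACLs. PARENT_TRIVIAL is the trivial ACL of a 0755 ZFS
# directory; the file ACLs carry the post's deny entry and its lowercase-d variant.
PARENT_TRIVIAL = """\
owner@:rwxp--aARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow
"""
FILE_WD_DENY = "everyone@:wD:deny"            # what the post applied to the file
FILE_D_DENY = "everyone@:d:deny"              # deny of the actual delete bit
PARENT_DENY_DC = "everyone@:D:deny\n" + PARENT_TRIVIAL  # delete_child denied on the directory

def parse_acl(text):
    """Parse ACL lines into (who, set_of_perm_letters, 'allow'|'deny')."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        fields = line.strip().split(":")          # type is always the last field
        entries.append((fields[0], set(fields[1].replace("-", "")), fields[-1]))
    return entries

def decide(acl, who, bit):
    """First entry matching the principal that mentions the bit wins; None if unspecified."""
    for ace_who, perms, typ in acl:
        if ace_who in (who, "everyone@") and bit in perms:
            return typ
    return None

def may_delete(parent_acl, file_acl, who):
    """Decision table of zfs_zaccess_delete(): the directory's verdict dominates."""
    parent, target = decide(parent_acl, who, DELETE_CHILD), decide(file_acl, who, DELETE)
    if parent == "allow" or target == "allow":
        return True      # directory grants delete_child, or file explicitly grants delete
    if parent == "deny":
        return False     # directory denies delete_child and file does not grant delete
    # no delete_child verdict on the directory: plain write+execute on it decides
    return all(decide(parent_acl, who, b) == "allow" for b in (WRITE, EXECUTE))

def poster_scenarios(who="owner@"):
    """Outcomes for the file's owner in a normal directory, as the post reports."""
    normal, denying = parse_acl(PARENT_TRIVIAL), parse_acl(PARENT_DENY_DC)
    return {"file wD:deny": may_delete(normal, parse_acl(FILE_WD_DENY), who),
            "file d:deny": may_delete(normal, parse_acl(FILE_D_DENY), who),
            "dir D:deny": may_delete(denying, parse_acl(FILE_D_DENY), who)}
```

In this model the file-side deny is irrelevant while the owner keeps write and execute on an ordinary directory, and the only ACL that blocks the deletion is a delete_child deny on the directory, which also blocks deleting every other file in it.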