Ubuntu – How to make a write-only view of a folder

filesystem, permissions

I want to have a place on the filesystem that presents a write-only "view" of another folder that I have read-write access to.

I'm picturing something that's similar in behavior to an FTP drop box, where files can be copied into it but not read out of it, e.g.:

$ ls read-write-view/ write-only-view/
read-write-view/:
a  b  c

write-only-view/:

$ cp d write-only-view/
$ ls read-write-view/ write-only-view/
read-write-view/:
a  b  c  d

write-only-view/:

It's important that this works as in the example — the contents are still visible when accessed through read-write-view/, and both "views" are functional for a single user.

How can I set something like this up? Some clever arrangement of symbolic links, perhaps? Or an unusual configuration of a bind mount?

Best Answer

I asked this same question for student drop boxes on the samba mailing list a few years back (http://lists.samba.org/archive/samba/2008-September/143610.html) and the answer has worked for us. You need extended ACL attributes on your filesystem (from the acl package). Here's Jeremy Allison's answer:

Ok, the problem is that students need to be able to read the containing directory in order to be able to drag and drop new files there. The reason is that Samba needs to be able to scan the directory on their behalf in order to do case insensitive lookups.

But so long as you don't mind allowing the students to see the names of each other's files, you can set up a DropBox so that students can write into it (and their own files) but not edit or see others' files.

Firstly, you want to make sure that files created in the DropBox directory are not owned by the student's primary group, but by the group owner of the DropBox directory. So:

chgrp teachers DropBox

to make it owned by the teachers group. Then set the setgid bit on the DropBox directory to make sure that files created within there have an owning group of teachers.

chmod g+s DropBox

Then ensure that a file in DropBox can be renamed or deleted by only the owner of the file, or by the owner of the directory, or by root (same permissions that /tmp has).

chmod +t DropBox

Then allow students to write into the directory by adding an ACL:

setfacl -m g:students:rwx DropBox

So long as the default ACL is set so that "others" have no permissions, files written by a student into that directory will be owned by themselves but will have an owning group of "teachers", and students will not be able to read each other's files.

If you need to cause the files to be owned by the owner of the directory, not by the students who created them, you need to set up a separate share as described above, but then add the share level parameter:

inherit owner = yes

which will cause files created within the directories in that share to be owned by the containing directory, not the creating owner.
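
A way to check that a directory actually ends up with the properties the steps above set (setgid, sticky bit, no access for "others", the group ACL entry), and to spot files inside it that are still world-accessible. This is an added example, not part of the original answer or the mailing-list post; the function names, the demo path and the file name are assumptions, and it relies on GNU stat and find as shipped on Ubuntu.

```shell
#!/bin/sh
# Added example (not from the original answer): audit a drop-box directory.
# Function names and demo paths are hypothetical; needs GNU stat/find.

# check_dropbox DIR [WRITER_GROUP]
# Prints one line per failed check; returns 0 only if every check passes.
check_dropbox() {
    cd_dir=$1; cd_grp=${2:-}; cd_rc=0
    [ -d "$cd_dir" ] || { echo "FAIL: $cd_dir is not a directory"; return 2; }
    cd_mode=$(stat -c '%a' "$cd_dir") || return 2   # octal string, e.g. 3770
    cd_perm=$((0$cd_mode))                           # parse it as an octal number

    # chmod g+s: new files take the directory's owning group
    [ $((cd_perm & 02000)) -ne 0 ] || { echo "FAIL: setgid bit not set"; cd_rc=1; }
    # chmod +t: only the file owner, the directory owner or root may rename/delete
    [ $((cd_perm & 01000)) -ne 0 ] || { echo "FAIL: sticky bit not set"; cd_rc=1; }
    # "others" must have no permissions on the directory itself
    [ $((cd_perm & 0007)) -eq 0 ] || { echo "FAIL: others have access ($cd_mode)"; cd_rc=1; }

    # setfacl -m g:GROUP:rwx: checked only when a group is named and getfacl exists
    if [ -n "$cd_grp" ]; then
        if command -v getfacl >/dev/null 2>&1; then
            getfacl -cpE "$cd_dir" 2>/dev/null | grep -q "^group:$cd_grp:rwx" ||
                { echo "FAIL: no rwx ACL entry for group $cd_grp"; cd_rc=1; }
        else
            echo "SKIP: getfacl not installed, ACL entry not checked"
        fi
    fi
    return $cd_rc
}

# leaky_files DIR: list entries inside DIR that grant any permission to "others"
leaky_files() {
    find "$1" -mindepth 1 ! -type l \( -perm -004 -o -perm -002 -o -perm -001 \)
}

# Constructed demo in a throwaway directory (no root or real groups needed)
demo=$(mktemp -d)
mkdir "$demo/DropBox" && chmod 3770 "$demo/DropBox"
: > "$demo/DropBox/essay.txt" && chmod 644 "$demo/DropBox/essay.txt"
check_dropbox "$demo/DropBox" && echo "directory mode OK"
echo "world-accessible files:"; leaky_files "$demo/DropBox"
rm -rf "$demo"
```

On a real share, pass the writer group as the second argument, for example `check_dropbox DropBox students`, so the ACL entry is checked as well.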