This is NOT your standard "how do permissions work" question!
I'm thinking the answer will probably involve ACL, but I don't know how exactly.
I've messed around with standard permissions, guid, sticky bit, etc. Doesn't work.
What I want: User will upload files. User will have the ability to change permissions on files to allow execution. But user will not be able to change the contents of a file once it's created. And user will not be able to delete the file.
Please help! I've been tearing my hair out for hours!
EDIT:
Thanks for the answers but so far they don't seem to address how to have this work automatically for newly-created files.
Possible solution:
find -mtime -1 -exec chattr +i '{}' \+
2nd possible solution:
inotifywait -m -e create --format %f .
Now I just need to figure out how to pipe that to chattr.
You can try to use 'chattr'
Example:
Use attributes
Remove "immutable" flag with
That'll prevent you from changing permissions on the file, though. So you'll need some way to (as root) add execute permission or whatever upon user request. Also, attributes are not added by default; you have to put in something that will do that, too.
I'll leave that bit as an exercise to the reader.
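Putting the inotifywait idea from the question's edit together with this answer's chattr approach, here is an added example (it is not code from the question or from this answer). It assumes Linux with an ext-family filesystem that supports the immutable attribute, inotify-tools installed for inotifywait, and that the script runs as root, since only root (CAP_LINUX_IMMUTABLE) may set or clear the flag. The upload directory comes from a hypothetical UPLOAD_DIR variable.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes:
#   - Linux, ext2/3/4 (or another chattr-capable filesystem)
#   - inotify-tools installed (provides inotifywait)
#   - run as root: only CAP_LINUX_IMMUTABLE may set/clear +i, so the
#     uploading user cannot undo what this script does
# UPLOAD_DIR is a hypothetical path, e.g. /srv/uploads.

# Seal one uploaded file: with +i set, nobody (owner included) can write
# to it, truncate it, rename it, unlink it or chmod it.
seal_upload() {
    # $1 = upload directory, $2 = bare file name reported by inotifywait
    case "$2" in
        */*|.|..) return 1 ;;          # refuse anything that is not a bare name
    esac
    [ -f "$1/$2" ] || return 1         # ignore directories, sockets, gone files
    chattr +i "$1/$2"
}

# Root-side helper for the "user asks for execute permission" case.
# chmod fails on an immutable file, so drop the flag, chmod, re-seal.
grant_exec() {
    chattr -i "$1" && chmod u+x "$1" && chattr +i "$1"
}

# Watch loop. close_write rather than create: on create the file is still
# empty and the uploader has not finished writing, so sealing it there
# would break the upload. moved_to covers clients that write to a temp
# name and rename into place.
watch_uploads() {
    inotifywait -m -q -e close_write -e moved_to --format '%f' "$1" |
    while read -r name; do
        seal_upload "$1" "$name" || echo "skipped: $name" >&2
    done
}

# Usage: sudo UPLOAD_DIR=/srv/uploads sh watch-uploads.sh
if [ -n "${UPLOAD_DIR:-}" ]; then
    watch_uploads "$UPLOAD_DIR"
fi
```

Two caveats a practitioner should keep in mind: there is a small window between close_write and chattr in which the uploader can still modify or delete the file, and anything the user deletes or overwrites before closing it is simply never sealed. chattr +i also blocks chmod for everyone, which is why execute permission has to be granted by root through grant_exec (or an equivalent sudo rule) rather than by the user.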
SELinux might be one way to solve it - associate a unique type with all users that will have this "reduced ability". Set the SELinux policy to allow file creation in this directory for those user types but not modification etc. In theory it should work. See the Gentoo SELinux Tutorial, in particular the piece about:
then check out more on permissions available
Use inotify or another watching mechanism of your choice to find and locate new files in the upload directory and move them into a new directory, for which the initial user has no permissions.
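An added example of the move approach (not the answer's own code). It assumes Linux, inotify-tools and root privileges, and uses hypothetical UPLOAD_DIR and SEALED_DIR paths. It goes slightly beyond the answer as written: the moved files are left readable so the uploader can still run them once root grants execute permission, which is what the question asked for; use mode 0700 on the sealed directory instead if the user should not see them at all, as the answer suggests. The point this relies on is that deleting or renaming a file needs write permission on the directory, not on the file, while changing its contents needs write permission on the file itself, so root-owned 0755 directory plus root-owned 0644 files blocks both without any filesystem attributes.

```shell
#!/bin/sh
# Added example, not from the original page. Assumes Linux, inotify-tools
# and that it runs as root so it can chown files away from the uploader.
# UPLOAD_DIR (user-writable) and SEALED_DIR (root-owned) are hypothetical.

# The uploader cannot unlink or rename anything in a root-owned 0755
# directory, because that needs write permission on the directory.
# Use 0700 if the user should not be able to read the files at all.
prepare_sealed_dir() {
    mkdir -p "$1" && chown root:root "$1" && chmod 0755 "$1"
}

# Move one finished upload into the sealed directory and hand it to root.
# Afterwards the uploader can read it (and execute it once root grants +x)
# but can neither change its contents nor remove it.
seal_by_move() {
    # $1 = upload dir, $2 = bare file name from inotifywait, $3 = sealed dir
    case "$2" in
        */*|.|..) return 1 ;;
    esac
    [ -f "$1/$2" ] || return 1
    [ -e "$3/$2" ] && return 1        # never clobber an earlier sealed file
    mv -- "$1/$2" "$3/$2" &&
    chown root:root "$3/$2" &&
    chmod 0644 "$3/$2"
}

# Root-side helper for "user requests execute permission".
grant_exec() {
    chmod 0755 "$1"
}

# close_write/moved_to rather than create, so a half-written upload is not
# moved out from under the writer. Keep both directories on the same
# filesystem so the mv is an atomic rename rather than copy-then-delete.
watch_uploads() {
    prepare_sealed_dir "$2"
    inotifywait -m -q -e close_write -e moved_to --format '%f' "$1" |
    while read -r name; do
        seal_by_move "$1" "$name" "$2" || echo "skipped: $name" >&2
    done
}

# Usage: sudo UPLOAD_DIR=/srv/uploads SEALED_DIR=/srv/sealed sh seal-uploads.sh
if [ -n "${UPLOAD_DIR:-}" ] && [ -n "${SEALED_DIR:-}" ]; then
    watch_uploads "$UPLOAD_DIR" "$SEALED_DIR"
fi
```

Unlike the chattr variant, this needs no special filesystem support and root can chmod the sealed files directly; the trade-off is that the file's path changes, so whatever consumes the uploads has to look in SEALED_DIR.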