hi.
i just tested a little bit with acls (grsecurity 1.9)
i want to deny a user from creating (writing) a file in a directory which is writeable for him.
/ {
/ r
...
...
/home rwx
/home/userdir/file r
}
this works fine.
the user can write/edit/read files in "userdir" but isn't able to create/modify/delete "file".
but i want to do this for all users.
i simply set up this acl:
/ {
/ r
...
...
/home rwx
/home/*/file r
}
it seems, that in this statement it isnt possible to drop write privileges in a directory which has read/write privileges.
the way around works: home dir readable only (therefore all sub-directories readable only, in every sub-directory "file" can be made writeable).
Is there a possibility to keep all users from creating modifying some special file in their writeable home-directory without the need of having an object statement for every user-directory?