Is there any way to prevent deletion of certain files from user owned directory?

Let’s say a user has Directory1 and it contains File1, File2 and CantBeDeletedFile.
How can I make it so the user would never be allowed to delete CantBeDeletedFile?

If I change the ownership of Directory1 and remove write permissions, users wouldn’t be able to delete any file. They also wouldn’t be able to add new files, etc.

I just want to be able to set some files which would never be deleted.

More specific description.

I am creating user profiles. I am creating application launcher files on their Desktop. So I want to set some launcher files (.desktop) and make them so the user can only launch them; they couldn’t rename or delete them, just launch.

Currently, if the user owns the directory which contains a file, he can delete it.

If there is no generic way for all *nix, it’s Linux and an ext4 FS.

Solutions:


Solution 1

Make the file immutable with the i attribute.

chattr +i file.desktop

See man chattr for more information.

Solution 2

(I dislike intruding on users’ homes; I think they should be allowed to do whatever they want to do with their homes… but anyway…)

This should work on Linux (at least). I’m assuming the user is already a member of the group user.
A solution is to change ownership of Directory1 and set the sticky bit on the directory:

chown root:user Directory1
chmod 1775 Directory1

Then use:

chown root Directory1/CantBeDeletedFile

Now, user won’t be able to remove this file due to the sticky bit¹. The user is still able to add/remove their own files in Directory1. But notice that they won’t be able to delete Directory1 because it will never be emptied.
1. When the sticky bit is enabled on a directory, users (other than the owner) can only remove their own files inside a directory. This is used on directories like /tmp whose permissions are 1777=rwxrwxrwt.
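As an added example (not part of solution 1 or solution 2 above), the following script encodes the unlink rules that both answers rely on: the immutable attribute from chattr +i blocks deletion outright, and a root-owned sticky directory lets a user delete only files they own. The check_path helper is an assumption of this example: it needs GNU stat and lsattr from e2fsprogs, as found on a Linux/ext4 system.

```shell
#!/bin/sh
# Added example, not from the original answers. Models the unlink(2) rules
# that make solutions 1 and 2 work, then applies them to a real path.
# Inputs: uid, directory mode in octal (e.g. 1775), directory owner uid,
# file owner uid, in_group (1 if uid is in the directory's group), immutable
# (1 if the file carries the chattr +i attribute). Prints "yes" or "no".
can_unlink() {
    uid=$1 dmode=$2 duid=$3 fuid=$4 in_group=$5 immutable=$6
    # An immutable file cannot be unlinked by anyone, root included.
    if [ "$immutable" -eq 1 ]; then echo no; return 0; fi
    # Root bypasses the permission and sticky-bit checks below.
    if [ "$uid" -eq 0 ]; then echo yes; return 0; fi
    m=$(printf '%d' "0$dmode")          # octal string to integer
    sticky=$(( (m >> 9) & 1 ))
    if [ "$uid" -eq "$duid" ]; then bits=$(( (m >> 6) & 7 ))
    elif [ "$in_group" -eq 1 ]; then bits=$(( (m >> 3) & 7 ))
    else bits=$(( m & 7 )); fi
    # Removing an entry needs write (2) and search (1) on the directory.
    if [ $(( bits & 3 )) -ne 3 ]; then echo no; return 0; fi
    # With the sticky bit set, the caller must own the file or the directory.
    if [ "$sticky" -eq 1 ] && [ "$uid" -ne "$fuid" ] && [ "$uid" -ne "$duid" ]; then
        echo no; return 0
    fi
    echo yes
}

# Gathers the inputs for a real file. Assumes GNU stat and lsattr from
# e2fsprogs (Linux, ext4); lsattr prints the flag string in its first field.
check_path() {
    f=$1; d=$(dirname "$f"); me=$(id -u); dgid=$(stat -c %g "$d")
    grp=0; for g in $(id -G); do if [ "$g" -eq "$dgid" ]; then grp=1; fi; done
    imm=0
    if lsattr -d "$f" 2>/dev/null | cut -d' ' -f1 | grep -q i; then imm=1; fi
    can_unlink "$me" "$(stat -c %a "$d")" "$(stat -c %u "$d")" \
               "$(stat -c %u "$f")" "$grp" "$imm"
}

# Usage: check_path /home/alice/Desktop/launcher.desktop   (path is hypothetical)
```

Running check_path against a launcher inside a 1775 root:user Desktop directory prints "no" for the user while files the user created there still print "yes".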

Solution 3

I don’t think there is a way to prevent deletion of an individual file with Unix file permissions, but I can think of a workaround: write a daemon that replaces it when it is removed. inotify-tools is perfect for this sort of thing if you’re on Linux.

There are a few ways you can replace the deleted item: copy a new one in place, or keep the real file in a safe place and just copy a link into the user’s directory. For the link, you can either use a symlink or a hard link. I’d start with a symlink, but some (very few) programs don’t handle symlinks correctly. If you find that the user encounters a program like this, use a hard link instead.

Solution 4

A simple

chmod -w filename

will kinda “protect” that file from deletion.

rm filename
rm: remove write-protected regular file 'filename'?

You can still delete it, but at least you must be sure enough about what you’re doing.


All methods were sourced from stackoverflow.com or stackexchange.com and are licensed under CC BY-SA 2.5, CC BY-SA 3.0 and CC BY-SA 4.0.
