Create an undeletable file in Leopard

nathaniel · #1 August 13th, 2008, 09:55 AM

I have an encrypted diskimage.sparseimage that I made to contain sensitive financial data. It is read/write so I can update it with constantly changing information, which means "locking" it doesn't do me much good.

Being encrypted it's relatively safe, except for the fact that it's easily deletable. That doesn't do me much good.

How can I make this file undeletable in OS X.5.4 yet maintain its ability to be written to? There is only one account on the system but occasionally others use the machine, and I'd rather not delete it accidentally myself.

I would much prefer this solution use Leopard itself, terminal or system GUI, rather than extra software.

nixgeek · #2 August 13th, 2008, 10:04 AM

Best thing would be to create a guest account for others to use. It's of no use if you're encrypting your files and allowing others to use your account. Password protect your account and create a guest account for everyone else, that way your files will stay protected from deletion by the default permissions set.

nathaniel · #3 August 13th, 2008, 10:20 AM

Is there no way to at least make it so the file cannot be deleted without administrator password?

ElDiabloConCaca · #4 August 13th, 2008, 10:41 AM

You could effectively change permissions on the file, but I don't know whether this would prevent it from actually being put into the trash. One pitfall of this is that you may not be able to mount the disk image without jumping through hoops, like perhaps mounting the image from the terminal with the "sudo" command.

...but nixgeek's got the best solution: Mac OS X is set up to be a multi-user operating system, and each unique user is meant to have their own user account. Allowing multiple people to share one account (and an "administrator" account at that! Gasp!) is counter-intuitive to the way the operating system is meant to be used.

To keep your files untouchable by other users, the correct, most efficient, and easiest solution is to use the multi-user environment as it was intended, and have each user have their own user account. That way, your files are your files and cannot be touched by others, and vice-versa. Trying to simulate a multi-user environment with only a single user will lead to frustration and issues like the one you describe. Kind of like multiple people trying to drive the same car at once -- fighting over the steering wheel, people pushing the brakes when you're trying to accelerate, changing the pre-set radio stations when you're not looking, etc... i.e., nothing but frustration and clashes.

While I realize you probably have your setup the way you do for a reason, I do highly suggest you try out the multi-user approach.

nathaniel · #5 August 13th, 2008, 11:11 AM

Thanks very much. I'll just be sure to back it up. I was just hoping there was a possibility with ACL or something.

I'll have to do some consideration of a guest account.

bbloke · #6 August 13th, 2008, 12:26 PM

Quote:

Originally Posted by nathaniel

Thanks very much. I'll just be sure to back it up. I was just hoping there was a possibility with ACL or something.

Actually, is this not possible? I thought ACLs could be used for this sort of purpose. That is: so you could potentially create a file that multiple user accounts have read/write access to, but which cannot be deleted by those users.

At this very moment, I'm away from my OS X systems and my UNIX knowledge is slowly going rusty, so you'll have to bear with me a bit! Apple has an online man page for chmod which describes the usage of ACLs. You may be able to use...

chmod +a "[user or group] deny delete" [file]

...syntax to get the result you are after.

Also, you could have a look at A. P. Lawrence's page on ACLs under OS X. I'm open to being wrong here, but I suspect this route might be worth looking into in more detail.

nixgeek · #7 August 13th, 2008, 12:47 PM

Quote:

Originally Posted by bbloke

Actually, is this not possible? I thought ACLs could be used for this sort of purpose. That is: so you could potentially create a file that multiple user accounts have read/write access to, but which cannot be deleted by those users.

At this very moment, I'm away from my OS X systems and my UNIX knowledge is slowly going rusty, so you'll have to bear with me a bit! Apple has an online man page for chmod which describes the usage of ACLs. You may be able to use...

chmod +a "[user or group] deny delete" [file]

...syntax to get the result you are after.

Also, you could have a look at A. P. Lawrence's page on ACLs under OS X. I'm open to being wrong here, but I suspect this route might be worth looking into in more detail.

I would imagine so, but if they're logged in with his account wouldn't this be moot?

bbloke · #8 August 13th, 2008, 12:59 PM

Quote:

Originally Posted by nixgeek

I would imagine so, but if they're logged in with his account wouldn't this be moot?

Oh, sure, but I was referring to this method in addition to adopting a multi-user approach, as you and ElDiabloConCaca have described!

Anyway, even if it is a case of one file being accessed through only one account, nathaniel also seemed worried about deleting the file (accidentally) himself. Using ACLs should be able to prevent that too by using "deny delete."

The Following User Says Thank You to nixgeek For This Useful Post:
nathaniel (August 13th, 2008)

The Following User Says Thank You to ElDiabloConCaca For This Useful Post:
nathaniel (August 13th, 2008)