Now, here is the rub: the asterisk user will not be able to delete a file it doesn’t have write permissions to directly, even if ‘self inflicted’, but because it is the owner of said file, it can, but only after the kernel sends it an ‘exception’ it chooses to accept. Hopefully the HTTP code will not be able to bypass that, but if it does, you will need to either change the ownership away from the asterisk user, or make it immutable but leave the readable permission to the asterisk group/user. Both of these require ‘privilege escalation’, which you can’t do in the post-recording script.
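A small check of the two points above, as an added example that is not part of the original post: clearing the write bits does not stop the owning user from removing a file, and setting the immutable flag is refused without privilege. The temporary directory and the `recording.wav` name are constructed for the demonstration; nothing under the Asterisk spool is touched.

```shell
#!/bin/sh
# Added example: run it as the unprivileged user in question (e.g. asterisk).

# Case 1: a file the caller owns, with every write bit cleared.
# Prints "removed" if the owner could still delete it, otherwise "kept".
owner_can_remove_readonly() (
    d=$(mktemp -d) || exit 1
    f="$d/recording.wav"          # constructed sample file
    printf 'sample' > "$f"
    chmod 0444 "$f"               # read-only for owner, group and others
    # On a terminal, plain rm asks before removing a write-protected file;
    # -f answers that prompt. Unlinking itself is decided by write access to
    # the containing directory, which the owner still has here.
    rm -f "$f" 2>/dev/null
    if [ -e "$f" ]; then echo kept; else echo removed; fi
    rm -rf "$d"
)

# Case 2: try to set the immutable flag without privilege.
# Prints "denied" when chattr +i is refused, "applied" if it unexpectedly
# worked, and "skipped" when run as root or when chattr is not installed.
immutable_needs_privilege() (
    if [ "$(id -u)" -eq 0 ] || ! command -v chattr >/dev/null 2>&1; then
        echo skipped
        exit 0
    fi
    d=$(mktemp -d) || exit 1
    f="$d/recording.wav"
    printf 'sample' > "$f"
    if chattr +i "$f" 2>/dev/null; then
        chattr -i "$f" 2>/dev/null   # undo so the cleanup below can succeed
        out=applied
    else
        out=denied
    fi
    rm -rf "$d"
    echo "$out"
)

echo "read-only file owned by caller: $(owner_can_remove_readonly)"
echo "chattr +i as unprivileged user: $(immutable_needs_privilege)"
```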