Allow owner to create & read files, but not modify or delete

You could use bindfs like:

$ ls -ld dir
drwxr-xr-t 2 stephane stephane 4096 Aug 12 12:28 dir/

That directory is owned by stephane, with group stephane (stephane being its only member). Also note the t that prevents users from renaming or removing entries that they don't own.

$ sudo bindfs -u root -p u=rwD,g=r,dg=rwx,o=rD dir dir

We bindfs dir over itself with fixed ownership and permissions for files and directories. All files appear owned by root (though underneath in the real directory they're still owned by stephane).

Directories get drwxrwxr-x root stephane permissions while other types of files get -rw-r--r-- root stephane ones.

$ ls -ld dir
drwxrwxr-t   2 root     stephane   4096 Aug 12 12:28 dir

Now creating a file works because the directory is writeable:

$ echo test > dir/file
$ ls -ld dir/file
-rw-r--r-- 1 root stephane 5 Aug 12 12:29 dir/file

However it's not possible to do a second write open() on that file as we don't have permission on it:

$ echo test > dir/file
zsh: permission denied: dir/file

(note that appending is not allowed there (as not part of your initial requirements)).

A limitation: while you can't remove or rename entries in dir because of the t bit, new directories that you create in there won't have that t bit, so you'll be able to rename or delete entries there.

The chattr +a option will allow appending only. Files may be altered that way, but only by adding (i.e. appending lines) to them. You cannot delete existing files, but create new ones. This might fit your needs:

sudo chattr -R +a /dir/to/apply/to

from man chattr

A file with the `a' attribute set can only be open in append mode for writing. Only the superuser or a process possessing the CAP_LINUX_IMMUTABLE capability can set or clear this attribute.

(note that it applies to directories, too)

So your list would look like:

echo hello > test # succeeds, because test doesn't exist, and creation is allowed
echo hello2 > test # fails, because test already exists, and overwriting is not allowed
echo hello3 >> test # succeeds, because appending is allowed
cat test # succeeds, because reads are allowed
rm test # fails, because delete is not allowed