To understand this article you should be familiar with Linux advanced file permissions; otherwise, go through the link below before following this article.
Advanced File Permissions
My Objective:
I have a directory that I want to share with "rw" permissions for a selected group of users. Let's say the directory is /home/project and I want to share it with the group development. What I want is not only that users can access files in /home/project with rw access, but also that every file created in /home/project ends up owned by its creator with group development (username:development) and permissions -rw-rw-r--.
Sharing a directory among users in the same group is one of the essential administration tasks. To let a group of users work on a set of files without compromising security, do the following:
1. Create a common group for these users in /etc/group:
# groupadd development
Check that the group was created:
# tail -1 /etc/group
development:x:501:
2. Add the project administrator user (padmin) and set its password:
# useradd -g development -d /home/project -c "Project Admin" \
-m padmin
# tail -1 /etc/passwd
padmin:x:501:501:Project Admin:/home/project:/bin/bash
# passwd padmin
3. Create separate accounts for the rest of the users, but give them the same home directory. Since /home/project already exists, -m is not needed here.
# useradd -d /home/project/ -g development user1
# passwd user1
Add another user:
# useradd -d /home/project/ -g development user2
# passwd user2
Create as many user accounts as you want.
4. Make sure the home directory and all subdirectories are not owned by any of the ordinary users. Use chown, recursively so that existing subdirectories are covered too, to hand ownership to padmin.
# chown -R padmin:development /home/project/
# ls -ld /home/project/
drwxrwxr-x 18 padmin development 4096 Mar 28 16:18 /home/project/
5. Make the directories group-writable and set their SGID and sticky bits with chmod 3775 (1 for sticky and 2 for SGID, added in front of the 775 mode).
# chmod -R 3775 /home/project/
Note that -R applies 3775 to regular files as well as directories (the .bashrc shown further down ends up as -rwxrwsr-t), which leaves every existing file group-executable with the setgid bit set. If the tree already contains files, limit the 3775 to directories (find with -type d) and give regular files a plain 664.
# ls -ld /home/project/
drwxrwsr-t 18 padmin development 4096 Mar 28 18:22 /home/project/
In this scenario, every user in the group has write permission on the directory and can create files and directories, but can only delete those he owns. The SGID bit ensures that everything created in /home/project gets the group development (so a file created by user1 is owned user1:development), and the sticky bit ensures that only a file's owner (plus the directory owner and root) can delete or rename it.
Note that setting the SGID bit on a directory only affects the group ID of files and subdirectories created after the bit is set; it is not applied to existing entries. Subdirectories that already existed must be given the bit themselves, which is what the -R above does for the whole tree at once.
Can You Inherit File Permissions?
When you create a file or directory under a directory, its default permissions are determined by your umask; files and directories do not inherit the parent directory's permission bits. The only thing inherited is the SGID bit, and only by newly created subdirectories. So even though the shared directory is group-writable, you cannot edit other users' files:
Log in as user1 and create a temp file.
# su - user1
$ touch temp ; ls -l temp
-rw-r--r-- 1 user1 development 0 Mar 28 18:54 temp
Now log in as user2 and try to edit the temp file.
# su - user2
$ cat > temp
-bash: temp: Permission denied
There is no way to inherit permissions from a directory; they are controlled by the process's umask. But there is a way to make files group-writable at creation time: add a umask 002 command to the .bashrc file in the shared home directory (create the file if it does not exist). Because every account created above uses /home/project as its home directory, all of them read this one file at login. Keep in mind what that implies: the recursive chmod left the file group-writable (see the mode below), so any group member can edit it, and whatever they put there runs in every other member's login shell. Owning it as padmin with mode 644 still lets everyone read the umask setting.
# su - padmin
$ ls -l .bashrc
-rwxrwsr-t 1 padmin development 124 Mar 28 13:05 .bashrc
$ cat >> .bashrc
umask 002
Ctrl+d
Now log in as user1 again and create a temp file.
# su - user1
$ touch temp ; ls -l temp
-rw-rw-r-- 1 user1 development 0 Mar 28 19:38 temp
The file is now created group-writable by default.
Note: tell already logged-in users to log out and log in again; the new umask only applies to shells started after the change.
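The following shell script is an added example, not part of the original post: it reproduces the setup steps and the umask behaviour described above in a scratch directory, so you can verify them without root, without a real development group, and without touching /home/project. The tree layout (project/docs/README) and the function names are hypothetical. It goes slightly beyond the post in two ways: unlike chmod -R above it puts 3775 on directories only and 664 on files, and it also shows that the sticky bit, unlike SGID, is not inherited by new subdirectories.

```shell
#!/bin/sh
# Added example (not from the original post). Paths and names are hypothetical;
# it only needs a POSIX sh, ls, find and chmod, and runs as an ordinary user
# because the scratch tree belongs to that user's own primary group.

# setup_shared DIR: build a small tree and apply the post's layout, but with
# 3775 (setgid + sticky + rwxrwxr-x) on directories only and 664 on files,
# so no regular file ends up setgid or group-executable as chmod -R 3775 would leave it.
setup_shared() {
    dir=$1
    mkdir -p "$dir/docs"
    : > "$dir/docs/README"
    find "$dir" -type d -exec chmod 3775 {} +
    find "$dir" -type f -exec chmod 664 {} +
}

# mode PATH: print the ls-style mode string, e.g. drwxrwsr-t
# (the 's' in the group triple is setgid, the 't' at the end is the sticky bit).
mode() {
    ls -ld "$1" | cut -c1-10
}

# create_with_umask DIR UMASK: create one file and one subdirectory under DIR
# with the given umask (set in a subshell so the caller's umask is untouched)
# and print "<file mode> <subdir mode>". Only the umask decides the rwx bits;
# the parent's setgid bit is copied onto the new subdirectory, the sticky bit is not.
create_with_umask() {
    dir=$1
    um=$2
    (
        umask "$um"
        : > "$dir/file_$um"
        mkdir "$dir/dir_$um"
    )
    printf '%s %s\n' "$(mode "$dir/file_$um")" "$(mode "$dir/dir_$um")"
}

# Stand-alone run: set up a scratch tree and show both umasks side by side.
scratch=$(mktemp -d)
setup_shared "$scratch/project"
echo "project:      $(mode "$scratch/project")"
echo "docs/README:  $(mode "$scratch/project/docs/README")"
echo "umask 022 ->  $(create_with_umask "$scratch/project" 022)"
echo "umask 002 ->  $(create_with_umask "$scratch/project" 002)"
rm -rf "$scratch"
```

With umask 022 the new file comes out -rw-r--r-- and the new subdirectory drwxr-sr-x (setgid inherited, sticky bit not); with umask 002 the file is -rw-rw-r--, which is the result the su sessions above show. The file and directory modes differ only because of the umask, which is the whole point of the section.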
Have you thought about using ACLs? They give much finer-grained control over the permissions you can set on files and directories, and a default ACL set on a directory is inherited by new files and subdirectories created in it, which is exactly the per-directory control a umask cannot give you.
To know more about ACLs (Access Control Lists), search for "Linux ACLs" or wait for my next article.
Sunday, March 28, 2010
Posted by venu k
6 comments | 11:26 AM
This is exactly what I was looking for, thank you for taking the time to write it down.
However, one thing I don't understand (and it doesn't work for me): how can the umask of user padmin affect the permissions of user1? Again, I didn't get this to work. I had to change the umask of user1, which is obviously exactly what we're trying to prevent.
Any enlightenment is appreciated.
- Michael
@Michael
What is the home directory of user1?
/home/project
padmin's .bashrc file exists in the /home/project directory, so it affects all users.
I think you have created a different home directory for user1.
This is perfect.
Looking for days!
Everybody who wants to share and edit files together within the same group but still wants some protection against outside users: this is it.
Just keep in mind that if you are using sftp, adding umask 002 to ~/.bashrc does not work.
You need to set the umask in the sshd_config file:
Subsystem sftp /usr/lib/openssh/sftp-server -u 0002
A per-directory control is really needed.
I will see and refer to some information in your post. Thank you.
Nice blog and absolutely outstanding. You can do something much better, but I still say this is perfect. Keep trying for the best...