Advanced file permissions

Q I would like to share files in a particular directory between certain (local) users. Those users should have read/write access to these files. I would like to leave the umask set at 022 for default permissions on all other files. I can create a group and set the permissions on the files in the shared directory to 660 with the group set correctly, but that doesn't solve the problem for new files, which may be created by any user. Not all the users have Linux savvy, and anyway it feels unnecessary to have to change groups and permissions by hand every time. One option would be to write a daemon to watch for new files and change permissions. Is there a better way, and has anyone done it already to save me the coding practice?

A You have discovered one of the limits of standard Linux file permissions. You could setgid the directory, meaning that any member of its group could create files in it, but they would still be writable only by the user that created them. The answer lies in ACLs (Access Control Lists) which provide much finer control over file permissions. There are three prerequisites to using ACLs. First, your kernel must include ACL support for the filesystem you are using (standard distro kernels will already have this). Then you need to mount the filesystem with ACLs enabled, by editing etc/fstab and adding acl to the list of options, for example by changing

/dev/sda5 /home ext3 defaults,noatime 0 0

to

/dev/sda5 /home ext3 defaults,noatime,acl 0 0

and either remounting the filesystem with

mount /home -o remount

or rebooting. This step is not necessary if you use XFS, as it has ACL support by default, but if you use ext2/3 or ReiserFS you'll need to change fstab and force a remount. Finally, install the acl package, which includes the userspace tools used to control ACLs. Now you can add the users to the same group, say, 'project', and set things up like this

mkdir shared
chmod 2775 shared
setfacl -m default:group:project:rwx shared

As long as your user has full write permissions in the directory where you do this, you do not need to be root. This creates the directory and makes it group-writable and executable. The last line does the clever stuff, setting a default access rule for the directory that all files have rwx permissions for all members of the project group. A default rule applies to all new files, so you need to issue this before you place any files in the directory. Or you can set existing files with

setfacl -R -m group:project:rwx shared

This has no default parameter, but -R makes it recurse over all existing files and directories. You can also set access controls for individual users, like

setfacl -m default:user:fred:r-x shared

which gives this user read-only permissions. While you are experimenting with setting ACLs, you will find these commands useful

getfacl shared
setfacl -x default:user:fred shared

The first lists the ACLs for a file or directory, the second removes them. The syntax for -x is the same as -m, except that you don't give the permissions.

Follow us on Identi.ca or Twitter

Username:   Password:
Create Account | About TuxRadar