Getting new files to inherit group permissions on Linux
I am having a problem with permissions on a Linux server. I am used to BSD. When a directory is owned by a group that the user who owns it isn't in, such as www-data, files created in it will be owned by that group. This is important because I want files to be readable by the webserver (which I will not run as root) but still allow a user to put new files in the directory. I can't put the users in www-data because then they can read every other user's websites.
I want the webserver to read all websites, I want users to be able to change their own.
The permissions are set like this on the folders at the moment:

```
drwxr-x--- 3 john www-data 4096 Feb 17 21:27 john
```
It is standard behavior on BSD for permissions to work this way. How do I get Linux to do this?
It sounds like you're describing the setgid bit functionality, where a directory that has it set will force any new files created within it to have their group set to the same group that's set on the parent directory.
```
$ whoami
saml
$ groups
saml wheel wireshark
```

Set up a directory with perms + ownerships:

```
$ sudo mkdir --mode=u+rwx,g+rs,g-w,o-rwx somedir
$ sudo chown saml.apache somedir
$ ll -d somedir/
drwxr-s---. 2 saml apache 4096 Feb 17 20:10 somedir/
```

Touch a file as saml in this dir:

```
$ whoami
saml
$ touch somedir/afile
$ ll somedir/afile
-rw-rw-r--. 1 saml apache 0 Feb 17 20:11 somedir/afile
```
This will give you approximately what it sounds like you want. If you truly want exactly what you've described though, I think you'll need to resort to Access Control Lists (ACLs) functionality to get that.
If you want to get a bit more control over the permissions on the files that get created under the directory `somedir`, you can add the following ACL rule to set the default permissions like so.

```
$ ll -d somedir
drwxr-s---. 2 saml apache 4096 Feb 17 20:46 somedir
$ sudo setfacl -Rdm g:apache:rx somedir
$ ll -d somedir/
drwxr-s---+ 2 saml apache 4096 Feb 17 20:46 somedir/
```
The `+` at the end means this directory has ACLs applied to it.
```
$ getfacl somedir
# file: somedir
# owner: saml
# group: apache
# flags: -s-
user::rwx
group::r-x
other::---
default:user::rwx
default:group::r-x
default:group:apache:r-x
default:mask::r-x
default:other::---
```

```
$ touch somedir/afile
$ ll somedir/afile
-rw-r-----+ 1 saml apache 0 Feb 17 21:27 somedir/afile
$
$ getfacl somedir/afile
# file: somedir/afile
# owner: saml
# group: apache
user::rw-
group::r-x              #effective:r--
group:apache:r-x        #effective:r--
mask::r--
other::---
```
Notice with the default permissions (`setfacl -Rdm`) set so that the permissions are `r-x` by default (`g:apache:rx`). This forces any new files to only have their r bit enabled.
This seems to solve my similar problem, too. However, I don't quite understand the last sentence: "This forces any new files to only have their r bit enabled." Why is the x permission not enabled? Is there a way to enable it by default?
@yaobin I think it's a security thing; you don't really want to have a file executable by default.
Is that a typo in the chown command in the first example: `sudo chown saml.apache somedir`, or is the period equivalent to `:` in this case (the man page doesn't say it is)?