Getting new files to inherit group permissions on Linux

  • I am having a problem with permissions on a Linux server. I am used to BSD. When a directory is owned by a group that the user who owns it isn't in, such as www-data, files created in it will be owned by that group. This is important because I want files to be readable by the webserver (which I will not run as root) but so a user can still put new files in the directory. I can't put the users in www-data because then they can read every other user's websites.

    I want the webserver to read all websites, I want users to be able to change their own.

    The permissions are set like this on the folders at the moment:

    drwxr-x--- 3 john www-data 4096 Feb 17 21:27 john

    It is standard behavior on BSD for permissions to work this way. How do I get Linux to do this?

    Can you use ACLs?

  • slm (Correct answer, 7 years ago)

    It sounds like you're describing the setgid bit functionality, where a directory that has it set will force any new files created within it to have their group set to the same group that's set on the parent directory.


    $ whoami
    saml
    $ groups
    saml wheel wireshark

    Set up a directory with perms + ownerships:

    $ sudo mkdir --mode=u+rwx,g+rs,g-w,o-rwx somedir
    $ sudo chown saml.apache somedir
    $ ll -d somedir/
    drwxr-s---. 2 saml apache 4096 Feb 17 20:10 somedir/

    Touch a file as saml in this dir:

    $ whoami
    saml
    $ touch somedir/afile
    $ ll somedir/afile 
    -rw-rw-r--. 1 saml apache 0 Feb 17 20:11 somedir/afile

    This will give you approximately what it sounds like you want. If you truly want exactly what you've described though, I think you'll need to resort to Access Control List (ACL) functionality to get that.


    If you want to get a bit more control over the permissions on the files that get created under the directory, somedir, you can add the following ACL rule to set the default permissions like so.


    $ ll -d somedir
    drwxr-s---. 2 saml apache 4096 Feb 17 20:46 somedir

    Set permissions:

    $ sudo setfacl -Rdm g:apache:rx somedir
    $ ll -d somedir/
    drwxr-s---+ 2 saml apache 4096 Feb 17 20:46 somedir/

    Notice the + at the end; that means this directory has ACLs applied to it.

    $ getfacl somedir
    # file: somedir
    # owner: saml
    # group: apache
    # flags: -s-


    $ touch somedir/afile
    $ ll somedir/afile 
    -rw-r-----+ 1 saml apache 0 Feb 17 21:27 somedir/afile
    $ getfacl somedir/afile
    # file: somedir/afile
    # owner: saml
    # group: apache
    group::r-x              #effective:r--
    group:apache:r-x        #effective:r--

    Notice that with the default permissions (setfacl -Rdm) set so that the permissions are (r-x) by default (g:apache:rx), any new files are forced to only have their r bit enabled.
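    The answer's recipe (a setgid directory with a restrictive mode, plus an optional default ACL for the webserver group) wrapped into a few POSIX sh functions with a self-check, as an added example that is not part of slm's answer or the original post. It assumes GNU or busybox coreutils (`stat -c`, `chgrp`, `chmod`) and, only for the ACL step, the `setfacl`/`getfacl` tools from the acl package; the group name, paths and the `umask 027` used for the probe file are illustrative choices.

```shell
#!/bin/sh
# Added example, not code from slm's answer. It wraps the answer's recipe
# (setgid directory, optional default ACL) in three small functions and a
# check that a practitioner can run before handing a directory to a user.
# Assumptions: GNU or busybox coreutils (stat -c, chmod, chgrp), and the
# setfacl/getfacl tools from the acl package only if add_default_acl is used.
# The group name, directory paths and the umask 027 used for the probe file
# are illustrative choices, not values from the original post.

# setup_shared_dir DIR GROUP
# Create DIR as rwxr-s--- (octal 2750): the owner has full access, GROUP can
# list and traverse, everyone else is locked out, and the setgid bit makes
# every new entry inherit GROUP instead of the creator's primary group.
setup_shared_dir() {
    dir=$1
    group=$2
    mkdir -p "$dir" || return 1
    chgrp "$group" "$dir" || return 1   # caller must own DIR and belong to GROUP, or be root
    chmod 2750 "$dir"
}

# add_default_acl DIR GROUP
# Install a default ACL so files created later carry group:GROUP:r-x. The
# effective rights are still limited by the file's mask (a plain create has
# no x bit), which is why new files show up as r-- for the group, as in the
# answer's getfacl output. Returns 2 when the acl tools are not installed.
add_default_acl() {
    dir=$1
    group=$2
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed" >&2; return 2; }
    setfacl -d -m "g:${group}:rx" "$dir"
}

# check_group_inheritance DIR
# Create a probe file the way a user would (with umask 027), then verify:
#   1. the setgid bit is set on DIR,
#   2. the probe inherited DIR's group,
#   3. the group can read the probe.
# Returns 0 when all three hold; the probe is removed either way.
check_group_inheritance() {
    dir=$1
    probe="$dir/.probe.$$"
    [ -g "$dir" ] || { echo "setgid bit not set on $dir" >&2; return 1; }
    ( umask 027; : > "$probe" ) || return 1
    dir_gid=$(stat -c %g "$dir")
    file_gid=$(stat -c %g "$probe")
    perms=$(stat -c %A "$probe")        # e.g. -rw-r-----
    rm -f "$probe"
    [ "$dir_gid" = "$file_gid" ] || { echo "probe got gid $file_gid, directory has $dir_gid" >&2; return 1; }
    case $perms in
        ????r*) return 0 ;;             # fifth character is the group read bit
        *) echo "group cannot read new files: $perms" >&2; return 1 ;;
    esac
}

# Usage, mirroring the question's layout (user john, webserver group www-data):
#   setup_shared_dir /var/www/john www-data
#   add_default_acl /var/www/john www-data     # optional
#   check_group_inheritance /var/www/john && echo "ok"
```

    The check deliberately fails when the setgid bit is missing or when the group cannot read a freshly created file, which are the two ways this setup silently stops doing what the question asks for (the webserver loses read access, or files fall back to the user's primary group).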

    That seems to provide the functionality I wanted, thanks.

    This seems to solve my similar problem, too. However, I don't quite understand the last sentence: "This forces any new files to only have their r bit enabled." Why is the x permission not enabled? Is there a way to enable it by default?

    @yaobin I think it's a security thing, you don't really want to have a file executable by default

    This doesn't work with `unzip`? - look at the man page of `unzip`. Specifically the `-X` switch.

    is that a typo in the chown command in the first example: `sudo chown saml.apache somedir` or is the period equivalent to : in this case (the man page doesn't say it is)?

    @RufusVS - it's equivalent, you can use either.

License under CC-BY-SA with attribution

Content dated before 6/26/2020 9:53 AM