Getting new files to inherit group permissions on Linux

  • I am having a problem with permissions on a Linux server. I am used to BSD. When a directory is owned by a group that the user who owns it isn't in, such as www-data, files created in it will be owned by that group. This is important because I want files to be readable by the webserver (which I will not run as root) but so a user can still put new files in the directory. I can't put the users in www-data because then they can read every other user's websites.

    I want the webserver to read all websites, I want users to be able to change their own.

    The permissions are set like this on the folders at the moment:

    drwxr-x--- 3 john www-data 4096 Feb 17 21:27 john

    It is standard behavior on BSD for permissions to work this way. How do I get Linux to do this?

    Can you use ACLs?

  • slm (correct answer), 7 years ago

    It sounds like you're describing the setgid bit functionality: when a directory has it set, any new files created within it will have their group set to the same group that's set on the parent directory.

    Example

    $ whoami
    saml
    
    $ groups
    saml wheel wireshark

    Set up a directory with perms + ownerships

    $ sudo mkdir --mode=u+rwx,g+rs,g-w,o-rwx somedir
    $ sudo chown saml.apache somedir
    $ ll -d somedir/
    drwxr-s---. 2 saml apache 4096 Feb 17 20:10 somedir/

    Touch a file as saml in this dir

    $ whoami
    saml
    
    $ touch somedir/afile
    $ ll somedir/afile 
    -rw-rw-r--. 1 saml apache 0 Feb 17 20:11 somedir/afile

    This will give you approximately what it sounds like you want. If you truly want exactly what you've described, though, I think you'll need to resort to Access Control List (ACL) functionality to get that.

    ACLs

    If you want to get a bit more control over the permissions on the files that get created under the directory, somedir, you can add the following ACL rule to set the default permissions like so.

    before

    $ ll -d somedir
    drwxr-s---. 2 saml apache 4096 Feb 17 20:46 somedir

    set permissions

    $ sudo setfacl -Rdm g:apache:rx somedir
    $ ll -d somedir/
    drwxr-s---+ 2 saml apache 4096 Feb 17 20:46 somedir/

    Notice the + at the end; that means this directory has ACLs applied to it.

    $ getfacl somedir
    # file: somedir
    # owner: saml
    # group: apache
    # flags: -s-
    user::rwx
    group::r-x
    other::---
    default:user::rwx
    default:group::r-x
    default:group:apache:r-x
    default:mask::r-x
    default:other::---

    after

    $ touch somedir/afile
    $ ll somedir/afile 
    -rw-r-----+ 1 saml apache 0 Feb 17 21:27 somedir/afile
    $ 
    
    $ getfacl somedir/afile
    # file: somedir/afile
    # owner: saml
    # group: apache
    user::rw-
    group::r-x              #effective:r--
    group:apache:r-x        #effective:r--
    mask::r--
    other::---

    Notice that with the default permissions (setfacl -Rdm) set so that the permissions are r-x by default (g:apache:rx), any new files only have their r bit enabled.

    That seems to provide the functionality I wanted, thanks.

    This seems to solve my similar problem, too. However, I don't quite understand the last sentence: "This forces any new files to only have their r bit enabled." Why is the x permission not enabled? Is there a way to enable it by default?

    @yaobin I think it's a security thing; you don't really want to have a file executable by default.

    This doesn't work with `unzip`?

    @datasn.io - look at the man page of `unzip`. Specifically the `-X` switch.

    Is that a typo in the chown command in the first example: `sudo chown saml.apache somedir`, or is the period equivalent to : in this case (the man page doesn't say it is)?

    @RufusVS - it's equivalent, you can use either.
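The file ACL shown in the answer, and the comment asking why the x bit is missing, both follow from the POSIX.1e default-ACL inheritance rule, which this added Python model reproduces. It is not code from the post; it takes the default entries from the `getfacl somedir` output above as constructed input, and its function names are my own.

```python
# Permission strings use getfacl's three-character rwx form.
def perm_to_bits(p: str) -> int:
    return (4 if "r" in p else 0) | (2 if "w" in p else 0) | (1 if "x" in p else 0)

def bits_to_perm(b: int) -> str:
    return ("r" if b & 4 else "-") + ("w" if b & 2 else "-") + ("x" if b & 1 else "-")

def parse_default_acl(getfacl_text: str) -> dict:
    """Return {entry: bits} for the default: lines of getfacl output."""
    acl = {}
    for line in getfacl_text.splitlines():
        line = line.split("#")[0].strip()          # drop comments / #effective notes
        if line.startswith("default:"):
            entry, perm = line[len("default:"):].rsplit(":", 1)
            acl[entry] = perm_to_bits(perm)         # keys: "user:", "group:apache", "mask:", ...
    return acl

def inherit_access_acl(default_acl: dict, create_mode: int = 0o666) -> dict:
    """Access ACL of a file created with open(2) mode create_mode (touch uses 0666).
    POSIX.1e rule: copy the default ACL, then AND user::, mask:: (or group:: if there is
    no mask) and other:: with the owner/group/other bits of the mode; umask is ignored."""
    acl = dict(default_acl)
    u, g, o = (create_mode >> 6) & 7, (create_mode >> 3) & 7, create_mode & 7
    acl["user:"] &= u
    acl["mask:" if "mask:" in acl else "group:"] &= g   # named entries keep their bits
    acl["other:"] &= o
    return acl

def effective(acl: dict) -> dict:
    """Effective rights per entry, i.e. what getfacl prints in its #effective: column."""
    mask = acl.get("mask:")
    out = {}
    for entry, bits in acl.items():
        masked = mask is not None and entry not in ("user:", "other:", "mask:")
        out[entry] = bits_to_perm(bits & mask if masked else bits)
    return out

def mode_without_default_acl(umask: int, create_mode: int = 0o666) -> str:
    """Plain setgid-only case (no default ACL): the umask is applied to the mode."""
    m = create_mode & ~umask
    return bits_to_perm((m >> 6) & 7) + bits_to_perm((m >> 3) & 7) + bits_to_perm(m & 7)

# Constructed input: the default entries exactly as getfacl somedir printed them above.
SOMEDIR_DEFAULT_ACL = """\
default:user::rwx
default:group::r-x
default:group:apache:r-x
default:mask::r-x
default:other::---
"""
```

`effective(inherit_access_acl(parse_default_acl(SOMEDIR_DEFAULT_ACL)))` reproduces the `getfacl somedir/afile` listing: touch passes mode 0666, which has no x bit, so the inherited mask r-x becomes r-- and every group entry is limited to r. `mode_without_default_acl(0o002)` gives the earlier setgid-only result rw-rw-r--.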

License under CC-BY-SA with attribution


Content dated before 6/26/2020 9:53 AM