Linux add directory to group

Allowing a group Read-Write Access to a directory

I have two users, user1 and user2, that are both members of groupA. user2 has a folder in their home directory called folderA. If they wish to allow read-write-execute permissions for all members of groupA, how would they do this? What if folderA contains many files and additional folders that also need to have read-write-execute permission? Information regarding groups is a little ‘spotty’ across the web, so I am putting my question here in the hope someone posts a clear answer that might help others out too. Thanks!

2 Answers

FolderA will first need to be part of groupA — the folder’s owner or root can perform this operation

Then groupA will need rwx permissions of the folder

There are options in the chgrp and chmod commands to recurse into the directory if required.

I originally tried chown :groupname ./folder and that didn't work — as in it changed the group, but didn’t give any effective permissions

This didn’t work for me either. The folder somehow cannot give write permissions to a group, whatever I have tried.

@pbhj That has not been my experience, although I will admit to not having great depth of experience. I do need to logout/in if I have altered the user or group — the login does not pick up altered permissions until the next login. But altered file and directory permissions work immediately for me.
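Added example (not from the answer or its comments): the recursive case from the question, done with chgrp -R and chmod -R g+rwX plus setgid on directories, with an audit that shows why changing only the group owner grants nothing. The function names and the temporary folderA tree are constructed here, and the caller's primary gid stands in for groupA so the script runs without root.

```shell
#!/bin/sh
# Added example. Group-share a tree with mode bits only, then verify it.
# Assumption: the caller's primary gid stands in for groupA so no root is needed.

# share_tree DIR GID: what the question asks for, applied recursively
share_tree() {
    chgrp -R "$2" "$1" || return 1
    # g+rwX: rw everywhere, x only on directories (and already-executable files)
    chmod -R g+rwX "$1" || return 1
    # setgid on directories so entries created later inherit the group
    find "$1" -type d -exec chmod g+s {} +
}

# audit_tree DIR GID: list entries the group still cannot fully use
# (wrong owning group, missing g+rw, or a directory without g+x and setgid)
audit_tree() {
    find "$1" -exec stat -c '%g %A %n' {} + | awk -v g="$2" '
        $1 != g                                            { print; next }
        substr($2, 5, 2) != "rw"                           { print; next }
        substr($2, 1, 1) == "d" && substr($2, 7, 1) != "s" { print }'
}

# demo: build a private tree (constructed sample), change only the group,
# audit, then apply share_tree and audit again
demo() {
    top=$(mktemp -d) || return 1
    gid=$(id -g)
    mkdir -p "$top/folderA/sub/deeper"
    touch "$top/folderA/a.txt" "$top/folderA/sub/b.txt"
    chmod -R go-rwx "$top/folderA"
    chgrp -R "$gid" "$top/folderA"          # group changed, mode bits untouched
    before=$(audit_tree "$top/folderA" "$gid" | wc -l | tr -d ' ')
    share_tree "$top/folderA" "$gid"
    after=$(audit_tree "$top/folderA" "$gid" | wc -l | tr -d ' ')
    echo "$before $after $(stat -c %A "$top/folderA/sub") $(stat -c %A "$top/folderA/a.txt")"
    rm -rf "$top"
}

demo   # prints: 5 0 drwxrws--- -rw-rw----
```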

My own experience in this area here. Tested on Ubuntu 18.04.

Allow to write in the system folder

Give write permission to /etc/nginx/ folder.

    # Check that the 'webmasters' group doesn't exist
    cat /etc/group | grep webmasters

    # Create 'webmasters' group
    sudo addgroup webmasters

    # Add users to 'webmasters' group
    sudo usermod -a -G webmasters username
    sudo usermod -a -G webmasters vozman
    sudo usermod -a -G webmasters romanroskach

    # Group assignment changes won't take effect
    # until the users log out and back in.

    # Create directory
    sudo mkdir /etc/nginx/

    # Check directory permissions
    ls -al /etc | grep nginx
    drwxr-xr-x 2 root root 4096 Dec 5 18:30 nginx

    # Change group owner of the directory
    sudo chgrp -R webmasters /etc/nginx/

    # Check that the group owner is changed
    ls -al /etc | grep nginx
    drwxr-xr-x 2 root webmasters 4096 Dec 5 18:30 nginx

    # Give write permission to the group
    sudo chmod -R g+w /etc/nginx/

    # Check
    ls -al /etc | grep nginx
    drwxrwxr-x 2 root webmasters 4096 Dec 5 18:30 nginx

    # Try to create file
    sudo -u username touch /etc/nginx/test.txt  # should work
    sudo -u username touch /etc/test.txt        # Permission denied

Give write permission to /etc/systemd/system/ folder.

    # List ACLs
    getfacl /etc/systemd/system
    getfacl: Removing leading '/' from absolute path names
    # file: etc/systemd/system
    # owner: root
    # group: root
    user::rwx
    group::r-x
    other::r-x

    # Add 'webmasters' group to an ACL
    sudo setfacl -m g:webmasters:rwx /etc/systemd/system

    # Check
    getfacl /etc/systemd/system
    getfacl: Removing leading '/' from absolute path names
    # file: etc/systemd/system
    # owner: root
    # group: root
    user::rwx
    group::r-x
    group:webmasters:rwx
    mask::rwx
    other::r-x

    sudo -u username touch /etc/systemd/system/test.txt  # should work
    sudo -u username touch /etc/systemd/test.txt         # Permission denied

Users and groups

Users and groups are used on GNU/Linux for access control—that is, to control access to the system’s files, directories, and peripherals. Linux offers relatively simple/coarse access control mechanisms by default. For more advanced options, see ACL, Capabilities and PAM#Configuration How-Tos.

Overview

A user is anyone who uses a computer. In this case, we are describing the names which represent those users. It may be Mary or Bill, and they may use the names Dragonlady or Pirate in place of their real name. All that matters is that the computer has a name for each account it creates, and it is this name by which a person gains access to use the computer. Some system services also run using restricted or privileged user accounts.

Managing users is done for the purpose of security by limiting access in certain specific ways. The superuser (root) has complete access to the operating system and its configuration; it is intended for administrative use only. Unprivileged users can use several programs for controlled privilege elevation.

Any individual may have more than one account as long as they use a different name for each account they create. Further, there are some reserved names which may not be used such as "root".

Users may be grouped together into a "group", and users may be added to an existing group to utilize the privileged access it grants.

Note: The beginner should use these tools carefully and stay away from having anything to do with any other existing user account, other than their own.


Permissions and ownership

The UNIX operating system crystallizes a couple of unifying ideas and concepts that shaped its design, user interface, culture and evolution. One of the most important of these is probably the mantra: "everything is a file," widely regarded as one of the defining points of UNIX. This key design principle consists of providing a unified paradigm for accessing a wide range of input/output resources: documents, directories, hard-drives, CD-ROMs, modems, keyboards, printers, monitors, terminals and even some inter-process and network communications. The trick is to provide a common abstraction for all of these resources, each of which the UNIX fathers called a "file." Since every "file" is exposed through the same API, you can use the same set of basic commands to read/write to a disk, keyboard, document or network device.

A fundamental and very powerful, consistent abstraction provided in UNIX and compatible operating systems is the file abstraction. Many OS services and device interfaces are implemented to provide a file or file system metaphor to applications. This enables new uses for, and greatly increases the power of, existing applications — simple tools designed with specific uses in mind can, with UNIX file abstractions, be used in novel ways. A simple tool, such as cat, designed to read one or more files and output the contents to standard output, can be used to read from I/O devices through special device files, typically found under the /dev directory. On many systems, audio recording and playback can be done simply with the commands, "cat /dev/audio > myfile" and "cat myfile > /dev/audio," respectively.

Every file on a GNU/Linux system is owned by a user and a group. In addition, there are three types of access permissions: read, write, and execute. Different access permissions can be applied to a file’s owning user, owning group, and others (those without ownership). One can determine a file’s owners and permissions by viewing the long listing format of the ls command:

    total 13740
    drwxr-xr-x 2 root root 4096 Jan 12 00:33 grub
    -rw-r--r-- 1 root root 8570335 Jan 12 00:33 initramfs-linux-fallback.img
    -rw-r--r-- 1 root root 1821573 Jan 12 00:31 initramfs-linux.img
    -rw-r--r-- 1 root root 1457315 Jan 8 08:19 System.map26
    -rw-r--r-- 1 root root 2209920 Jan 8 08:19 vmlinuz-linux

The first column displays the file’s permissions (for example, the file initramfs-linux.img has permissions -rw-r--r-- ). The third and fourth columns display the file’s owning user and group, respectively. In this example, all files are owned by the root user and the root group.

    total 16
    drwxrwx--- 1 root vboxsf 16384 Jan 29 11:02 sf_Shared

In this example, the sf_Shared directory is owned by the root user and the vboxsf group. It is also possible to determine a file’s owners and permissions using the stat command:


Linux directory permissions for different groups

The same for the other users. Under "dan" I have no permissions over the "private" directory, although "dan" is a member of the "priv" group.

4 Answers

Well, I know this is relatively old, but twalberg is correct: there’s actually a relatively easy way to accomplish this with POSIX ACL’s. They’ve existed since the late 90’s/early 2000’s so I don’t know why more people don’t use them.

How to do it: Do as you’ve already done, then simply execute this command:

# setfacl -m g:god:rwx public private 

and in one command you get what you’re wanting. You’ll spend forever trying to figure out how to do it using ONLY traditional unix permissions.

Mikic’s advice may still be good (depending on what you’re trying to accomplish), and it might be more straightforward to reference as few groups as possible in your permissions (or maybe you want it to be apparent that "chris" isn’t a regular user, but an administrative one, again it depends on what you want to construct).

I offered something closer to what you’re trying to accomplish, because there may be situations where you’re trying to give a secondary user/group access to a directory but you don’t want to choose between "chris" not getting access to these two directories and "chris" getting access to all those other files and directories "pub" and "priv" might have access to. With ACL’s you don’t have to make those choices, which is why they were added and are now a core part of most Unix (and BSD and Linux) platforms.
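Added example (not part of either answer): both the setfacl -m g:webmasters:rwx answer and the setfacl -m g:god:rwx answer above add a named group entry, and what that group actually gets is its entry filtered by the mask:: line that getfacl prints. The function names are constructed here; the first sample is the getfacl output quoted earlier on this page, and the second is a constructed variant showing the mask a later chmod g-w would leave behind.

```shell
#!/bin/sh
# Added example. Read getfacl text on stdin and report the rights a group
# really has: its ACL entry with every bit the mask does not allow removed.

# effective_acl GROUP: pass "" for the owning group (the group:: entry)
effective_acl() {
    awk -F: -v g="$1" '
        /^#/ || NF < 3           { next }          # header comments, blank lines
        { sub(/[ \t]*#.*/, "", $3) }               # drop "#effective:" remarks
        $1 == "mask"             { mask = $3 }
        $1 == "group" && $2 == g { entry = $3; found = 1 }
        END {
            if (!found) { print "no-entry"; exit }
            if (mask == "") mask = "rwx"           # no mask line: nothing filtered
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(entry, i, 1)
                out = out ((c != "-" && substr(mask, i, 1) == c) ? c : "-")
            }
            print out
        }'
}

# getfacl output as quoted in the second answer on this page
acl_from_page() {
    cat <<'EOF'
# file: etc/systemd/system
# owner: root
# group: root
user::rwx
group::r-x
group:webmasters:rwx
mask::rwx
other::r-x
EOF
}

# Constructed variant: on a path that has an ACL, chmod g-w edits the mask,
# not the group:: entry, so the named entry stays rwx but loses w in effect
acl_after_chmod() { acl_from_page | sed 's/^mask::rwx/mask::r-x/'; }

acl_from_page   | effective_acl webmasters   # rwx
acl_after_chmod | effective_acl webmasters   # r-x
```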
