Linux file default group

Users and groups

Users and groups are used on GNU/Linux for access control—that is, to control access to the system’s files, directories, and peripherals. Linux offers relatively simple/coarse access control mechanisms by default. For more advanced options, see ACL, Capabilities and PAM#Configuration How-Tos.

Overview

A user is anyone who uses a computer. In this case, we are describing the names which represent those users. It may be Mary or Bill, and they may use the names Dragonlady or Pirate in place of their real name. All that matters is that the computer has a name for each account it creates, and it is this name by which a person gains access to use the computer. Some system services also run using restricted or privileged user accounts.

Managing users is done for the purpose of security by limiting access in certain specific ways. The superuser (root) has complete access to the operating system and its configuration; it is intended for administrative use only. Unprivileged users can use several programs for controlled privilege elevation.

Any individual may have more than one account as long as they use a different name for each account they create. Further, there are some reserved names which may not be used such as "root".

Users may be grouped together into a "group", and users may be added to an existing group to utilize the privileged access it grants.

Note: The beginner should use these tools carefully and stay away from having anything to do with any other existing user account, other than their own.

Permissions and ownership

The UNIX operating system crystallizes a couple of unifying ideas and concepts that shaped its design, user interface, culture and evolution. One of the most important of these is probably the mantra: "everything is a file," widely regarded as one of the defining points of UNIX. This key design principle consists of providing a unified paradigm for accessing a wide range of input/output resources: documents, directories, hard-drives, CD-ROMs, modems, keyboards, printers, monitors, terminals and even some inter-process and network communications. The trick is to provide a common abstraction for all of these resources, each of which the UNIX fathers called a "file." Since every "file" is exposed through the same API, you can use the same set of basic commands to read/write to a disk, keyboard, document or network device.

A fundamental and very powerful, consistent abstraction provided in UNIX and compatible operating systems is the file abstraction. Many OS services and device interfaces are implemented to provide a file or file system metaphor to applications. This enables new uses for, and greatly increases the power of, existing applications — simple tools designed with specific uses in mind can, with UNIX file abstractions, be used in novel ways. A simple tool, such as cat, designed to read one or more files and output the contents to standard output, can be used to read from I/O devices through special device files, typically found under the /dev directory. On many systems, audio recording and playback can be done simply with the commands "cat /dev/audio > myfile" and "cat myfile > /dev/audio", respectively.


Every file on a GNU/Linux system is owned by a user and a group. In addition, there are three types of access permissions: read, write, and execute. Different access permissions can be applied to a file’s owning user, owning group, and others (those without ownership). One can determine a file’s owners and permissions by viewing the long listing format of the ls command:

total 13740
drwxr-xr-x 2 root root    4096 Jan 12 00:33 grub
-rw-r--r-- 1 root root 8570335 Jan 12 00:33 initramfs-linux-fallback.img
-rw-r--r-- 1 root root 1821573 Jan 12 00:31 initramfs-linux.img
-rw-r--r-- 1 root root 1457315 Jan  8 08:19 System.map26
-rw-r--r-- 1 root root 2209920 Jan  8 08:19 vmlinuz-linux

The first column displays the file’s permissions (for example, the file initramfs-linux.img has permissions -rw-r--r-- ). The third and fourth columns display the file’s owning user and group, respectively. In this example, all files are owned by the root user and the root group.

total 16
drwxrwx--- 1 root vboxsf 16384 Jan 29 11:02 sf_Shared

In this example, the sf_Shared directory is owned by the root user and the vboxsf group. It is also possible to determine a file’s owners and permissions using the stat command:


How to set up default group permission in linux folder

Now I want that whatever files are copied to that public_html, or new files created inside that folder, should have default read/write permission by john, no matter who is the owner of that file. Also, I will be copying/creating files/directories by FTP; will that system work there as well, or will files created with FTP not have group read/write permission? I mean, will umask work only for files created/copied within the shell, or outside the shell as well?

3 Answers

You can achieve this using ACL. Look at the man page of setfacl/getfacl for details.

Unfortunately the syntax is a bit complex. Try something like:

setfacl -s u::rwx,g::r-x,o::r-x,m:rwx,u:john:rwx,d:u:john:rwx /home/john/public_html 

Well, umask will still apply to newly created files, but you can "override" umask as well using ACL:

setfacl -s u::rwx,g::r-x,o::r-x,m:rwx,u:john:rwx,d:u:john:rwx,d:u::rwx,d:g::r-x,d:o::r-x,d:m:rwx /home/john/public_html 

I’m not exactly sure what you’re trying to accomplish, but it looks like it could be solved with group permissions and a setgid bit on the directory.

chown john:john-contrib /home/john/public_html
chmod 2775 /home/john/public_html

Then when people create files, they’ll be owned by the group ‘john-contrib’. Everyone needs to be a member of john-contrib to put files in John’s directory though.


If you really want everyone to write into John’s directory all the time without any security controls, then chmod 2777 would work, but that’s a little insane application of the /home filesystem.
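How the chmod 2775 setup from the answers above interacts with umask, as an added example that is not part of the original posts: the setgid bit decides which group a new file gets, while the umask of the creating process still decides whether that group can write. It assumes Linux with stat -c (GNU or BusyBox); the function names and the scratch directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example. Assumes Linux with GNU or BusyBox stat (stat -c).

# Create a probe file in DIR ($1) under umask MASK ($2); print "<octal mode> <gid>".
new_file_meta() {
    (
        umask "$2"
        probe="$1/.probe.$$"
        : > "$probe" || exit 1
        stat -c '%a %g' "$probe"
        rm -f "$probe"
    )
}

# Report how a file created in DIR ($1) under umask MASK ($2) turns out.
check_shared_dir() {
    dir=$1
    dir_mode=$(stat -c '%a' "$dir")
    dir_gid=$(stat -c '%g' "$dir")
    set -- $(new_file_meta "$dir" "$2")
    file_mode=$1
    file_gid=$2

    setgid=no; same_group=no; group_write=no; world_writable_dir=no
    # The leading 0 makes the shell read the stat output as an octal number.
    if [ $(( 0$dir_mode & 02000 )) -ne 0 ]; then setgid=yes; fi
    if [ "$file_gid" = "$dir_gid" ]; then same_group=yes; fi
    if [ $(( 0$file_mode & 0020 )) -ne 0 ]; then group_write=yes; fi
    if [ $(( 0$dir_mode & 0002 )) -ne 0 ]; then world_writable_dir=yes; fi
    echo "setgid=$setgid same_group=$same_group group_write=$group_write world_writable_dir=$world_writable_dir"
}

# Constructed demo: a scratch directory set up like the answer's public_html.
demo() {
    d=$(mktemp -d) || return 1
    chmod 2775 "$d"
    check_shared_dir "$d" 022   # common default umask: group cannot write
    check_shared_dir "$d" 002   # umask that keeps group write
    rm -rf "$d"
}
demo
```

A world_writable_dir=yes result corresponds to the chmod 2777 case the answer warns about.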


Bash Scripting — How to set the group that new files will be created with?

I’m doing a bash shell script and I want to change the default group that new files are created as. I know you use umask to change the permissions. Is there something for the group?

2 Answers

There are a couple ways to do this:

  1. You can change the default group for all files created in a particular directory by setting the setgid flag on the directory ( chmod g+s ). New files in the directory will then be created with the group of the directory (set using chgrp ). This applies to any program that creates files in the directory. Note that this is automagically inherited for new subdirectories (as of Linux 3.10). However, if subdirectories were already present, this change won’t be applied to them. Assuming that the subdirectories already have the correct group, the setgid flag can be added to them with: find . -type d -exec chmod g+s {} \; (suggested by Maciej Krawczyk in the comments)
  2. If the setgid flag is not set, then the default group will be set to the current group id of the creating process. Although this can be set using the newgrp command, that creates a new shell that is difficult to use within a shell script. If you want to execute a particular command (or set of commands) with the changed group, use the command sg . sg is not a POSIX standard command but is available on Linux.

Just a small note. If you try to run chmod g+s _dir_ on a directory which has the group y, and you are running the command under user x, and user x isn’t a member of the group y, it won’t work. You’ll have to run it as root.

@LEDfan ah! Excellent tip/point! This last part (user must be member of the group for it to work) is the one reason why I’ve struggled with getting this to work in the past. Thanks!

Do not use chmod -R. You will apply setgid on files, which creates a security problem (executable files will always run as the group owner, regardless of who runs them). Use this instead to apply it to directories only: find . -type d -exec chmod g+s {} \;
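An audit and repair for the situation described in the answer and comments above, as an added example that is not part of the original thread: it lists regular files that picked up the setgid bit, directories that lack it, and entries whose group differs from the top directory, then fixes the first two. It assumes Linux find and stat -c; the function names and the demo tree are constructed.

```shell
#!/bin/sh
# Added example. Assumes Linux with find and stat -c (GNU or BusyBox).

# Print one finding per line for the shared tree rooted at ROOT ($1):
#   SETGID_FILE    regular file carrying the setgid bit (chmod -R g+s fallout)
#   DIR_NO_SETGID  directory that will not pass its group on to new files
#   WRONG_GROUP    entry whose group differs from the group of ROOT
audit_shared_tree() {
    root=$1
    gid=$(stat -c '%g' "$root")
    {
        find "$root" -type f -perm -2000 | sed 's/^/SETGID_FILE /'
        find "$root" -type d ! -perm -2000 | sed 's/^/DIR_NO_SETGID /'
        find "$root" ! -group "$gid" | sed 's/^/WRONG_GROUP /'
    } | sort
}

# Repair: strip setgid from regular files, add it to directories only.
# Group mismatches are reported, not changed, because the right group is a
# decision for the administrator.
repair_shared_tree() {
    find "$1" -type f -perm -2000 -exec chmod g-s {} +
    find "$1" -type d ! -perm -2000 -exec chmod g+s {} +
}

# Constructed demo tree reproducing both problems.
demo() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/site/img"
    : > "$t/site/index.html"
    : > "$t/site/deploy.sh"
    chmod 755 "$t/site/deploy.sh"
    chmod -R g+s "$t/site"       # the recursive chmod the comment warns about
    chmod g-s "$t/site/img"      # stands in for a directory that never got g+s
    audit_shared_tree "$t/site"
    repair_shared_tree "$t/site"
    audit_shared_tree "$t/site"  # prints nothing once the tree is repaired
    rm -rf "$t"
}
demo
```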


How to set default file permissions for all folders/files in a directory?

I want to set a folder such that anything created within it (directories, files) inherits default permissions and group. Let's call the group "media". And also, the folders/files created within the directory should have g+rw automatically.

umask does relate to permissions but I do not believe it does anything with setting a default group that is not the user him/herself.


5 Answers

setfacl -d -m g::rwx /<directory>
setfacl -d -m o::rx /<directory>

# file: ..//
# owner:
# group: media
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x

g+s will ensure that new content in the directory will inherit the group ownership. setfacl only changes the chmod, in your case sets the permission to o=rx

Note that ACL must be enabled (included as one of the mount options for the mounted file system) for the file permissions to be inherited.

You might want to consider using ‘X’ instead, so it will only set execute permission on directories, not files: setfacl -d -m g::rwX /<directory>

This is an addition to Chris’ answer, it’s based on my experience on my Arch Linux rig.

Using the default switch ( -d ) and the modify switch ( -m ) will only modify the default permissions but leave the existing ones intact:

If you want to change folder’s entire permission structure including the existing ones (you’ll have to do an extra line and make it recursive with -R ):

# Gives group read,write,exec permissions for currently existing files and
# folders, recursively.
setfacl -R -m g::rwx /home/limited.users/directory
# Revokes read and write permission for everyone else in existing folder and
# subfolders.
setfacl -R -m o::x /home/limited.users/directory
# Gives group rwx permissions by default, recursively.
setfacl -R -d -m g::rwx /home/limited.users/directory
# Revokes read, write and execute permissions for everyone else.
setfacl -R -d -m o::--- /home/limited.users/directory

(CREDIT to markdwite in comments for the syntax of the revoke all privileges line)
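A check of getfacl output against the goal stated in the question (group "media", inherited group, group rw by default), as an added example that is not part of the original answers. It reads a listing on stdin, so it runs without the acl tools installed; the function names and the sample listing, a directory where the default ACL was set but the group and setgid bit were not, are constructed.

```shell
#!/bin/sh
# Added example. Reads `getfacl` output for a directory on stdin and prints one
# finding per line, or "ok". $1 is the group new content should belong to.
check_shared_acl() {
    awk -v want="$1" '
        function perms(line,   p) { split(line, p, "::"); return substr(p[2], 1, 3) }
        function finding(msg)     { print msg; n++ }
        /^# group:/        { group = $3 }
        /^# flags:/        { flags = $3 }   # three characters: setuid, setgid, sticky
        /^default:group::/ { dgroup = perms($0) }
        /^default:mask::/  { dmask  = perms($0) }
        /^default:other::/ { dother = perms($0) }
        END {
            if (group != want)
                finding("owning group is " group ", expected " want)
            if (substr(flags, 2, 1) != "s")
                finding("setgid flag missing: new files get the group of the creating process")
            if (dgroup == "")
                finding("no default ACL: modes of new files depend on umask alone")
            else if (dgroup !~ /^rw/)
                finding("default group entry is " dgroup ", group rw not inherited")
            if (dmask != "" && dmask !~ /^rw/)
                finding("default mask " dmask " caps the group entry")
            if (dother ~ /w/)
                finding("default other entry " dother " is writable")
            if (n == 0) print "ok"
        }'
}

# Constructed sample listing (path and owner are made up).
sample_listing() {
    cat <<'EOF'
# file: srv/media
# owner: alice
# group: alice
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x
EOF
}

sample_listing | check_shared_acl media
```

On a live system the input would come from running getfacl on the shared directory.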


Linux — Set a default Group when creating new Files with SSH/FTP

How to set a default group when creating, uploading, or adding new files in Ubuntu, CentOS, Debian, and other Linux distributions


If you’ve stumbled upon this post, it most likely means that you’re trying to fix a nasty issue affecting your Linux server: every time you upload some new files to a folder (such as var/www) that has specific group access (such as www-data) using your favorite SSH or FTP(s) client, those files are created with : ownership rights — instead of :www-data permissions like you would like to.

Such behavior basically prevents Apache, NGINX, and any other service that is configured to use www-data permissions from accessing those files, as well as other users different than you, until you use chown/chgrp commands to fix it.

Is there a way to specify a default group when creating new files, instead of using your username’s group? As a matter of fact, the answer is YES. In this post, we’ll see how we can do that.

UPDATE: If you want to set default permissions for newly uploaded files/folder, don’t forget to read this post as well.

How to Set a Default Group for new Files

Here’s what we need to do to set a default group when adding new files in a folder:
