Make all new files in a directory accessible to a group
Suppose I have two users Alice and Bob and a group GROUPNAME and a folder foo, both users are members of GROUPNAME (using Linux and ext3). If I save as user Alice a file under foo, the permissions are: -rw-r--r-- Alice Alice. However, is it possible to achieve that every file saved under some subdirectory of foo has permissions -rwxrwx--- Alice GROUPNAME (i.e. owner Alice, group GROUPNAME)?
Under Linux, make sure that the filesystem you're using supports ACLs (most unix filesystems do). You may need to change the mount options to enable ACLs: with ext2/ext3/ext4, the kernel default since 2.6.39 is to enable ACLs. On older kernels you may need to specify the acl mount option explicitly, so the entry in /etc/fstab should look like "/dev/sda1 / ext4 errors=remount-ro,acl 0 1". Run "mount -o remount,acl /" to activate ACLs without rebooting. Also install the ACL command line tools getfacl and setfacl, typically provided in a package called acl.
Now that the one-time setup is over, change the directory’s ACL to give the group write permissions and to make these permissions inherited by newly created files. Under Linux:
setfacl -d -m group:GROUPNAME:rwx /path/to/directory
setfacl -m group:GROUPNAME:rwx /path/to/directory
If ACLs are not an option, make the directory owned by the group GROUPNAME , and set its permissions to 2775 or 2770: chmod g+rwxs /path/to/directory . The s here means the setgid bit; for a directory, it means that files created in this directory will belong to the group that owns the directory.
You’ll also need to set Alice and Bob’s umask to make all their files group-writable by default. The default umask on most systems is 022, meaning that files can have all permissions except write by group and other. Change that to 002, meaning to forbid only write-by-other permission. You would typically put that setting in your ~/.profile :
umask 002 # or 007 to have files not readable by others
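To see the two mechanisms from this answer interact, here is an added shell example (not part of the original answer) that builds a setgid scratch directory and creates files in it under umask 002 and 022. It assumes GNU coreutils stat and a filesystem that honours the setgid bit on directories (ext3/ext4, tmpfs); to run without root it uses the caller's own primary group in place of GROUPNAME, and the ACL helper is optional and returns failure where setfacl or ACL support is missing.

```shell
#!/bin/sh
# Added example, not code from the answer above: shows on a scratch directory that
# the setgid bit makes new files inherit the directory's group, and that it is the
# umask (002 vs 022), not the setgid bit, that decides whether they are group-writable.
# Assumptions: GNU coreutils (stat -c), a Linux filesystem that honours setgid on
# directories, and no root: the directory gets our own primary group, so the mode
# can be set without chgrp.

# Create a setgid, group-writable scratch directory and print its path.
make_shared_dir() {
    dir=$(mktemp -d)
    chmod 2775 "$dir"      # leading 2 = setgid: new entries inherit the directory's group
    printf '%s\n' "$dir"
}

# Create "$1/newfile.$2" under umask "$2" and print "<gid> <octal mode>" of the result.
create_with_umask() {
    ( umask "$2"; : > "$1/newfile.$2" )   # subshell: the caller's umask is untouched
    stat -c '%g %a' "$1/newfile.$2"
}

# Numeric gid of a path, to compare a new file with its parent directory.
path_gid() {
    stat -c '%g' "$1"
}

# Optional ACL route from the answer: give a group (default: our primary group) rwx
# on everything created under $1. With a default ACL the umask is no longer applied;
# the mode the creating program passes to open(2) becomes the ACL mask instead.
# Returns 1 if setfacl is missing or the filesystem refuses ACLs, so callers can
# fall back to setgid + umask.
add_default_acl() {
    group=${2:-$(id -gn)}
    command -v setfacl >/dev/null 2>&1 || return 1
    setfacl -d -m "group:$group:rwx" "$1" 2>/dev/null || return 1
    setfacl -m "group:$group:rwx" "$1"
}
```

With umask 002 the new file comes out 664 and carries the directory's gid; with 022 it is 644 even though the directory is setgid, which is exactly the situation in the question: the setgid bit fixes the group, the umask fixes the bits.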
Automatically set group and permissions on files in a folder? [duplicate]
The test directory belongs to foo and my default group bar . I’d like new folder to belong to the apache group instead. I’d like the same behavior for files. Any ideas?
The group can be inherited by setting the SGID bit:
For inheriting permissions you need ACL: man 5 acl
You have to set a default ACL for the directory: setfacl -d -m g.
Inheriting the group ownership is easy. Simply set the SETGID bit:
chmod g+s example.com/public
Anything created in the directory should now have apache as the group owner, and directories will inherit the SETGID bit.
Inheriting permissions with ACLs is not possible on all systems, and may have performance impacts in some cases. Instead of using ACLs you can set the umask for your web server to set the permissions of new files/directories.
How does umask get saved? is it per directory? per shell session? Once umask is set on a directory, will it be used for anything that interacts with that directory?
@naomik per shell session (in that it’s usually set by the umask command): serverfault.com/questions/383734/…
It would be OK to mention the Ubuntu problem. The OP doesn't mention Ubuntu, though. Ignoring the obvious solution because of a problem with a single distro seems strange to me, considering that ACLs have been a default mount option for years now.
I may have misunderstood the hint on the page you linked. I thought they meant that to be Ubuntu-specific. But I have openSUSE with coreutils 8.21-7 and I don't have this problem. But even if that affected all distros then you still shouldn't pretend that umask is the only way but say that ACL is the tool to use but there may be problems currently. For how long is a bug relevant, and for how long are the answers here read?
Linux — how to set group permissions for new files in advance
I want to tell Linux that each file that is created in a certain directory should have g+w in addition to the default permissions. How do I say that? I need the sticky bit of that directory, don't I? (The directory already has drwsrwsr-x which I was hoping the new files would inherit, but obviously they don't.)
thanks, hmmm, to me this looks like a system-wide setting? I only want this to happen in a certain folder. Why I need this: It is a folder for log files, where both apache and also a locally running php script (started by upstart) need to write log files into. Sometimes I clear this folder, so the files are re-created, and then it happens that the permissions are too strict. I put a "chmod g+w *.log" in the upstart script, but some of the logs are created later at certain events in the application, so this does not fully work.
There are several mechanisms related to permissions manipulations:
- umask allows you to disable permission bits per application. It allows neither enabling permissions nor doing it per directory. It's also not a global setting. It is a per-process attribute that is inherited from the parent process. E.g. you can set its default value in an init script, but programs (especially daemons) may overwrite their umask.
- sticky bit restricts directory access so that files in that directory may only be unlinked or renamed by root or the directory owner or the file owner.
- setgid bit on a directory forces any new files created within that directory to have their group set to the same group that's set on the directory. It lets you override the group owner, but not permissions.
- bsdgroups or grpid mount option enables setgid bit behaviour for all directories, even if the setgid bit is not set.
- ACL (access control lists) allows you to set per-user and per-group permissions for a directory or file. They are also inherited from the parent directory when a new file is created in that directory. However, ACL permissions are masked against traditional POSIX permissions, which are set by the file creator and its umask, so you can't inherit more permissions than allowed by the file creator.
All of these mechanisms except umask are linux-specific. See this question for some details about setgid bit and ACLs.
I guess none of these is a direct solution for your problem. What you can do:
- Configure programs that create those files to create them with sufficient permissions. E.g., if they create them (or can be configured so) with permissions 0777, setting umask to 000 should be enough. See @KasunRathnayaka's answer.
- If it's not an option, you can use the bindfs tool with --create-with-perms and related options. It allows you to mount a directory onto another directory and overwrite permissions and user/group owners when files are created or modified. See the manual page.
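For the log-directory case in this question, where the writers are daemons started by the init system rather than an interactive shell, the first option above means setting the umask in the service definition, since a daemon inherits its umask from whatever started it. The drop-in below is an added example, not from the answer; it assumes a systemd unit named apache2.service and that the daemon does not reset its own umask afterwards (the answer notes that some do, so check the resulting file modes once). Under upstart, which the question mentions, the equivalent is the "umask 002" stanza in the job file.

```ini
# /etc/systemd/system/apache2.service.d/umask.conf  (unit name assumed)
# Applied with: systemctl daemon-reload && systemctl restart apache2
[Service]
# Default for most daemons is 0022: group loses write on every new log file.
# 0002 keeps group write; combined with a setgid log directory owned by the
# shared group, new logs come out rw-rw-r-- with that group at creation time.
UMask=0002
```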
How to create file as specific group
sudo chgrp www-data *yourfile* will do it for individual files.
to do it for all files within a specific directory, change the group for that directory with the same command
sudo chgrp www-data /path/to/your/dir
then use the chmod command to make all files created within that directory belong to the group the directory belongs to with
sudo chmod g+s /path/to/your/dir
I don't want to change the group of the file. I want that file to have the www-data group at the moment of creation.
The command sg can execute a command under a different group ID. If you are a member of the group newgroup, this should create newfile within that group:
sg newgroup "touch newfile"
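Here is an added shell example (not part of the answer) that runs the creating command under sg and then reads the group back with stat, so you can confirm the group was set at creation rather than fixed up afterwards. It assumes sg from shadow-utils and GNU stat; to run without extra groups or root it uses the caller's own primary group where the question would use www-data.

```shell
#!/bin/sh
# Added example, not from the answer: create a file whose group is set at creation
# time by running the creating command under sg, then read the group back with
# stat. Assumes sg from shadow-utils and GNU stat (stat -c); to run without any
# extra groups or root, it uses the caller's own primary group instead of www-data.

# Group name that owns the path given as $1.
file_group() {
    stat -c '%G' "$1"
}

# Create file $2 in directory $1 with group $3 via sg, then print "<group> <mode>".
# sg only swaps the effective gid of the child; the mode bits still come from the
# umask, so a group-writable result needs umask 002 inside the sg command string
# (sg runs it with /bin/sh), not in our own shell.
create_as_group() {
    sg "$3" -c "umask 002; : > '$1/$2'"
    stat -c '%G %a' "$1/$2"
}

# Demo when run directly: a temp dir and our primary group stand in for www-data.
demo() {
    dir=$(mktemp -d)
    create_as_group "$dir" notes.txt "$(id -gn)"
}
```

Because the file is created by a process whose effective gid is already the target group, there is no window in which it exists with the wrong group, which is the distinction the comment after this answer draws between "create" and "change".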
We can create a simple function, based on touch and chown commands, which will create new empty files and will change their permissions simultaneously. Or when the file exists it just will change its permissions. For this purpose type in the terminal:
function touch-www { touch "$1"; chown "$USER":www-data "$1"; }; export -f touch-www
Now we have a new command, called touch-www , and we can use it in this way:
To be able to use this new command everywhere in the file system let's modify the function in this way:
function touch-www { sudo touch "$1"; sudo chown "$USER":www-data "$1"; }; export -f touch-www
Once the file has enough permissions we can edit it with the current user. So let's assume we want to use nano in the way described here. Let's create a new function:
function nano-www { sudo touch "$1"; sudo chown "$USER":www-data "$1"; nano "$1"; }; export -f nano-www
To make these new commands permanently available we can add these lines at the bottom of the ~/.bashrc file:
function touch-www { sudo touch "$1"; sudo chown "$USER":www-data "$1"; }; export -f touch-www
function nano-www { sudo touch "$1"; sudo chown "$USER":www-data "$1"; nano "$1"; }; export -f nano-www
Sorry but I think you didn’t read the question carefully. I don’t want to change the group of the files. The keyword is «create» and not «change» what you are proposing is changing the files group after they are created.
Assuming you only want to change the group and retain the user value, try
sudo chown newuser:newgroup sample.txt
sudo chown ubuntu:www-data sample.txt
sorry maybe I wasn't clear enough. I want the NEW files that I create to already have the www-data group!
You could create a www-data user, with www-data group as their primary [see useradd , adduser , or eg kuser ], change to that user [ su www-data ] and then all files made would be owned by that user:group.
Backup /etc/group (or the whole of /etc) first before messing with groups. Also lookup what to do if you’re locked out because of group permissions.
Or, you could alter the primary group of the user named «ubuntu» to be www-data:
sudo usermod --gid www-data ubuntu
There may be security issues with the latter as it might at some point (e.g. combined with other bugs) expose all files owned by that group to your web server. The point of the www-data group is that only those files owned by it are allowed to be sent externally by the server (apache, nginx, whatever). Having all your standard user login files belong to that group thus creates a risk.