Group Sharing a Directory

Introduction

Normally, a directory is created with full access granted only to the owner of the file. To share the files in a directory, you must "open" access modes to a group and/or others. To open a directory, you must change permission modes. There are three questions to ask when deciding on which mode to change.

  1. Do you want to enable other users to see the file names in the directory? This is called read access or r.
  2. Do you want others to be able to put files in this directory? This is call write access or w.
  3. Do you want to let others get to the contents of the directory? This is call search access or x.

This document is a case study of a situation where you have a public directory, for example, a Web directory containing Web pages. You want everybody to have read and search access to these files. The second assumption is that you are working in a group, for example, a Web development team. You have a UNIX group created for your team. You want all members of the group to have equal and full access to all the files in the directory. Any member can create files and modify files created by other members of the group. Conversely, anybody not in the group can see the files, but they can not create new content, delete files, or modify existing files.

Using the letter codes above, we want the owner of each file to have full access, every other member of the group to also have full access—rwx—and all others to have browse access—r-x. We want this access automatically granted when new files are added. The group members can use any method to put the files in the directory, and the files will all be set consistently and correctly. For example, the Web development team might be publishing the files using the sftp protocol.

The owner of the directory always has the ability to change the permission modes of the directory. So if things are not working, the owner of the directory will have to log in to UNIX and follow the directions in this document. Other members of the group can work in this directory using a Web browser for browsing and sftp for publishing.

Case study

  • Create the directory

    Following is the listing of a strauss session where we used the newgrp command to start a new shell owned by group 0217, the mkdir command to created a new directory named groupshare, the chmod command to change the permission modes to add group rwx and others r-x: g+rwx,o+rx, and checked our work with both the ls -dl command and the getfacl command.

    strauss<60>% newgrp 0217 
    strauss<1>% mkdir groupshare 
    strauss<2>% chmod g+rwx,o+rx groupshare 
    strauss<3>% ls -dl groupshare 
    drwxrwxr-x   2 dnairn   0217         512 Feb 19 12:13 groupshare 
    strauss<4>% getfacl groupshare 
    
    # file: groupshare 
    # owner: dnairn 
    # group: 0217 
    user::rwx 
    group::rwx              #effective:rwx 
    mask:rwx 
    other:r-x

    Both the ls -dl and the getfacl commands will list all the access modes of a directory, but getfacl is more verbose and easier to interpret.

  • Future additions to the directory

    Now this directory is correct for group sharing, but new files will not be correct. New files will be owned by the group of the shell and will not have the correct permissions. If you start the shell in the correct group and set the umask command, you can make new files automatically owned and permitted properly. However if your group members put files into the directory with sftp or scp, these shell commands will not help.

    Instead, we will use two commands to solve this problem. The command:

    chmod g+s groupshare

    will set the set groupid bit for the groupshare directory. This means that all new files will be owned by the group of the parent directory instead of that of the current shell. In this case, group 0217 will be assigned to all new files or directories. Also this set groupid bit will be set on all new directories, so the group will be properly set for all files in the hierarchy.

    The command:

    setfacl -m d:u::rwx,d:g::rwx,d:m:rwx,d:o:r-x groupshare

    will set the default:user, default:group, default:mask, and default:other. These defaults will be used to set the permission modes for any new file. You must set all these defaults, so this means you have a long command. That is why we used the abbreviations d:u, d:g, d:m, and d:o.

    Here is a session to set both the set groupid bit and all the default access modes:

    strauss<5>% chmod g+s groupshare 
    strauss<6>% setfacl -m d:u::rwx,d:g::rwx,d:m:rwx,d:o:r-x groupshare 
    strauss<7>% ls -dl groupshare 
    drwxrwsr-x+  2 dnairn   0217         512 Feb 19 12:13 groupshare 
    strauss<8>% getfacl groupshare  
    
    # file: groupshare 
    # owner: dnairn 
    # group: 0217 
    user::rwx group::rwx              #effective:rwx 
    mask:rwx 
    other:r-x 
    default:user::rwx 
    default:group::rwx 
    default:mask:rwx 
    default:other:r-x 

    Notice the "+" sign at the end of the permission modes. This is a signal that you should use the getfacl command to look for more information. This added information shows the defaults.

  • Create the directory and set defaults in one set of commands

    You can both create the directory and set the defaults with the following shell session:

     newgrp 0217
     mkdir groupshare
     chmod g+rwxs,o+rx groupshare
     setfacl -m d:u::rwx,d:g::rwx,d:m:rwx,d:o:r-x groupshare
     exit 

    You should check these commands with the getfacl command. If all the defaults are correct then your directory should be maintenance-free—all new files will be correctly set for Web browsing and group sharing. If you have an existing directory, you can set all existing files, but you may find it easier to rename the old directory and create a new directory with the original name. Then copy the old information into the new directory and remove the old directory:

  •  newgrp 0217
     mv groupshare groupshare-old mkdir groupshare
     chmod g+rwxs,o+rx groupshare
     setfacl -m d:u::rwx,d:g::rwx,d:m:rwx,d:o:r-x groupshare
     cp -R  exit  
  • Fixing old directories or files

    After you set the set groupid bit and permission defaults, all new files and directories will have the correct group ownership (taken from the directory), and the access modes will be correct for group sharing.

    If you already have a directory with files that are not owned by the correct group or not permited properly, you need to know how to fix it. You can explicitly set all files and directories one at a time. The owner of the file or directory should:

    For group 9999 and a directory, type:

    chgrp 9999 directory
    chmod -s,g+rwxs,o+rx directory
    setfacl -m d:u::rwx,d:g::rwx,d:m:rwx,d:o:r-x directory

    For group 9999 and a file, type:

     chgrp 9999 file
     chmod g+rw,o+r file

    Both the chgrp and the chmod command can be run recursively with the -R option. So with two commands on the home directory, we can change all the files you own in all directories to any depth. The setfacl command does not have a recursive switch, but it does have the ability to pass a correctly configured directory to a subdirectory. This is because the output of getfacl can be used as input to setfacl.

    To change an existing directory to be group-shared by project 9999, first change to the directory and then type the following commands (Pay close attention to the dots ".")

     chgrp -R 9999 .
     chmod -R -s,g=rw,o=r .
     foreach dir (`find . -type d`)
     chmod g+xs,o+x $dir
     setfacl -m d:u::rwx,d:g::rwx,d:o:r--,d:m:rwx $dir
     end 

    This has to be done by each user who owns files in the homedir. It is easier to get things set up correctly when the directory is created and before others start putting files in the directory.

Search IT Help