Normally, a directory is created with full access granted only to its owner. To share the files in a directory, you must "open" the access modes to a group and/or to others, which means changing the directory's permission modes. There are three questions to ask when deciding which modes to change.
This document is a case study of a situation where you have a public directory, for example a Web directory containing Web pages. You want everybody to have read and search access to these files. The second assumption is that you are working in a group, for example a Web development team, and that a UNIX group has been created for your team. You want all members of the group to have equal and full access to all the files in the directory: any member can create files and modify files created by other members of the group. Anybody not in the group can see the files, but cannot create new content, delete files, or modify existing files.
Using the letter codes above, we want the owner of each file to have full access, every other member of the group to also have full access—rwx—and all others to have browse access—r-x. We want this access automatically granted when new files are added. The group members can use any method to put the files in the directory, and the files will all be set consistently and correctly. For example, the Web development team might be publishing the files using the sftp protocol.
The owner of the directory always has the ability to change the permission modes of the directory. So if things are not working, the owner of the directory will have to log in to UNIX and follow the directions in this document. Other members of the group can work in this directory using a Web browser for browsing and sftp for publishing.
Following is the listing of a strauss session in which we used the newgrp command to start a new shell running under group 0217, the mkdir command to create a new directory named groupshare, the chmod command to add group rwx and others r-x (g+rwx,o+rx), and then checked our work with both the ls -dl command and the getfacl command.
strauss<60>% newgrp 0217
strauss<1>% mkdir groupshare
strauss<2>% chmod g+rwx,o+rx groupshare
strauss<3>% ls -dl groupshare
drwxrwxr-x   2 dnairn   0217         512 Feb 19 12:13 groupshare
strauss<4>% getfacl groupshare
# file: groupshare
# owner: dnairn
# group: 0217
user::rwx
group::rwx              #effective:rwx
mask:rwx
other:r-x
Both the ls -dl and the getfacl commands will list all the access modes of a directory, but getfacl is more verbose and easier to interpret.
Now this directory is correct for group sharing, but new files created in it will not be. New files will be owned by the group of the shell that creates them and will not have the correct permissions. If you start the shell in the correct group and set the umask, the files you create will automatically get the proper group and permissions. However, if your group members put files into the directory with sftp or scp, these shell settings do not help.
Instead, we will use two commands to solve this problem. The command:
chmod g+s groupshare
will set the set-group-ID bit on the groupshare directory. This means that new files will be owned by the group of the parent directory rather than the group of the shell that created them; here, group 0217 will be assigned to all new files and directories. The set-group-ID bit is also inherited by new subdirectories, so the group will be set properly for every file in the hierarchy. The command:
setfacl -m d:u::rwx,d:g::rwx,d:m:rwx,d:o:r-x groupshare
will set the default:user, default:group, default:mask, and default:other entries. These defaults are used to set the permission modes of any new file or directory created in groupshare. All four defaults must be set, which makes for a long command; that is why the abbreviations d:u, d:g, d:m, and d:o are used.
Here is a session to set both the set groupid bit and all the default access modes:
strauss<5>% chmod g+s groupshare
strauss<6>% setfacl -m d:u::rwx,d:g::rwx,d:m:rwx,d:o:r-x groupshare
strauss<7>% ls -dl groupshare
drwxrwsr-x+  2 dnairn   0217         512 Feb 19 12:13 groupshare
strauss<8>% getfacl groupshare
# file: groupshare
# owner: dnairn
# group: 0217
user::rwx
group::rwx              #effective:rwx
mask:rwx
other:r-x
default:user::rwx
default:group::rwx
default:mask:rwx
default:other:r-x
Notice the "+" sign at the end of the permission modes. It is a signal that the directory carries more access information than ls can show, and that you should use the getfacl command to see it; the added lines in the getfacl output are the defaults.
You can both create the directory and set the defaults with the following shell session:
newgrp 0217
mkdir groupshare
chmod g+rwxs,o+rx groupshare
setfacl -m d:u::rwx,d:g::rwx,d:m:rwx,d:o:r-x groupshare
exit
You should check these commands with the getfacl command. If all the defaults are correct then your directory should be maintenance-free—all new files will be correctly set for Web browsing and group sharing. If you have an existing directory, you can set all existing files, but you may find it easier to rename the old directory and create a new directory with the original name. Then copy the old information into the new directory and remove the old directory:
newgrp 0217
mv groupshare groupshare-old
mkdir groupshare
chmod g+rwxs,o+rx groupshare
setfacl -m d:u::rwx,d:g::rwx,d:m:rwx,d:o:r-x groupshare
cp -R
exit
After you set the set groupid bit and permission defaults, all new files and directories will have the correct group ownership (taken from the directory), and the access modes will be correct for group sharing.
If you already have a directory containing files that are not owned by the correct group or are not permitted properly, you need to know how to fix it. You can explicitly set all files and directories one at a time. The owner of the file or directory should proceed as follows.
For group 9999 and a directory, type:
chgrp 9999 directory
chmod -s,g+rwxs,o+rx directory
setfacl -m d:u::rwx,d:g::rwx,d:m:rwx,d:o:r-x directory
For group 9999 and a file, type:
chgrp 9999 file
chmod g+rw,o+r file
Both the chgrp and the chmod commands can be run recursively with the -R option, so with two commands on the home directory we can change all the files you own, in all directories, to any depth. The setfacl command has no recursive option, but the ACL of a correctly configured directory can be copied to another directory, because the output of getfacl can be used as input to setfacl.
To change an existing directory to be group-shared by project 9999, first change to that directory and then type the following commands (pay close attention to the dots "."):
chgrp -R 9999 .
chmod -R -s,g=rw,o=r .
foreach dir (`find . -type d`)
    chmod g+xs,o+x $dir
    setfacl -m d:u::rwx,d:g::rwx,d:o:r-x,d:m:rwx $dir
end
This has to be done by each user who owns files in the directory, because only a file's owner can change its group and permission modes. It is easier to get things set up correctly when the directory is created, before others start putting files in it.
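The following is an added example, not part of the original page and not a strauss tool. It serves two purposes described above: checking that a directory tree really has the group-sharing properties (the check the page suggests doing with getfacl after setup), and applying the page's recursive fix-up to an existing tree. The function names (audit_groupshare, fix_groupshare, demo_groupshare), the audit rules, and the constructed sample tree are assumptions made for this example. The fix-up is the page's csh loop rewritten in POSIX sh; the audit inspects only the mode bits and group, so the default ACL entries still need getfacl to verify. The default-ACL step is passed to setfacl only when a spec is supplied and the command exists, because the spelling differs between systems (the page's Solaris form is d:u::rwx,d:g::rwx,d:m:rwx,d:o:r-x; Linux setfacl writes d:u::rwx,d:g::rwx,d:m::rwx,d:o::r-x).

```shell
#!/bin/sh
# Added example (not from the original page). Assumed names: audit_groupshare,
# fix_groupshare, demo_groupshare. Mode tests use find's -perm -MODE, which
# matches when all of the named bits are set.

# audit_groupshare DIR GROUP
# Prints one line per entry that does not conform to group sharing;
# prints nothing when everything is correct.
audit_groupshare() {
    dir=$1
    group=$2
    # every file and directory must belong to the project group
    find "$dir" ! -group "$group" -exec printf 'wrong group: %s\n' {} +
    # directories: set-group-ID (2000) plus g=rwx (070) plus o=rx (05)
    find "$dir" -type d ! -perm -2075 -exec printf 'directory mode: %s\n' {} +
    # plain files: g=rw (060) plus o=r (04); execute bits are not required
    find "$dir" -type f ! -perm -064 -exec printf 'file mode: %s\n' {} +
}

# fix_groupshare DIR GROUP [DEFAULT_ACL_SPEC]
# The page's recursive fix-up in sh: chgrp everything, reset the group and
# other bits on every entry (clearing any set-ID bits, so no file is left
# set-group-ID), then restore execute and set-group-ID on directories only.
fix_groupshare() {
    dir=$1
    group=$2
    aclspec=$3
    chgrp -R "$group" "$dir"
    chmod -R a-s,g=rw,o=r "$dir"
    find "$dir" -type d -exec chmod g+xs,o+x {} +
    # default ACL only when asked for and when setfacl is available here
    if [ -n "$aclspec" ] && command -v setfacl >/dev/null 2>&1; then
        find "$dir" -type d -exec setfacl -m "$aclspec" {} +
    fi
}

# demo_groupshare
# Builds a constructed sample tree under a temporary directory with owner-only
# modes, counts the problems the audit finds before and after the fix, removes
# the tree, and prints "before=N after=M". It uses the caller's own primary
# group so that it runs on any account.
demo_groupshare() {
    top=$(mktemp -d) || return 1
    group=$(id -gn)
    mkdir -p "$top/share/sub"
    chgrp -R "$group" "$top/share"
    chmod u=rwx,g-s,go= "$top/share" "$top/share/sub"
    echo '<html></html>' > "$top/share/sub/index.html"
    chmod 600 "$top/share/sub/index.html"
    before=$(audit_groupshare "$top/share" "$group" | wc -l | tr -d ' ')
    fix_groupshare "$top/share" "$group"
    after=$(audit_groupshare "$top/share" "$group" | wc -l | tr -d ' ')
    rm -rf "$top"
    echo "before=$before after=$after"
}

demo_groupshare
```

Run the audit on a live tree as audit_groupshare /path/to/groupshare 9999; an empty result means every entry has the right group and mode bits, after which getfacl on each directory confirms the default entries. The fix function deliberately strips set-ID bits from all entries before re-adding set-group-ID to directories, exactly as the page's chmod -R -s,g=rw,o=r does, so a stray set-group-ID executable cannot survive the pass.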