Using the letter codes above, we want the owner of each file to have full access ("rwx"), every other member of the group to also have full access ("rwx"), and all others to have browse access ("r-x"). We want this access granted automatically when new files are added, whatever method the group members use to put the files in the directory, so that every file ends up set consistently and correctly. For example, the web development team may be publishing the files with the ftp protocol.
The owner of the directory always has the ability to change the permission modes of the directory. So if things are not working, the owner of the directory will have to log on to Unix and follow the directions in this document. If things are set properly, this Unix session is needed only for initial setup and troubleshooting; the other members of the group can work in this directory with a web browser for browsing and ftp for publishing.
The following is a listing of a strauss session. We started a new shell whose group is 0217 (newgrp), created a new directory named "groupshare" (mkdir), changed the permission modes to add group "rwx" and others "r-x" (chmod g+rwx,o+rx), and checked our work with both the ls -dl command and the getfacl command.
strauss<60>% newgrp 0217
strauss<1>% mkdir groupshare
strauss<2>% chmod g+rwx,o+rx groupshare
strauss<3>% ls -dl groupshare
drwxrwxr-x   2 dnairn   0217         512 Feb 19 12:13 groupshare
strauss<4>% getfacl groupshare
# file: groupshare
# owner: dnairn
# group: 0217
user::rwx
group::rwx              #effective:rwx
mask:rwx
other:r-x
Both ls -dl and getfacl list the access modes of a directory, but getfacl is more verbose and easier to interpret. See the troubleshooting section below if the wrong group or the wrong permission modes are listed.
Now this directory is correct for group sharing, but new files will not be. New files will be owned by the group of the shell that creates them and will not have the correct permissions. If you start the shell in the correct group and set the umask, you can make new files automatically owned and permitted properly. However, if your group members put files here with ftp or scp, these shell commands will not help, because those programs never run your shell.
Instead we will use two commands to solve this problem. The command:
chmod g+s groupshare
sets the "set groupid" bit on the groupshare directory. This means all new files will be given the group of the parent directory instead of the group of the current shell; in this case the group 0217 will be assigned to all new files and directories. The "set groupid" bit is also inherited by new subdirectories, so the group will be set properly for all files in the hierarchy.
The command
setfacl -m d:u::rwx,d:g::rwx,d:m:rwx,d:o:r-x groupshare
sets the default:user, default:group, default:mask and default:other entries. These defaults are used to set the permission modes of any new file or subdirectory. You must set all four defaults in one command, which makes the command long; that is why we used the abbreviations d:u, d:g, d:m and d:o. The defaults are an upper bound on the mode the creating program asks for, not a replacement for it, so once they are in place check a file that was actually uploaded by ftp with getfacl rather than assuming the result.
Here is a session that both sets the "set groupid" bit and sets all the default access modes.
strauss<5>% chmod g+s groupshare
strauss<6>% setfacl -m d:u::rwx,d:g::rwx,d:m:rwx,d:o:r-x groupshare
strauss<7>% ls -dl groupshare
drwxrwsr-x+  2 dnairn   0217         512 Feb 19 12:13 groupshare
strauss<8>% getfacl groupshare
# file: groupshare
# owner: dnairn
# group: 0217
user::rwx
group::rwx              #effective:rwx
mask:rwx
other:r-x
default:user::rwx
default:group::rwx
default:mask:rwx
default:other:r-x
Notice the "+" sign at the end of the permission modes. It is a signal that there is more information you should look at with the getfacl command; here the added information is the defaults.
You can do both, create the directory and set the defaults, with the following shell session:
newgrp 0217
mkdir groupshare
chmod g+rwxs,o+rx groupshare
setfacl -m d:u::rwx,d:g::rwx,d:m:rwx,d:o:r-x groupshare
exit
Check the result with the getfacl command. If all the defaults are correct, the directory should be maintenance free, in the sense that all new files will be set correctly for web browsing and group sharing. If you have an existing directory, you can set all the existing files one at a time (see below), but you may find it easier to rename the old directory, create a new directory with the same name, copy the old contents into the new directory, and then remove the old directory. Copy without preserving modes (no -p option), so the copies pick up the new directory's group and defaults, and check a few of the copied files with getfacl before removing the old directory.
newgrp 0217
mv groupshare groupshare-old
mkdir groupshare
chmod g+rwxs,o+rx groupshare
setfacl -m d:u::rwx,d:g::rwx,d:m:rwx,d:o:r-x groupshare
cp -R groupshare-old/. groupshare
exit
After setting the "set groupid" bit and the permission defaults, all new files and directories will have the correct group (taken from the directory) and access modes that are correct for group sharing.
If you already have a directory with files that are not owned by the correct group, or not permitted properly, you need to know how to fix it. You can explicitly set all files and directories one at a time. The owner of the file or directory should run:
For group 9999 and a directory:
chgrp 9999 directory
chmod -s,g+rwxs,o+rx directory
setfacl -m d:u::rwx,d:g::rwx,d:m:rwx,d:o:r-x directory
For group 9999 and a file:
chgrp 9999 file
chmod g+rw,o+r file
Both chgrp and chmod can be run recursively with the "-R" option, so with two commands on the home directory we can change all the files you own in all directories to any depth. setfacl does not have a recursive switch, but it can copy the ACL of a correctly configured directory to a subdirectory, because the output of getfacl can be used as input to setfacl.
To change an existing directory to be group shared by project 9999, first change to the directory and then type the following commands (pay close attention to the dots "."):
chgrp -R 9999 .
chmod -R -s,g=rw,o=r .
foreach dir (`find . -type d`)
chmod g+xs,o+x $dir
setfacl -m d:u::rwx,d:g::rwx,d:m:rwx,d:o:r-x $dir
end
This has to be done by each user who owns files in the directory, since only the owner can change a file's group and modes. Two cautions: the backquoted find in the loop breaks on directory names that contain spaces, and the chmod -R step removes the group and other execute bits from every file, so executable files such as CGI scripts must be fixed afterwards by hand. It is easier to get things set up correctly when the directory is created, before other users start putting files in it.