[SOLVED] Can not inherit the permission from parent folder to child.

Toushi · 04-26-2011, 08:46 AM

Hello Experts!
I have setgid permission on my home directory (/home/XXXX) the permission look like below.

Code:

drwxrws---  2 toshi   jadu      4096 Apr 26 16:54 getset

If I create new directory in this getset folder the permission of getset folder could not inherit.

Code:

#cd getset
#mkdir test2
#ls |grep test2
drwxr-s---  2 toshi jadu 4096 Apr 26 16:56 test2

As I know the setgid utility allow to inherit the permission from parent directory to child directory.
Could please someone help me to find out the root cause of this and how to solve it?

Regards
Toushi

jason_not · 04-26-2011, 12:57 PM

Hello Toushi,

The setgid bit on the directory only affects the group permissions, and means two things:

1) Any files created under that directory inherits the group ownership.
2) Any directories created under that directory inherit the setgid bit, AND the group ownership.

There is no other effect. Any mode, other than group ownership is controlled by the umask at the time of file/directory creation.

The user's ownership is controlled by the user creating the file or directory.

-------

I use this system under web directories for instance:

I set all of the directories as setgid, group www-data. I set the other permissions as --- to keep anyone else out.

I add all users that need access to this directory to the www-data group.

That way, any proper user ought to be able to edit files under this directory. Any new files will automatically be owned by the correct apache user.

--jason

Toushi · 04-27-2011, 07:12 AM

Hello Jason!

Thanks for the reply!
Now I understand the setgid will not help me in my issue.

Is there any other option to inherit the permission from Parent folder to child folder?
I do not want to use umask it will breach the security.

Example:-

userA and userB are belongs to db1 group.

There is one folder (/tmp/data) has been shared for all user belongs to db1 group.

Permission on share folder is:-

drwxrwx--- 2 userA db1 4096 Apr 26 16:54 data

Now userB or userA want to create folder 'Details' in /tmp/data
And the permission of 'Details' folder should be same as data.

Q. Whenever member of group db1 create a folder under /tmp/data the permission should inherit from parent directory (data)by default.

Could you please suggest on it?

Thanks in advance!

Regards,
Toushi

jason_not · 04-27-2011, 01:06 PM

Hello Toushi,

Actually, the setgid bit may do exactly what you want, you just have to remember it only controls the group of any subdirectories or files. If you are looking for a way to force the permissions merely as a result of the working directory, I don't think it's possible under unix style permissions.

I think you might be able to simulate it though, and fallback on a cron job to set group permissions recursively.

This may be a good place to look at the system-wide shell script setups. For instance, I might define a shell function in the system's bashrc like:

Quote:

db1 () {
OLDUMASK=umask
umask <new umask>
newgrp db1
umask $OLDUMASK

}

This way, each user will inherit this shell function, and in order to use it simply types "db1" at the prompt whenever they do work in the directory in question. I haven't fully tested this, and it does require user training. In fact, now that I thought of it, I will implement it on my systems soon.

--jason

Everything after this line is what I started to write about how files and directories are created under unix/linux. I left it in for information's sake.

Let's look at what happens when the setgid bit is NOT set on a directory. Files and directories will be created with the user and default group names of the users. But what is the default group id that each user is a member of? This is listed in field number 4 of the system's passwd file. It is also shown as "gid=" on the output of id -a.

The umask controls any default file and directory permissions by subtraction. the umask cannot be used to add permissions. Thus, if permission is granted, the file/directory is created with the ownership and default group id of the user. Directory permissions are generally set with 0777 - umask. Files are set with 0666 - umask.

There are two ways to change what group id is used upon file/directory creation: changing the group the user is operating under with the 'newgrp' command, or the setgid bit and group on the working directory. To tell the truth, I haven't used the 'newgrp' command before. The directory's setgid bit is a shorthand method of this.

Thus given the original permissions:

Quote:

drwxrwx--- 2 userA db1 4096 Apr 26 16:54 data

and set userA's umask to 0022, the Details directory will look something like this:

Quote:

drwxr-xr-x 2 userA <UserA_Group> 4096 Apr 26 16:54 Details

if userB's umask is 0002, the Details directory will look something like this:

Quote:

drwxrwxr-x 2 userB <UserB_Group> 4096 Apr 26 16:54 Details

Now when we set the gid bit on the /tmp/data directory, permissions will look like this:

Quote:

drwxrws--- 2 userA db1 4096 Apr 26 16:54 data

Given the above umask values for userA and userB, when userA makes the Details directory, it will look like this:

Quote:

drwxr-sr-x 2 userA db1 4096 Apr 26 16:54 Details

and if userB creates the Details dir:

Quote:

drwxrwsr-x 2 userB db1 4096 Apr 26 16:54 Details

Note that in order for userA to create files or directories writable by userB, userA will need to alter each permission as they are created, or change his/her umask.

--jason

Toushi · 04-28-2011, 06:15 AM

Hello jason,

Now I got it!

Thank you very much to helping me to solve this problem

Regards,
Toushi