LinuxQuestions.org


fhd 04-03-2009 12:24 PM

Group write access for newly created files/directories without changing umask
 
Hi,

I have several directories, each owned by root and a group of the same name, like this:
Code:

drwxrwsr-x 2 root group1 4096 2009-04-03 18:10 group1
drwxrwsr-x 2 root group2 4096 2009-04-03 18:10 group2
drwxrwsr-x 2 root group3 4096 2009-04-03 18:10 group3

As you may have guessed, each user of group1, group2 or group3 should have write access to the respective directory.

By setting the sgid bit, I made sure that newly created files and directories are owned by the correct group, and that directories have the sgid bit set too.

Here goes my problem:
On each newly created directory or file, the permissions are set to 755. This is because this is the default umask, and I cannot change a user's umask. I actually only want files created below a particular directory to have group write access, inheriting this behaviour to newly created directories properly.

I'm not on samba or NFS, I have to do this for SSH users.
The filesystem is ext3.

I started to fool around with ACLs, but couldn't find what I was looking for.

What do you think?

Valery Reznic 04-04-2009 07:45 AM

If you can create directories owned by root, why can't you change the user's umask?

And what is the purpose of those group-writable files?

jschiwal 04-04-2009 08:02 AM

It is up to the user creating a file to change the group write attribute.

You can use setfacl and create a default ACL for the directory allowing write access for the group.

E.g.:
Code:

setfacl -m d:g:group1:rwx group1

Now a new file created in the group1/ directory will inherit the default group ACL.
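
The effect of the default ACL suggested above, reproduced in a scratch directory as an added example that is not part of any post in this thread. It assumes the acl tools (setfacl) and a `stat` that supports `-c %A`; the caller's own primary group stands in for group1, and the directory names are made up for the demonstration.

```shell
# Added demonstration: modes of objects created in a setgid directory under
# umask 022, with and without a default ACL.

# Prints "<file mode> <subdir mode>" for objects created inside directory $1.
created_modes() {
    touch "$1/file"            # open(2) requests 0666
    mkdir "$1/sub"             # mkdir(2) requests 0777
    echo "$(stat -c %A "$1/file") $(stat -c %A "$1/sub")"
}

# Prints a "plain:" and an "acl:" line, or SKIP when ACLs are unavailable
# (setfacl missing, or the filesystem does not support POSIX ACLs).
# The body is a subshell, so the umask change does not leak to the caller.
demo_default_acl() (
    umask 022                                   # the umask the poster cannot change
    work=$(mktemp -d) || exit 1                 # constructed scratch area
    mkdir "$work/plain" "$work/acl"
    chgrp "$(id -g)" "$work/plain" "$work/acl"  # stand-in for group1
    chmod 2775 "$work/plain" "$work/acl"        # drwxrwsr-x, as in the thread
    if command -v setfacl >/dev/null 2>&1 &&
       setfacl -m "d:g:$(id -g):rwx" "$work/acl" 2>/dev/null; then
        # Without a default ACL the umask strips group write.
        echo "plain: $(created_modes "$work/plain")"
        # With a default ACL the umask is not applied; the requested mode
        # only caps the inherited entries (0666 for files, so no execute).
        echo "acl:   $(created_modes "$work/acl")"
    else
        echo SKIP
    fi
    rm -rf "$work"
)

demo_default_acl
# On an ACL-capable filesystem this prints:
#   plain: -rw-r--r-- drwxr-sr-x
#   acl:   -rw-rw-r-- drwxrwsr-x
```

The group bits reported for an object that carries an ACL are its ACL mask, so `getfacl` on the new file is the place to confirm the effective rights of the named group entry.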

fhd 04-05-2009 06:28 AM

Thank you very much, works like a charm!

Now I know that the "default" actually does something :)


All times are GMT -5.