Happy new year to all of you.
I want to share an configuration folder for an group where i can't specify in which directory
to store the configuration. Which is true for the most of all apps i think. I made it this way and think this is
not the best way (security):

+ group "<softuser>" holds the users for access to "<program>"
+ chmod 750 for /usr/bin/<program>
+ added shell-script "/usr/bin/<program>-start" in with chmod 750,chown root,chgrp "<softuser>"
content:
#!/bin/sh
#
chgrp <softuser> -R /opt/<programdir>/.<program-config>
chown root -R /opt/<programdir>/.<program-config> # <--- user can't change owner to root !!!
chmod 770 -R /opt/<programdir>/.<program-config>
/usr/bin/<program>

so user can now start program with "<program>-start" and has access to same documents which another
user modified/created etc. This is what i want. Full Acess for everyone in the group but only in this dir.

I tried 's' flag for <program> but the rights are only then for the specific user. I thought it will be using
the group context but it sets the group to the user-group, how it should be, but not what i want in this case.
I need this on my single-pc. No network access. I have 3 accounts and want them to share this directory for the application only.

Any 'good' advises how to setup something like this in a professional and secure way ?

I forgot to write the reason why it is not a good solution is that the files will be stored with user/usergroup rights so that another account has no access. How said above this is ok but not for my purpose.

Thank you.

NOTE: This is only an untested theory.

You could create a "shared user" and have all users run the program as that user.

Put in /etc/passwd file.
shareduser::10000:10000:User to run program:/opt/programdir:/bin/bash

chown shareduser:shareduser /opt/<programdir>
chmod 770 /opt/<programdir>

In your startup script:

#!/bin/sh
#
su -c /usr/bin/<program> shareduser

Thank you for the tip but it's a gui-app and this works only on console, prompting for passwd. I tried it. But the program didn't start. Additonally i must the hidden .<program> config dir to the new 'shareuser' which i did and it does not work. I thought
it might be easier to write a script which will execute after every
lougout for the 3 users to change the group so that any user has access to the documents which were created by the others. But
.bash_logout does only work for the console. I need something for the gui Gnome/KDE or which desktop will ever be used in the future.

Maybe you have another good idea. Thanx anyway.

Yoo. Dat wars dann wohl. :-(

Well howanout substituting su with kdesu or some gnome alternate? It will then ask for the password with a fancy GUI box..

Hmmm. Thats the point. Thank you. I try it again.