LinuxQuestions.org
Old 09-13-2006, 03:22 PM   #1
jon23d
Member
 
Registered: May 2006
Location: Kennewick, WA - USA
Distribution: Ubuntu
Posts: 129

Rep: Reputation: 15
groups and file/folder permissions


I'm a little confused here...

I have a few people who work on client folders. I want them to log into the server and edit files from there.

I have a www folder. The contents of this folder should be editable only by the staff group. If a user creates a file I want anyone in that group to automatically be able to edit that file. Do I have to do a manual chgrp on all of these files?

Inside the www folder I have a folder called clients. I want anybody who is a member of the authors group to be able to edit these files. If a user creates a file in the clients folder any other user who is a member of that group should automatically be able to edit the file as well.

I know this sounds goofy, but I seem to be having a hell of a time getting this simple permissions stuff working...

gr...
 
Old 09-13-2006, 03:40 PM   #2
ygloo
Member
 
Registered: Aug 2006
Distribution: slack
Posts: 323

Rep: Reputation: 30
#

Sticky bit mode: After execution of a job, the command is kept in the system memory. Originally this was a feature used a lot to save memory: big jobs are loaded into memory only once. But these days memory is inexpensive and there are better techniques to manage it, so it is not used anymore for its optimizing capabilities on single files. When applied to an entire directory, however, the sticky bit has a different meaning. In that case, a user can only change files in this directory when she is the user owner of the file or when the file has appropriate permissions. This feature is used on directories like /var/tmp, that have to be accessible for everyone, but where it is not appropriate for users to change or delete each other's data. The sticky bit is indicated by a t at the end of the file permission field:

Last edited by ygloo; 09-13-2006 at 03:43 PM.
 
Old 09-13-2006, 03:44 PM   #3
jon23d
Member
 
Registered: May 2006
Location: Kennewick, WA - USA
Distribution: Ubuntu
Posts: 129

Original Poster
Rep: Reputation: 15
but I want everyone in the group 'authors' to be able to edit the contents of ...../www/clients, no matter who created the file

and only members of staff to be able to edit the contents ......./www, no matter who creates the file
 
Old 09-13-2006, 03:57 PM   #4
ygloo
Member
 
Registered: Aug 2006
Distribution: slack
Posts: 323

Rep: Reputation: 30
try this - I'm not sure though..

make users who you want to edit the files belong to one group - "authors"...
they will have write privilege

drwxrw-r-x users:authors /www/clients
drwxr-xr-x root:root /www

Last edited by ygloo; 09-13-2006 at 04:22 PM.
 
Old 09-13-2006, 04:22 PM   #5
jon23d
Member
 
Registered: May 2006
Location: Kennewick, WA - USA
Distribution: Ubuntu
Posts: 129

Original Poster
Rep: Reputation: 15
that doesn't quite work as well; with the sticky bit set or not, a file created by a member of the staff group in the www folder is still not editable by anyone else in that group

same problem goes for the clients folder

the only way that I can make it editable by anybody in that group is to chgrp or chmod it - the file is still not erasable by anyone even in that case
 
Old 09-13-2006, 04:32 PM   #6
ygloo
Member
 
Registered: Aug 2006
Distribution: slack
Posts: 323

Rep: Reputation: 30
check previous post -it's modified
 
Old 09-13-2006, 04:34 PM   #7
fudam
Member
 
Registered: Feb 2006
Distribution: FC
Posts: 86

Rep: Reputation: 15
I'm not sure if I'm answering your question here but:

chgrp staff /www             # makes /www owned by the group "staff"
chmod g+w /www               # makes /www writable by the group
chmod o-w /www               # makes it read-only by the rest of the world

chgrp authors /www/clients   # makes /www/clients owned by the group "authors"
chmod g+w /www/clients       # makes /www/clients writable by the group


The other two things you should verify are:
  1. Your groups are set up correctly (/etc/group)
  2. Your umask is set correctly (most likely /etc/bashrc if you're using bash)

Hope some of that helped...


-fudam
 
Old 09-13-2006, 04:37 PM   #8
fudam
Member
 
Registered: Feb 2006
Distribution: FC
Posts: 86

Rep: Reputation: 15
Quote:
Originally Posted by jon23d
the only way that I can make it editable by anybody in that group is to chgrp or chmod it
Sounds like a umask issue. Can you show me the ls -l of the directory? Also type in touch hello and then send the ls -l of that too.
 
Old 09-13-2006, 04:56 PM   #9
Micro420
Senior Member
 
Registered: Aug 2003
Location: Berkeley, CA
Distribution: Mac OS X Leopard 10.6.2, Windows 2003 Server/Vista/7/XP/2000/NT/98, Ubuntux64, CentOS4.8/5.4
Posts: 2,986

Rep: Reputation: 45
LOL! Hey look, we have a similar question that I recently asked

http://www.linuxquestions.org/questi...d.php?t=482967

be careful about playing around with the ACL that the other person mentions. I tested it on my /home directory and it kind of fudged up everything. Even rebooting is not giving the proper permissions, even though it'll say RWXRWXRWX and not give me access to my /home directory. Weird

I'm still trying to figure this out before I do it on my real production server.

Last edited by Micro420; 09-13-2006 at 05:02 PM.
 
Old 09-13-2006, 05:04 PM   #10
jon23d
Member
 
Registered: May 2006
Location: Kennewick, WA - USA
Distribution: Ubuntu
Posts: 129

Original Poster
Rep: Reputation: 15
okay, I think I understand what I need to do - though I'm not sure how to go about it quite yet!

When I create a user who is a member of the staff or authors group logs in .bashrc needs to fire off umask #### so that files are automatically created with permissions of rw-rw-r--

correct?

- on a side note
I realized that in the www folder I have a folder called includes which includes passwords for database connections. It seems that there is no way to not allow all users to read the contents of this folder without stopping apache and/or php from reading it as well, does that sound about right?

thanks!
 
Old 09-13-2006, 06:12 PM   #11
Micro420
Senior Member
 
Registered: Aug 2003
Location: Berkeley, CA
Distribution: Mac OS X Leopard 10.6.2, Windows 2003 Server/Vista/7/XP/2000/NT/98, Ubuntux64, CentOS4.8/5.4
Posts: 2,986

Rep: Reputation: 45
I found this great page that should help us both. Will try this when I get home on my test server

http://www.cse.ohio-state.edu/sce/re...rectories.html

Quote:
- on a side note
I realized that in the www folder I have a folder called includes which includes passwords for database connections. It seems that there is no way to not allow all users to read the contents of this folder without stopping apache and/or php from reading it as well, does that sound about right?
How about creating a special group with only the apache and php services that would be allowed to read the password file for the database?

Last edited by Micro420; 09-13-2006 at 06:16 PM.
 
Old 09-13-2006, 07:22 PM   #12
fudam
Member
 
Registered: Feb 2006
Distribution: FC
Posts: 86

Rep: Reputation: 15
Quote:
Originally Posted by jon23d
When I create a user who is a member of the staff or authors group logs in .bashrc needs to fire off umask #### so that files are automatically created with permissions of rw-rw-r--
Right. Assuming you're using bash:
  1. su to root
  2. edit /etc/bashrc
  3. Type in the following to make the umask of all standard users 002:
    Code:
    if [ "$UID" -gt 99 ]; then
        umask 002
    fi
  4. Save the file and exit.
  5. Log out, then log back in (or cheat by ssh'ing to yourself).
  6. At command prompt (as a standard user now, not root) type in umask and you HOPEFULLY will get "0002"
Now your default permissions are set up. Now you just need to set up your groups correctly.

------

Quote:
Originally Posted by jon23d
It seems that there is no way to not allow all users to read the contents of this folder without stopping apache and/or php from reading it as well, does that sound about right?
I'm not sure which way you want it to go so I'll try to answer both:

apache is already in the "apache" group, so you can add members to the apache group if you want ONLY apache and those specific members to read it.

But if you want it to go the other way (apache can't read it) then just remove the read permission from "others" (chmod o-r /directory) and make sure it's not owned by the group "apache". Does that answer your question?
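
An added example, not part of any post in this thread: it goes one step beyond the umask advice above by also setting the setgid bit on the shared directory, which is what makes new files and subdirectories take the directory's group without a manual chgrp. It runs in a throwaway temp directory with the caller's own group; the helper names and file names are made up for illustration, and on the server root would first chgrp /www to staff and /www/clients to authors.

```shell
#!/bin/sh
# Added example. Temp paths and helper names are illustrative assumptions.

mode_of()  { ls -ld "$1" | cut -c1-10; }         # permission string, e.g. drwxrwsr-x
group_of() { ls -ld "$1" | awk '{print $4}'; }   # owning group name

# Shared directory: group may write, setgid (the "s") passes the directory's
# group on to everything created inside, others may only read and traverse.
make_shared_dir() { mkdir -p "$1" && chmod 2775 "$1"; }

# Create a file or directory under a given umask; the subshell keeps the
# caller's own umask untouched.
new_file() { ( umask "$1" && : > "$2" ); }
new_dir()  { ( umask "$1" && mkdir "$2" ); }

# Secrets directory (the "includes" case): remove all access for others.
# "chmod o-r" alone leaves o+x, so a file whose name is known stays readable.
lock_down() { chmod o-rwx "$1"; }

demo() {
    top=$(mktemp -d) || return 1
    make_shared_dir "$top/clients"
    new_file 022 "$top/clients/strict.html"   # common default: group cannot edit
    new_file 002 "$top/clients/shared.html"   # umask 002: group can edit
    new_dir  002 "$top/clients/acme"          # subdirectory inherits setgid
    new_dir  022 "$top/includes" && lock_down "$top/includes"
    for p in clients clients/strict.html clients/shared.html clients/acme includes; do
        printf '%s %-8s %s\n' "$(mode_of "$top/$p")" "$(group_of "$top/$p")" "$p"
    done
    # Deleting or renaming a file needs write permission on the directory,
    # not on the file, so group members can remove each other's files here
    # unless the sticky bit is also set on the directory.
    rm -rf "$top"
}

demo
```

Run `ls -ld` on the real directories afterwards and look for the `s` in the group triplet; files created before the bit was set keep their old group and still need a one-time chgrp.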
 
  


All times are GMT -5.