I have a few people who work on client folders. I want them to log into the server and edit files from there.
I have a www folder. The contents of this folder should be editable only by the staff group. If a user creates a file I want anyone in that group to automatically be able to edit that file. Do I have to do a manual chgrp on all of these files?
Inside the www folder I have a folder called clients. I want anybody who is a member of the authors group to be able to edit these files. If a user creates a file in the clients folder any other user who is a member of that group should automatically be able to edit the file as well.
I know this sounds goofy, but I seem to be having a hell of a time getting this simple permissions stuff working...
Sticky bit mode: After execution of a job, the command is kept in the system memory. Originally this was a feature used a lot to save memory: big jobs are loaded into memory only once. But these days memory is inexpensive and there are better techniques to manage it, so it is not used anymore for its optimizing capabilities on single files. When applied to an entire directory, however, the sticky bit has a different meaning. In that case, a user can only change files in this directory when she is the user owner of the file or when the file has appropriate permissions. This feature is used on directories like /var/tmp, that have to be accessible for everyone, but where it is not appropriate for users to change or delete each other's data. The sticky bit is indicated by a t at the end of the file permission field:
That doesn't quite work as well. With the sticky bit set or not, a file created by a member of the staff group in the www folder is still not editable by anyone else in that group.
The same problem goes for the clients folder.
The only way that I can make it editable by anybody in that group is to chgrp or chmod it - the file is still not erasable by anyone even in that case.
I'm not sure if I'm answering your question here but:
chgrp staff /www <-- makes /www owned by the group "staff"
chmod g+w /www <-- makes /www writable by the group
chmod o-w /www <-- makes it read-only by the rest of the world
chgrp authors /www/clients <-- makes /www/clients owned by the group "authors"
chmod g+w /www/clients <-- makes /www/clients writable by the group.
The other two things you should verify are:
Your groups are set up correctly (/etc/group)
Your umask is set correctly (most likely /etc/bashrc if you're using bash)
be careful about playing around with the ACL that the other person mentions. I tested it on my /home directory and it kind of fudged up everything. Even rebooting is not giving the proper permissions, even though it'll say RWXRWXRWX and not give me access to my /home directory. Weird
I'm still trying to figure this out before I do it on my real production server.
okay, I think I understand what I need to do - though I'm not sure how to go about it quite yet!
When a user I create who is a member of the staff or authors group logs in, .bashrc needs to fire off umask #### so that files are automatically created with permissions of rw-rw-r--
correct?
- on a side note
I realized that in the www folder I have a folder called includes which includes passwords for database connections. It seems that there is no way to not allow all users to read the contents of this folder without stopping apache and/or php from reading it as well, does that sound about right?
Quote:
Originally Posted by jon23d
- on a side note
I realized that in the www folder I have a folder called includes which includes passwords for database connections. It seems that there is no way to not allow all users to read the contents of this folder without stopping apache and/or php from reading it as well, does that sound about right?
How about creating a special group with only the apache and php services that would be allowed to read the password file for the database?
Quote:
Originally Posted by jon23d
When a user I create who is a member of the staff or authors group logs in, .bashrc needs to fire off umask #### so that files are automatically created with permissions of rw-rw-r--
Right. Assuming you're using bash:
su to root
edit /etc/bashrc
Type in the following to make the umask of all standard users 002:
Code:
# Apply the group-writable umask to standard (non-system) accounts only
if [ "$UID" -gt 99 ]; then
    umask 002
fi
Save the file and exit.
Log out, then log back in (or cheat by ssh'ing to yourself).
At command prompt (as a standard user now, not root) type in umask and you HOPEFULLY will get "0002"
Now your default permissions are set up. Now you just need to set up your groups correctly.
------
Quote:
Originally Posted by jon23d
It seems that there is no way to not allow all users to read the contents of this folder without stopping apache and/or php from reading it as well, does that sound about right?
I'm not sure which way you want it to go so I'll try to answer both:
apache is already in the "apache" group, so you can add members to the apache group if you want ONLY apache and those specific members to read it.
But if you want it to go the other way (apache can't read it) then just remove the read permission from "others" (chmod o-r /directory) and make sure it's not owned by the group "apache". Does that answer your question?
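A way to check the result of the steps discussed in this thread, added here as an example and not part of any post: it shows the mode a new file gets under umask 022 versus 002, then lists files that still have the wrong group, lack group write, or are writable by others. The function names and the temporary directory (a constructed stand-in for /www) are assumptions, and it relies on GNU stat and find.

```shell
#!/bin/sh
# Added example. The temp directory below is a constructed stand-in for /www.

# Print the octal mode a new file receives in DIR under umask MASK.
mode_with_umask() {  # usage: mode_with_umask MASK DIR
    (
        umask "$1"                 # subshell: the caller's umask is untouched
        f="$2/.probe.$$"
        : > "$f" && stat -c '%a' "$f"
        rm -f "$f"
    )
}

# List regular files under DIR that break the shared-folder rules:
# wrong group, not group-writable, or writable by others.
audit_shared() {     # usage: audit_shared DIR GID
    find "$1" -type f \( ! -group "$2" -o ! -perm -020 -o -perm -002 \) -print
}

demo() {
    d=$(mktemp -d) || return 1
    gid=$(stat -c '%g' "$d")              # group the sample files will carry
    echo "umask 022 -> $(mode_with_umask 022 "$d")"
    echo "umask 002 -> $(mode_with_umask 002 "$d")"
    ( umask 022; : > "$d/index.html" )    # created before the umask change
    ( umask 002; : > "$d/about.html" )    # created after it
    echo "files still needing chmod/chgrp:"
    audit_shared "$d" "$gid"
    rm -rf "$d"
}

demo
```

On a real tree, call `audit_shared /www "$(getent group staff | cut -d: -f3)"` to find files created before the umask was changed.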