change permission of directory and all its sub-directories/files recursively

whissama · 05-04-2018, 06:02 AM

I have search around but can't find the correct answer.

How do I change the permission of a directory and all its sub-directories/files then also when a user creates a file or directory this must also follow the same permissions set at the beginning.

Basically this is what i want to do:

Keep in mind I am running a Ubuntu Server 16.04.3 with 2 virtual hosts (so 2 separate IP's used)

1= create a new virtual host (i have completed this)
2= create a new directory /var/www/example ()i have completed this)
3= created new group and user with the same name(as i wanted to mimic the same as www-data user and group.)
3= change ownership of directory:
-- used command: sudo chown -R user:group /var/www/example (this change the owner to my desired owner and group owner)

4= set permissions of this directory to 775
-- used command: sudo chmod -R 775 /var/www/example (this changed the permissions)

after all of these done i am still able to use a user to create a file which is good as this user is in the group i created but the thing is that the permissions are all wrong and the file owner is also wrong. (the user i used is also part of another group that is used on the other virtual host).

Please guide me to a solution. thanks

_roman_ · 05-04-2018, 06:31 AM

are you aware of user and group "user" numbers

I usually set my user to my birthdate DDMM (so when i access wiht different distros, it doesn not matter, as it is awlays my birthday user code.
and i set my groupid also to the same number

I think the thinking in usernames is just wrong. afaik the system thinks in usernumber and groupnumber. the name is just an abreviation in my point of view

I also think the user definition just translates it into those numbers.

/etc/passwd should give a hint

Turbocapitalist · 05-04-2018, 06:43 AM

It's a little complicated in the default file systems used in GNU/Linux. I wrote a short blog post about setting group permissions for directories using either the setGUID bit or ACLs. See if that helps or if it brings up more questions.

whissama · 05-07-2018, 05:09 AM

Thanks Turbocapitalist for the link opened my eyes to a lot.

I have done these:

# chgrp staff /var/www/example.com
# chmod g+s /var/www/example.com
# find /var/www/example.com -type d -exec chmod g+s {} +
# setfacl -m "default:group::rwx" /var/www/example.com
# find /var/www/example.com -type d -exec setfacl -m d:g::rwx {} +
# find /var/www/example.com -type d -exec chmod g+rwx {} +

Now when user1 creates a file then that file inherits the groups name but the user1 becomes the owner. The permissions of that created file becomes rw-rw-r-- user1.
Another user called user2 who is part of the group who owns the directory /var/www/example.com then goes to the file just created by user1 and can edit this file. The user2 can edit without any problem on the server via Putty however when editing the file via WINscp an error pops up saying "Upload of file.html was successful, but error occurred while setting the permission and/or timestamp." The user2 is using a windows pc to edit files using WINscp. This is very weird to me.

The other thing is are the above steps correct when changing ownership of directory group then the chmod,find and setfacl.

I first did it your way in the blog:

groupadd staff
chown -R root:staff /var/www/example.com/
find /var/www/example.com/ -type d -exec chmod u=rwx,g=rwxs,o=rx "{}" \;
find /var/www/example.com/ -type f -exec chmod u=rw,g=rw,o=r "{}" \;

setfacl -b -m group:staff:rwx,default:group:staff:rw- /var/www/example.com/

I then changes the find /var/www/example.com/ -type f -exec chmod u=rw,g=rw,o=r "{}" \; to find /var/www/example.com/ -type f -exec chmod u=rwx,g=rwx,o=rx "{}" \;
but then the permissions were still coming up as rw-rw-r which i think is the reason for that error i am getting in WINscp. This is now getting so confusing. Am i understanding it wrong?

Turbocapitalist · 05-07-2018, 05:37 AM

Quote:

Originally Posted by whissama

Thanks Turbocapitalist for the link opened my eyes to a lot.

I have done these:

Code:

# chgrp staff /var/www/example.com
# chmod g+s /var/www/example.com
# find /var/www/example.com -type d -exec chmod g+s {} +
# setfacl -m "default:group::rwx" /var/www/example.com
# find /var/www/example.com -type d -exec setfacl -m d:g::rwx {} +
# find /var/www/example.com -type d -exec chmod g+rwx {} +

First, the group permissions must be set to allow writing. Just doing +s leaves too much up to the umask, so to set an absolute value the second line should be like this one, followed by a verification:

Code:

chmod g=rwxs /var/www/example.com
ls -lhd /var/www/example.com

Either way the ls should show the group can write.

Second, are those users in the group 'staff' on that machine?

Code:

groups user1 user2

And the ACL is there to override the umask. So it may or may not be needed. However, you can view it:

Code:

gefacl /var/www/example.com

whissama · 05-07-2018, 07:08 AM

I have done what you suggested above however when user1 creates a file then the permissions for the file is still rw-rw-r. Which is 664 i think? when i want it to be 774 (rwxrwxr--).

The users are on the machine. When i run the command "groups user1 user2" then they do show that both are in the staff group.

This is my output when i run the command "getfaclt /var/www/example.com":

getfacl: Removing leaing '/' from absolute path names
# file: var/www/example.com
# owner: root
# group: staff
# flags: -s-
user::rwx
group::rwx
group:staff:rwx
mask::rwx
other::r-x
default:user::rwx
default:group:staff:rwx
default:mask::rwx
default

ther::r-x