Linux - NewbieThis Linux forum is for members that are new to Linux.
Just starting out and have a question?
If it is not in the man pages or the how-to's this is the place!
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
Sorry if this is too simple for a Linux expert, but I need some clarifications.
- Here's the need:
Create a folder for the HR department that will permit the HR team to create/modify/delete any folder/files within the hierarchy of that folder.
- Here's what's been done:
1.- Create "/shared/HR" folder
2.- Create HR group "HRTeam"
3.- Add HR users to the "HRTeam" group
4.- Set folder owner: chown -R <admin>:HRTeam /shared/HR
5.- Set permissions: chmod -R u+rwx,g+rwx,o-rwx /shared/HR
- Here's the issue:
1.- HR user Jane Doe (jdoe) creates a file and has this listing:
-rw-r--r--. jdoe users 26024 Dec 21 08:12 CA_Cities.xlsx
2.- Even if the file was created by an HRTeam member, nobody else in the HRTeam can read/modify/delete that file
To come up with a 3-digit number you need to consider what permissions you want owner, group, and user to have, and then total their values up. For example, if you want to grant the owner of a directory read write and execution permissions, and you want group and everyone else to have just read and execute permissions, you would come up with the numerical values like so:
1.- HR user Jane Doe (jdoe) creates a file and has this listing:
-rw-r--r--. jdoe users 26024 Dec 21 08:12 CA_Cities.xlsx
2.- Even if the file was created by an HRTeam member, nobody else in the HRTeam can read/modify/delete that file
you have the read flag set on group and others also read.
--
maybe try first chmod 770 file
edit: I love the arch linux wiki
# chattr +i /path/to/file
That way I could fix the gentoo dhcpcd bug. Or my laziness and think i know better how things should work.
when you use chattr +i you will have certain issue on that file. no stupid system deamon (gentoo developer developed dhcpcd) can nuke it. off topic: dhcpcd does not respect the old design how network should behave. I only talk about the gentoo shipped ebuild.
Distribution: openSUSE, Raspbian, Slackware. Previous: MacOS, Red Hat, Coherent, Consensys SVR4.2, Tru64, Solaris
Posts: 2,802
Rep:
Quote:
Originally Posted by RexDeus9
Hi,
Sorry if this is too simple for a Linux expert, but I need some clarifications.
- Here's the need:
Create a folder for the HR department that will permit the HR team to create/modify/delete any folder/files within the hierarchy of that folder.
The last command makes each new object created in the directory tree owned by the "hr" group.
Create a group--using whatever user management tool you have--called "hr" and add each HR user (say: sue, linda, nick) to that group. When you're done you should see something like:
Code:
$ grep hr /etc/group
hr:x:1003:sue,linda,nick
Finally, and this is important, the user mask for each of those users needs to something other than the default of "022". I've used
Code:
umask 002
for users that need read/write access to a development tree. Put this in their profile (~/.bashrc or whatever). I put it near the end of the profile. Without changing the umask, newly created files and directories will be owned by the individual users, granted read/write access to that user, but the group access will still be read--no write access--so other users will encounter "odd" permission errors depending on what they're trying to do. Just set the umask to avoid these.
This is a pretty simple access control mechanism. For more complex controls ("sue" and "linda" can edit /shared/HR/payroll files but "nick" can only read, etc.), you'll find yourself looking into access control lists (ACLs). For a little "light" reading, try "man setfacl" and "man getfacl".
Distribution: Debian /Jessie/Stretch/Sid, Linux Mint DE
Posts: 5,195
Rep:
The problem with changing the umask is that all files created by a user will be 775. I find that often undesirable.
I though the correct solution is to put the setgid bit on the shared/HR directory. IF someone has permissions to write in this directory, all files will automatically bear the permissions of the parent directory. And all files will be owned by the HR group.
So, once shared/HR has: drwxrwsr--, all files below it will have -rwxrwxr--.
The problem with changing the umask is that all files created by a user will be 775. I find that often undesirable.
I though the correct solution is to put the setgid bit on the shared/HR directory. IF someone has permissions to write in this directory, all files will automatically bear the permissions of the parent directory. And all files will be owned by the HR group.
So, once shared/HR has: drwxrwsr--, all files below it will have -rwxrwxr--.
Did you test that? Sorry, but the setgid bit on the directory causes new files to inherit the just GID of the directory, not the group permissions.
The entire reason for the change to assigning a unique primary GID per user (as opposed to the eariler convention of putting all users in a group called "users") is to allow users to safely open up their umask to allow group access. That allows a group-shared directory to give full read/write access to files. If you don't want to do that, the alternative is to set a directory's default ACL to allow access to files. That default ACL is inherited by newly created files.
Distribution: openSUSE, Raspbian, Slackware. Previous: MacOS, Red Hat, Coherent, Consensys SVR4.2, Tru64, Solaris
Posts: 2,802
Rep:
Quote:
Originally Posted by jlinkels
The problem with changing the umask is that all files created by a user will be 775. I find that often undesirable.
I though the correct solution is to put the setgid bit on the shared/HR directory. IF someone has permissions to write in this directory, all files will automatically bear the permissions of the parent directory. And all files will be owned by the HR group.
So, once shared/HR has: drwxrwsr--, all files below it will have -rwxrwxr--.
In my reply, I DO set the gid bit in the parent directory. Files created in the directory don't always get the group write permission--it depends on the umask setting of the user creating the file. At least that's how it's behaving on OpenSuse. The only sure fire way I've run across to ensure permissions are set be default in the scenario w/o tweaking each user's umask in the original post is using ACLs (setfacl -d ...). You really have to dive into ACLs and get used to how they behave or it can be confusing.
(In a former life, there were cases where we used to control access to files/directories on VMS by setting the normal file/directory permissions to none for everyone; all access was through ACLs and rights identifiers. Blew user's minds.)
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.