LinuxQuestions.org
Old 12-09-2011, 01:52 PM   #1
Nibaly
LQ Newbie
 
Registered: Nov 2011
Posts: 7

Rep: Reputation: Disabled
Question Permission User&Group


Hi everyone, I have a simple question (I hope).

This is the scenario:

- 3 different users created as: adduser -G "namegroup" "nameuser"

- 1 directory with grant: chown nobody:namegroup /home/dir

What should I do if I want only the 3 users to have access to /home/dir?
..and what should I do so that the owner of the files that they create is "namegroup"?!

Tnx
 
Old 12-09-2011, 02:52 PM   #2
tronayne
Senior Member
 
Registered: Oct 2003
Location: Northeastern Michigan, where Carhartt is a Designer Label
Distribution: Slackware 32- & 64-bit Stable
Posts: 3,541

Rep: Reputation: 1060
Assuming all three users are members of a special group (their default should be users), you would
Code:
su -
cd /home
chmod 770 dir
chown -R nobody:namegroup dir
That will give the three users read-write access to /home/dir and there will be no access for any other user (except, of course, root).

Actually, your three users should be members of a number of groups; if you enter
Code:
su - user
groups
exit
you should see something like this for each of those users
Code:
users lp floppy dialout audio video cdrom plugdev power usbfs netdev scanner namegroup
If you're going to add a user account to a group, you should do it like this:
Code:
usermod -a -G groupname user01 [user02] [user03] [...]
See this part of man usermod:
Code:
-G, --groups GROUP1[,GROUP2,...[,GROUPN]]]
    A list of supplementary groups which the user is also a member of. Each group is separated from the
    next by a comma, with no intervening whitespace. The groups are subject to the same restrictions as
    the group given with the -g option.

    If the user is currently a member of a group which is not listed, the user will be removed from the
    group. This behaviour can be changed via the -a option, which appends the user to the current
    supplementary group list.
Hope this helps some.
 
Old 12-10-2011, 06:30 AM   #3
Nibaly
Hi tronayne, tnx for ur answer

I did what u said, and look this:

Code:
[user01@linuxlab home]$ ll
total 36
drwx------. 2 root   root     16384 Nov 20 16:13 lost+found
drwxrwx---. 2 nobody sharegrp  4096 Dec 10 12:13 shared
drwx------. 4 user01 user01    4096 Dec 10 12:15 user01
drwx------. 4 user02 user02    4096 Dec 10 12:15 user02
drwx------. 4 user03 user03    4096 Dec 10 12:16 user03
[user01@linuxlab home]$ cd shared/
[user01@linuxlab shared]$ ll
total 0
[user01@linuxlab shared]$ touch hello
[user01@linuxlab shared]$ ll
total 0
-rw-rw-r--. 1 user01 user01 0 Dec 10 12:18 hello
I solved part of my problem..cause, as u can see, when I create a file (hello file) in the shared directory, the owner of that file is the user and not the group

I need to setgid?!
Is it the same to make sharegrp the owner of the file?

..and, for example, if I want user03 to be unable to read, write or execute anything in the shared dir, BUT still as a member of sharegrp, what must I do?! Do I need to use ACLs?

Tnx again

Last edited by Nibaly; 12-10-2011 at 06:34 AM.
 
Old 12-10-2011, 07:18 AM   #4
Nibaly
I solved (part of "problem") with ACLs

Code:
[root@linuxlab home]# setfacl -m u:user03:--- /home/shared
[root@linuxlab home]# getfacl /home/shared
getfacl: Removing leading '/' from absolute path names
# file: home/shared
# owner: nobody
# group: sharegrp
user::rwx
user:user03:---
group::rwx
mask::rwx
other::---

[root@linuxlab home]# su - user03
[user03@linuxlab ~]$ cd ..
[user03@linuxlab home]$ cd shared/
-bash: cd: shared/: Permission denied
Tnx

Last edited by Nibaly; 12-10-2011 at 07:59 AM.
 
Old 12-10-2011, 07:55 AM   #5
Nibaly
Now..the "last thing" is this:

"I solved part of my problem..cause, as u can see, when I create a file (hello file) in the shared directory, the owner of that file is the user and not the group

I need to setgid?!
Is it the same to make sharegrp the owner of the file?"

Can anyone help me?

Tnx
 
Old 12-10-2011, 09:17 AM   #6
tronayne
I think maybe we're missing something about the concept of groups in Unix and Linux systems. So let's take a swing at explaining what users and groups are and what they're for; from http://www.centos.org/docs/5/html/De...rs-groups.html
Quote:
Users can be either people (meaning accounts tied to physical users) or accounts which exist for specific applications to use.

Groups are logical expressions of organization, tying users together for a common purpose. Users within a group can read, write, or execute files owned by that group.

Each user and group has a unique numerical identification number called a userid (UID) and a groupid (GID), respectively.

A user who creates a file is also the owner and group owner of that file. The file is assigned separate read, write, and execute permissions for the owner, the group, and everyone else. The file owner can be changed only by the root user, and access permissions can be changed by both the root user and file owner.
From your listing above, it appears that you've created users with their user ID also being their group ID. Uh, there's no polite way to say this, no, you do not want to do that.

When you add a user account, that account will belong to certain default groups with the primary default group being users (on every system I've seen anyway). They do not and should not belong to a group named their user account name (think about it: what would that accomplish?).

The idea is that you have an identity (your user account name) and you belong to, oh, a club of other users. Every member of the club has his or her own name and shares a common identity with every other member of the club. The big club is users (yes, that's the actual name of the group: users). The little club is shared and only certain members of the big club belong to the little club.

Another way to look at this is say you've got 15 employees. They all have unique names (user IDs) and they all belong to the same group (users or employees), there are eight men and seven women. There are separate toilet facilities for men and women so the eight men also belong to a group men and the seven women also belong to a group women; don't forget that they all belong to the employee group (users).

What you wanted to do was create a separate group, shared, and add three users to that group in addition to their default group users.

What you apparently did do was add a group name for each user ID that was the same name as their user ID (and you probably are going to want to undo that at some point).

So, what to do, what to do.

When someone (or a manual page) gives an example where some of the arguments are enclosed in brackets; e.g., [user02], that means that those arguments are optional and you should look at the manual page for the proper syntax -- I should have explained that and I apologize for not having done so.

Let's get your users to be members of the group shared:
Code:
# usermod takes one login name per call, so loop over the users
for u in user01 user02 user03; do usermod -a -G shared "$u"; done
(where user01, user02 and user03 are the actual names of the users to be added to the shared group).

You have created a directory /home/shared. Because these users' default group is users and you want these three users to also be members of shared, they should do this to work in /home/shared
Code:
newgrp shared
cd /home/shared
<do stuff>
newgrp
Please, read the manual page for newgrp to understand what the above does.

Now, here's the tricky part -- fixing things.

Log in as a user, open a terminal window and do this
Code:
groups
and post that.

Also post this:
Code:
cat /etc/group
and post that.

Finally, log in as root (or use su -) and create a user, say sample with the adduser utility -- accept all the default values (except, you know, the user ID). Then log in as that user and repeat
Code:
groups
and post that.

You can remove the user sample with the userdel utility like this
Code:
userdel -r sample
Hope this helps some.
 
Old 12-10-2011, 04:01 PM   #7
Dark_Helmet
Senior Member
 
Registered: Jan 2003
Posts: 2,786

Rep: Reputation: 373
Quote:
Originally Posted by Nibaly
I need to setgid?!
Is it the same to make sharegrp the owner of the file?
Yes, setting setgid on the directory will automatically cause new files to inherit group ownership from the parent directory. For example:
Code:
root@localhost:~# mkdir /home/staffshare
root@localhost:~# ls -ld /home/staffshare/
drwxr-xr-x 2 root root 4096 Dec 10 14:40 /home/staffshare/
root@localhost:~# chown root:staff /home/staffshare/
root@localhost:~# ls -ld /home/staffshare/
drwxr-xr-x 2 root staff 4096 Dec 10 14:40 /home/staffshare/
root@localhost:~# chmod 2770 /home/staffshare/
root@localhost:~# ls -ld /home/staffshare/
drwxrws--- 2 root staff 4096 Dec 10 14:40 /home/staffshare/
root@localhost:~# cd /home/staffshare/
root@localhost:/home/staffshare# ls -l
total 0
root@localhost:/home/staffshare# touch testfile
root@localhost:/home/staffshare# ls -l
total 0
-rw-r--r-- 1 root staff 0 Dec 10 14:42 testfile
root@localhost:/home/staffshare# mkdir subdir
root@localhost:/home/staffshare# ls -l
total 4
drwxr-sr-x 2 root staff 4096 Dec 10 14:46 subdir
-rw-r--r-- 1 root staff    0 Dec 10 14:42 testfile
root@localhost:/home/staffshare#
That's a lot of output, but it shows two important things:
1. The "extra" leading '2' on the chmod command represents the part necessary to get the setgid bit turned on.
2. Creating a subdirectory within a setgid directory causes the subdirectory to inherit the setgid bit (as well as the group ownership)

As to your problem earlier, yes, ACLs are what you need if you require different permission levels within a group. For instance, you may have a software development team with two parts: developers and testers. You want them all to do their work in one common directory tree, but you do not want the testers to have write permissions on the project's source files. Likewise, you do not want the developers to have write access to the testers' tests or their testing reports.

While you may be able to create a complex scheme of project-group+project-developer-group+project-tester-group, it gets unwieldy if, for instance, one person is BOTH a developer (for portion A) and a tester (for portion B).

Quote:
Originally Posted by tronayne
From your listing above, it appears that you've created users with their user ID also being their group ID. Uh, there's no polite way to say this, no, you do not want to do that.
Not trying to be combative, but the maintainers of Debian, Ubuntu, CentOS, and Fedora would disagree with you. By default, every new user added to the system is added to a group with the same name as the user's name. The group ID may also be the same value as the user ID. As far as the system is concerned, there is no relation between the two IDs. They are just numbers used to look up information in separate tables.

It should be easy to verify, because the user's home directory should have username:username ownership.

In addition to the user-specific group, the new user is automatically added to other groups as well (e.g. users, cdrom, floppy, audio, etc. depending on system configuration).

I have encountered setups where the users do not have a unique group created, but my experience is those systems are not the norm. Also, they were usually corporate, heavily configured environments.

EDIT:
Nothing substantive--just tried to add color to highlight ownership in the above commands.

Last edited by Dark_Helmet; 12-10-2011 at 04:55 PM.
 
1 members found this post helpful.
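
Why the `user:user03:---` entry from post #4 shuts user03 out even though user03 is still in sharegrp: the access check documented in acl(5) tries the owner, then named users, then groups, then other, and stops at the first class that matches. The script below is an added example, not code from any poster; `sample_acl` and `acl_effective` are hypothetical names, and the listing is the getfacl output from post #4.

```shell
#!/bin/sh
# Added example, not from the thread: evaluate a getfacl listing in the
# order acl(5) documents (owner, named user, groups, other).

# The ACL printed in post #4, copied inline so the script runs offline.
sample_acl() {
    cat <<'EOF'
# file: home/shared
# owner: nobody
# group: sharegrp
user::rwx
user:user03:---
group::rwx
mask::rwx
other::---
EOF
}

# acl_effective USER "GROUP1 GROUP2 ..." < getfacl-output
# Prints the rwx string USER ends up with, each bit checked separately.
acl_effective() {
    awk -v user="$1" -v groups="$2" '
    function band(a, b,    i, r) {      # keep a bit only if both have it
        for (i = 1; i <= 3; i++)
            r = r ((substr(a, i, 1) != "-" && substr(b, i, 1) != "-") ? substr(a, i, 1) : "-")
        return r
    }
    function bor(a, b,    i, r) {       # keep a bit if either has it
        for (i = 1; i <= 3; i++)
            r = r ((substr(a, i, 1) != "-") ? substr(a, i, 1) : substr(b, i, 1))
        return r
    }
    BEGIN { mask = "rwx"; acc = "---" } # no mask entry means nothing is masked
    /^# owner: / { owner = $3 }
    /^# group: / { fgroup = $3 }
    /^#/ || NF == 0 { next }
    {
        split($1, f, ":")               # tag:qualifier:perms
        if (f[1] == "user" && f[2] == "")       uobj = f[3]
        else if (f[1] == "user")                nuser[f[2]] = f[3]
        else if (f[1] == "group" && f[2] == "") gobj = f[3]
        else if (f[1] == "group")               ngroup[f[2]] = f[3]
        else if (f[1] == "mask")                mask = f[3]
        else if (f[1] == "other")               other = f[3]
    }
    END {
        if (user == owner) { print uobj; exit }                     # 1. owner, never masked
        if (user in nuser) { print band(nuser[user], mask); exit }  # 2. named user, masked
        n = split(groups, g, " ")
        for (i = 1; i <= n; i++) {                                  # 3. every matching group
            if (g[i] == fgroup) { acc = bor(acc, gobj); hit = 1 }
            if (g[i] in ngroup) { acc = bor(acc, ngroup[g[i]]); hit = 1 }
        }
        if (hit) { print band(acc, mask); exit }
        print other                                                 # 4. everyone else
    }'
}

sample_acl | acl_effective user03 "user03 sharegrp"   # named-user entry is used
sample_acl | acl_effective user01 "user01 sharegrp"   # falls through to the group
```

On a live system, feed it `getfacl /home/shared` and the output of `id -Gn user03` instead of the inline sample.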
Old 12-10-2011, 05:11 PM   #8
tronayne
Quote:
Originally Posted by Dark_Helmet View Post
Not trying to be combative, but the maintainers of Debian, Ubuntu, CentOS, and Fedora would disagree with you. By default, every new user added to the system is added to a group with the same name as the user's name. The group ID may also be the same value as the user ID. As far as the system is concerned, there is no relation between the two IDs. They are just numbers used to look up information in separate tables.
Well. I've learned something today.

I come from a System V and Solaris background and have exclusively used Slackware since adopting Linux; never seen that behavior when adding users to a system over the past, oh, lordy, 30 years or so. Users get a unique UID and default to group users and that's pretty much that.

Thanks for the education!
 
Old 12-10-2011, 06:14 PM   #9
Dark_Helmet
Ah, see, my experience with Solaris is limited to say the least. The last hands-on I had with Solaris was 14 years ago in college on "pizza boxes" set up in the computer science labs. So I certainly wouldn't be aware if Solaris evolved a different philosophy re: user groups.

At the risk of beating a dead horse, my intention was not to be rude or condescending. I hope no one sees it that way.
 
Old 12-11-2011, 08:21 AM   #10
Nibaly
First: Tnx to everyone for your help

Second: I solved it by doing this:

Code:
[root@linuxlab home]# chmod -R 4770 shared/
[root@linuxlab home]# ll
total 44
drwx------. 2 root   root     16384 Nov 20 16:13 lost+found
drwsrwx---+ 2 nobody sharegrp  4096 Dec 11 14:14 shared
drwx------. 4 user01 user01    4096 Dec 10 13:37 user01
drwx------. 4 user02 user02    4096 Dec 10 12:15 user02
drwx------. 4 user03 user03    4096 Dec 10 13:36 user03
[root@linuxlab home]# usermod -g sharegrp user01
[root@linuxlab shared]# su - user01
[user01@linuxlab ~]$ cd /home/shared/
[user01@linuxlab shared]$ ll
total 4
-rw-r--r--+ 1 root   root   0 Dec 10 12:56 aclfile
-rw-rw-r--. 1 user01 user01 0 Dec 10 12:18 hello
[user01@linuxlab shared]$ touch testfile
[user01@linuxlab shared]$ ll
total 4
-rw-r--r--+ 1 root   root     0 Dec 10 12:56 aclfile
-rw-r--r--. 1 user01 sharegrp 0 Dec 11 14:14 testfile
-rw-rw-r--. 1 user01 user01   0 Dec 10 12:18 hello
Tnx again for all your support and time
 
Old 12-11-2011, 08:44 AM   #11
tronayne
Well, I certainly don't feel condescended to -- honest to gosh, I have never seen a user name and user ID being automagically assigned to a group name and group ID (and really can't imagine why that would be done or what benefit it would offer, but I suppose there's a good reason for doing it).

Sun Solaris is based on SVR4 where earlier SunOS was Berkeley (BSD) based (and I never used one of those, came to Sun from SVR4 servers at Solaris). I actually chose Slackware because it's the most like SVR4 of the Linux distributions -- and the most un-fooled-around-with of any Linux distributions I've looked at -- in addition to being rock-solid and dependable. The migration from Solaris to Slackware was and remains trivial (and I still develop for both platforms with only occasional insignificant tweaks).

But, bottom line, you've solved the problem for the OP and that's the most important thing. Good on ya.
 
Old 12-11-2011, 01:05 PM   #12
Dark_Helmet
Quote:
Originally Posted by Nibaly
Second: I solved it by doing this:
Code:
[root@linuxlab home]# chmod -R 4770 shared/
<snip>
That command shouldn't work. The leading 4 of the permissions sets the setuid bit on a directory. My understanding is that the setuid bit on a directory is ignored (see Wikipedia: Setuid)

I'm glad it's working for you, but the information I have would suggest it's working for some other reason. Double-check other changes you have made so that you can be certain what you did that fixed it. If indeed it's the setuid bit, then great. But, sort of like tronayne, I've never seen a system work like that. That doesn't mean it's impossible though.

Quote:
Originally Posted by tronayne
can't imagine why that would be done or what benefit it would offer
I can't say with certainty, but I think I've read that it's done that way to prevent inadvertent file sharing of a user's home directory. If all users belong to the "user" group, then there's the potential that other members of "users" can snoop around in a specific user's home directory if careful attention is not given to permissions. And as an aside, I remember when I was new to Linux that I would "chmod 777" files whenever I tried to "debug" something to make sure permissions were not my problem. Anyway, not important.
 
Old 12-11-2011, 02:44 PM   #13
Nibaly
U are right Dark_Helmet, my error, the right command is:

Code:
[root@linuxlab home]# chmod -R 2770 shared/


Tnx again
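
A caveat on `chmod -R 2770`: the recursion also makes every regular file in the tree setgid and executable. The script below is an added example, not from any poster; it sets the bit on directories only and audits a tree against that policy. `harden_share`, `audit_share` and `demo` are hypothetical names, the tree is constructed under a temporary directory, and a Linux system with find, chmod, sed and mktemp is assumed.

```shell
#!/bin/sh
# Added example, not from the thread.

# harden_share DIR: directories get setgid + rwx for owner and group (2770);
# regular files get rw for owner and group only (0660), no setuid/setgid.
harden_share() {
    find "$1" -type d -exec chmod 2770 {} +
    find "$1" -type f -exec chmod 0660 {} +
}

# audit_share DIR GROUP: print each path that breaks the policy.
# Returns 0 when the tree is clean, 1 when at least one finding was printed.
audit_share() {
    findings=$(
        find "$1" -type d ! -perm -2000 | sed 's/^/dir without setgid: /'
        find "$1" -type f \( -perm -4000 -o -perm -2000 \) |
            sed 's/^/file with setuid or setgid: /'
        find "$1" \( -perm -004 -o -perm -002 -o -perm -001 \) |
            sed 's/^/accessible to others: /'
        find "$1" ! -group "$2" | sed 's/^/wrong group: /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# demo: constructed tree owned by the calling user, so no root is needed;
# the group is the caller's own primary group (numeric, from id -g).
demo() {
    share=$(mktemp -d) || return 1
    grp=$(id -g)
    mkdir "$share/docs"
    : > "$share/docs/report.txt"

    echo "== after chmod -R 2770 (the command from the thread) =="
    chmod -R 2770 "$share"
    audit_share "$share" "$grp" || true

    echo "== after harden_share =="
    harden_share "$share"
    audit_share "$share" "$grp" && echo "clean"

    # A directory created later inherits the setgid bit from its parent.
    mkdir "$share/docs/new"
    [ -n "$(find "$share/docs/new" -prune -perm -2000)" ] && echo "new subdir is setgid"
    rm -rf "$share"
}

demo
```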
 
  

