LinuxQuestions.org

Linux - Newbie thread: https://www.linuxquestions.org/questions/linux-newbie-8/using-setgid-to-set-group-of-new-files-4175607857/

NotionCommotion 06-13-2017 11:44 AM

Using setgid to set group of new files
 
I was expecting file "test" to have group "www-data". I see it doesn't have group write permission either, and think that is related.
How is this performed?

Code:

michael@pi2:~ $ mkdir /home/michael/www
michael@pi2:~ $ sudo chgrp www-data /home/michael/www
michael@pi2:~ $ chmod g+s /home/michael/www
michael@pi2:~ $ chmod g+w /home/michael/www
michael@pi2:~ $ touch /home/michael/www/test
michael@pi2:~ $ ls -l /home/michael/www/
total 0
-rw-r--r-- 1 michael michael 0 Jun 13 16:38 test


Turbocapitalist 06-13-2017 12:00 PM

It's done in part by using a different group than www-data. What problem are you trying to solve? It's almost certain that another group should be used instead. The www-data group is there to provide an unprivileged group for the web server.

Back to your original question, the sharing of directories among groups is convoluted enough that it warranted a blog post: Sharing Write Access to a Web Directory for Multiple Users.

What are the actual permissions for that directory?

Code:

ls -lhd /home/michael/www

pan64 06-13-2017 12:03 PM

I would suggest you check the permissions:
Code:

mkdir /home/michael/www
ls -ld /home/michael/www
sudo chgrp www-data /home/michael/www
ls -ld /home/michael/www
...


AwesomeMachine 06-13-2017 12:24 PM

Unless you use the "-R" option for chown, the files you create within www will not inherit the permissions of www.

NotionCommotion 06-13-2017 12:47 PM

Thanks Turbocapitalist and pan64, I had been using ls -l instead of ls -ld. Never knew there was a difference. So, I guess they are group www-data, but shown as group michael?

NotionCommotion 06-13-2017 12:48 PM

Quote:

Originally Posted by AwesomeMachine (Post 5722362)
Unless you use the "-R" option for chown, the files you create within www will not inherit the permissions of www.

For existing files in that directory, and not files created in the future?

Turbocapitalist 06-13-2017 12:58 PM

Quote:

Originally Posted by NotionCommotion (Post 5722375)
Thanks Turbocapitalist and pan64, I had been using ls -l instead of ls -ld. Never knew there was a difference. So, I guess they are group www-data, but shown as group michael?

Perhaps, but please quote the exact output so we can see what is the case. Unless you are using ACLs, only one group is allowed and the one that is showing is the one that will take effect.

NotionCommotion 06-13-2017 01:23 PM

Quote:

Originally Posted by Turbocapitalist (Post 5722382)
Perhaps, but please quote the exact output so we can see what is the case. Unless you are using ACLs, only one group is allowed and the one that is showing is the one that will take effect.

Thanks
Code:

michael@pi2:~ $ ls -l
total 8
drwxr-xr-x 2 michael michael 4096 Jun 13 15:55 test
drwxrwxr-x 2 michael www-data  4096 Jun 13 17:45 www
michael@pi2:~ $ ls -ld
drwxr-xr-x 5 michael michael 4096 Jun 13 18:17 .
michael@pi2:~ $ cd www
michael@pi2:~/www $ ls -l
total 0
-rw-r--r-- 1 michael michael 0 Jun 13 17:45 test
michael@pi2:~/www $ ls -ld
drwxrwxr-x 2 michael www-data 4096 Jun 13 17:45 .
michael@pi2:~/www $


Turbocapitalist 06-13-2017 01:36 PM

Ok. The group has been set. Now you need to set the set-group-ID bit:

Code:

chmod g=rwxs /home/michael/www/

Once that is set, new files will have the same group as the directory. However, that will bring up the question of choice of groups again and what your real goal is.

NotionCommotion 06-14-2017 12:36 AM

Quote:

Originally Posted by Turbocapitalist (Post 5722393)
Ok. The group has been set. Now you need to set the set-group-ID bit:

Code:

chmod g=rwxs /home/michael/www/

Once that is set, new files will have the same group as the directory. However, that will bring up the question of choice of groups again and what your real goal is.

I was pretty much doing the same thing with chmod g+s and chmod g+w. But it doesn't make files have the same group as the directory! Not only is the new file "test" not in group "www-data", it also isn't writable by group. And where is that setid flag shown??? Please look at my very first code listing as well as the following.

Code:

michael@pi2:~ $ mkdir /home/michael/www
michael@pi2:~ $ sudo chgrp www-data /home/michael/www
michael@pi2:~ $ chmod g=rwxs /home/michael/www/
michael@pi2:~ $ ls -l
total 8
drwxr-xr-x 2 michael michael 4096 Jun 13 15:55 test
drwxrwxr-x 2 michael www-data  4096 Jun 14 05:38 www
michael@pi2:~ $ ls -ld
drwxr-xr-x 5 michael michael 4096 Jun 14 05:38 .
michael@pi2:~ $ cd www
michael@pi2:~/www $ touch test
michael@pi2:~/www $ ls -l
total 0
-rw-r--r-- 1 michael michael 0 Jun 14 05:38 test
michael@pi2:~/www $ ls -ld
drwxrwxr-x 2 michael www-data 4096 Jun 14 05:38 .
michael@pi2:~/www $

Real goal... Well, other than educating myself, I wanted the files to be mine but to give nginx the ability to read and execute them and sometimes even write to them.

Turbocapitalist 06-14-2017 02:39 AM

Quote:

Originally Posted by NotionCommotion (Post 5722551)
Real goal... Well, other than educating myself, I wanted the files to be mine but to give nginx the ability to read and execute them and sometimes even write to them.

Thanks. I'd limit the ability to write anything to just the bare minimum needed for your scripts to operate. Keep the principle of least privilege in mind.

About the set-group-ID bit, it should show up about like this:

Code:

drwxrwsr-x 2 michael www-data  4096 Jun 14 05:38 www

In your output, it is not set despite using chmod correctly in two different ways. So, which partition is that directory on and is nosuid one of the mount options? That would block using the set-group-ID bit.

Code:

mount

# or

mount | grep "^$(df -h /home/michael/www/ | awk 'NR >1 { print $1; exit; }')"

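One diagnostic for the two questions this thread keeps circling (did the bit stick, and if not, why), written as an added example and not taken from any of the posts: chmod(2) documents that an unprivileged caller who is not a member of the file's group has S_ISGID silently cleared with no error, so the check reports the bit, the caller's membership in the directory's group, and the mount options together. It assumes GNU coreutils (stat, id) and, optionally, util-linux findmnt; the scratch directory is constructed, not the thread's /home/michael/www.

```shell
#!/bin/sh
# Diagnostic for a directory that should hand its group to new files.
# Assumes GNU coreutils (stat, id) and util-linux findmnt (optional).

# Print "yes" if the set-group-ID bit is set on directory $1, else "no".
setgid_set() {
    mode=$(stat -c '%a' "$1") || return 1   # e.g. 2775 with setgid, 775 without
    case $(printf '%04d' "$mode") in
        2???|3???|6???|7???) echo yes ;;    # leading octal digit carries the 2 bit
        *) echo no ;;
    esac
}

# Print "yes" if the caller belongs to the group that owns $1, else "no".
# chmod(2): an unprivileged process that is not in the file's group gets
# S_ISGID silently cleared on chmod, and no error is reported.
in_dir_group() {
    gid=$(stat -c '%g' "$1") || return 1
    for g in $(id -G); do
        [ "$g" = "$gid" ] && { echo yes; return 0; }
    done
    echo no
}

# Set the setgid bit on $1, then report whether it actually stuck and,
# if not, the two facts that decide it: group membership and mount options.
try_setgid() {
    chmod g+s "$1" || return 1
    if [ "$(setgid_set "$1")" = yes ]; then
        echo "setgid is set on $1 (group $(stat -c '%G' "$1")); new files inherit that group"
    else
        echo "setgid did NOT stick on $1"
        echo "  caller in group $(stat -c '%G' "$1")? $(in_dir_group "$1")"
        echo "  mount options: $(findmnt -no OPTIONS -T "$1" 2>/dev/null || echo unknown)"
    fi
}

# Self-contained demo on a constructed scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    try_setgid "$d"
    : > "$d/newfile"
    echo "new file group: $(stat -c '%G' "$d/newfile"), directory group: $(stat -c '%G' "$d")"
    rm -r "$d"
}
demo
```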

NotionCommotion 06-14-2017 06:05 AM

Well, at least it feels good that I was doing it right :)

Why don't I see /dev/root/ returned by mount? Are the following results expected?

Thanks!
Code:

michael@pi2:/dev $ df -h /home/michael/www/
Filesystem      Size  Used Avail Use% Mounted on
/dev/root        29G  1.8G  26G  7% /
michael@pi2:/dev $ mount | column -t
/dev/mmcblk0p2  on  /                          type  ext4      (rw,noatime,data=ordered)
devtmpfs        on  /dev                        type  devtmpfs  (rw,relatime,size=468152k,nr_inodes=117038,mode=755)
sysfs          on  /sys                        type  sysfs    (rw,nosuid,nodev,noexec,relatime)
proc            on  /proc                      type  proc      (rw,relatime)
tmpfs          on  /dev/shm                    type  tmpfs    (rw,nosuid,nodev)
devpts          on  /dev/pts                    type  devpts    (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs          on  /run                        type  tmpfs    (rw,nosuid,nodev,mode=755)
tmpfs          on  /run/lock                  type  tmpfs    (rw,nosuid,nodev,noexec,relatime,size=5120k)
tmpfs          on  /sys/fs/cgroup              type  tmpfs    (ro,nosuid,nodev,noexec,mode=755)
cgroup          on  /sys/fs/cgroup/systemd      type  cgroup    (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
cgroup          on  /sys/fs/cgroup/cpu,cpuacct  type  cgroup    (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup          on  /sys/fs/cgroup/blkio        type  cgroup    (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup          on  /sys/fs/cgroup/memory      type  cgroup    (rw,nosuid,nodev,noexec,relatime,memory)
cgroup          on  /sys/fs/cgroup/devices      type  cgroup    (rw,nosuid,nodev,noexec,relatime,devices)
cgroup          on  /sys/fs/cgroup/freezer      type  cgroup    (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup          on  /sys/fs/cgroup/net_cls      type  cgroup    (rw,nosuid,nodev,noexec,relatime,net_cls)
systemd-1      on  /proc/sys/fs/binfmt_misc    type  autofs    (rw,relatime,fd=22,pgrp=1,timeout=300,minproto=5,maxproto=5,direct)
mqueue          on  /dev/mqueue                type  mqueue    (rw,relatime)
debugfs        on  /sys/kernel/debug          type  debugfs  (rw,relatime)
configfs        on  /sys/kernel/config          type  configfs  (rw,relatime)
/dev/mmcblk0p1  on  /boot                      type  vfat      (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,errors=remount-ro)
michael@pi2:/dev $


Turbocapitalist 06-14-2017 06:57 AM

Quote:

Originally Posted by NotionCommotion (Post 5722602)
Why don't I see /dev/root/ returned by mount? Is the following results expected?

It's not what I would expect. Which distro, including version, do you have on the device?

NotionCommotion 06-14-2017 07:13 AM

Quote:

Originally Posted by Turbocapitalist (Post 5722613)
It's not what I would expect. Which distro, including version, do you have on the device?

Code:

michael@pi2:~ $ uname -a
Linux greenbean-c72eb01a 4.9.24-v7+ #993 SMP Wed Apr 26 18:01:23 BST 2017 armv7l GNU/Linux
michael@pi2:~ $ cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 8 (jessie)"
NAME="Raspbian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"
michael@pi2:~ $


