LinuxQuestions.org
Old 06-13-2017, 11:44 AM   #1
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 789

Rep: Reputation: Disabled
Using setgid to set group of new files


I was expecting file "test" to have group "www-data". I see it doesn't have group write permission as well and think that is related.
How is this performed?

Code:
michael@pi2:~ $ mkdir /home/michael/www
michael@pi2:~ $ sudo chgrp www-data /home/michael/www
michael@pi2:~ $ chmod g+s /home/michael/www
michael@pi2:~ $ chmod g+w /home/michael/www
michael@pi2:~ $ touch /home/michael/www/test
michael@pi2:~ $ ls -l /home/michael/www/
total 0
-rw-r--r-- 1 michael michael 0 Jun 13 16:38 test
 
Old 06-13-2017, 12:00 PM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,489
Blog Entries: 3

Rep: Reputation: 3812
It's done in part by using a different group than www-data. What problem are you trying to solve? It's almost certain that another group should be used instead. The www-data group is there to provide an unprivileged group for the web server.

Back to your original question, the sharing of directories among groups is convoluted enough that it warranted a blog post: Sharing Write Access to a Web Directory for Multiple Users.

What are the actual permissions for that directory?

Code:
ls -lhd /home/michael/www
 
Old 06-13-2017, 12:03 PM   #3
pan64
LQ Addict
 
Registered: Mar 2012
Location: Hungary
Distribution: debian/ubuntu/suse ...
Posts: 22,625

Rep: Reputation: 7524
I would suggest you check the permissions:
Code:
mkdir /home/michael/www
ls -ld /home/michael/www
sudo chgrp www-data /home/michael/www
ls -ld /home/michael/www
...
 
Old 06-13-2017, 12:24 PM   #4
AwesomeMachine
LQ Guru
 
Registered: Jan 2005
Location: USA and Italy
Distribution: Debian testing/sid; OpenSuSE; Fedora; Mint
Posts: 5,524

Rep: Reputation: 1015
Unless you use the "-R" option for chown, the files you create within www will not inherit the permissions of www.
 
Old 06-13-2017, 12:47 PM   #5
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 789

Original Poster
Rep: Reputation: Disabled
Thanks Turbocapitalist and pan64, I had been using ls -l instead of ls -ld. Never knew there was a difference. So, I guess they are group www-data, but shown as group michael?
 
Old 06-13-2017, 12:48 PM   #6
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 789

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by AwesomeMachine
Unless you use the "-R" option for chown, the files you create within www will not inherit the permissions of www.
For existing files in that directory, and not files created in the future?
 
Old 06-13-2017, 12:58 PM   #7
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,489
Blog Entries: 3

Rep: Reputation: 3812
Quote:
Originally Posted by NotionCommotion
Thanks Turbocapitalist and pan64, I had been using ls -l instead of ls -ld. Never knew there was a difference. So, I guess they are group www-data, but shown as group michael?
Perhaps, but please quote the exact output so we can see what is the case. Unless you are using ACLs, only one group is allowed and the one that is showing is the one that will take effect.
 
Old 06-13-2017, 01:23 PM   #8
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 789

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist
Perhaps, but please quote the exact output so we can see what is the case. Unless you are using ACLs, only one group is allowed and the one that is showing is the one that will take effect.
Thanks
Code:
michael@pi2:~ $ ls -l
total 8
drwxr-xr-x 2 michael michael 4096 Jun 13 15:55 test
drwxrwxr-x 2 michael www-data  4096 Jun 13 17:45 www
michael@pi2:~ $ ls -ld
drwxr-xr-x 5 michael michael 4096 Jun 13 18:17 .
michael@pi2:~ $ cd www
michael@pi2:~/www $ ls -l
total 0
-rw-r--r-- 1 michael michael 0 Jun 13 17:45 test
michael@pi2:~/www $ ls -ld
drwxrwxr-x 2 michael www-data 4096 Jun 13 17:45 .
michael@pi2:~/www $
 
Old 06-13-2017, 01:36 PM   #9
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,489
Blog Entries: 3

Rep: Reputation: 3812
Ok. The group has been set. Now you need to set the set-group-ID bit:

Code:
chmod g=rwxs /home/michael/www/
Once that is set, new files will have the same group as the directory. However, that will bring up the question of choice of groups again and what your real goal is.
 
Old 06-14-2017, 12:36 AM   #10
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 789

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist
Ok. The group has been set. Now you need to set the set-group-ID bit:

Code:
chmod g=rwxs /home/michael/www/
Once that is set, new files will have the same group as the directory. However, that will bring up the question of choice of groups again and what your real goal is.
I was pretty much doing the same thing with chmod g+s and chmod g+w. But it doesn't make files have the same group as the directory! Not only is new file "test" not of group "www-data", it also isn't writable by group. And where is that setid flag shown??? Please look at my very first code listing as well as the following.

Code:
michael@pi2:~ $ mkdir /home/michael/www
michael@pi2:~ $ sudo chgrp www-data /home/michael/www
michael@pi2:~ $ chmod g=rwxs /home/michael/www/
michael@pi2:~ $ ls -l
total 8
drwxr-xr-x 2 michael michael 4096 Jun 13 15:55 test
drwxrwxr-x 2 michael www-data  4096 Jun 14 05:38 www
michael@pi2:~ $ ls -ld
drwxr-xr-x 5 michael michael 4096 Jun 14 05:38 .
michael@pi2:~ $ cd www
michael@pi2:~/www $ touch test
michael@pi2:~/www $ ls -l
total 0
-rw-r--r-- 1 michael michael 0 Jun 14 05:38 test
michael@pi2:~/www $ ls -ld
drwxrwxr-x 2 michael www-data 4096 Jun 14 05:38 .
michael@pi2:~/www $
Real goal... Well, other than educating myself, I wanted the files to be mine but to give nginx the ability to read and execute them and sometimes even write to them.

Last edited by NotionCommotion; 06-14-2017 at 12:44 AM.
 
Old 06-14-2017, 02:39 AM   #11
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,489
Blog Entries: 3

Rep: Reputation: 3812
Quote:
Originally Posted by NotionCommotion
Real goal... Well, other than educating myself, I wanted the files to be mine but to give nginx the ability to read and execute them and sometimes even write to them.
Thanks. I'd limit the ability to write anything to just the bare minimum needed for your scripts to operate. Keep the principle of least privilege in mind.

About the set-group-ID bit, it should show up about like this:

Code:
drwxrwsr-x 2 michael www-data  4096 Jun 14 05:38 www
In your output, it is not set despite using chmod correctly in two different ways. So, which partition is that directory on and is nosuid one of the mount options? That would block using the set-group-ID bit.

Code:
mount

# or

mount | grep "^$(df -h /home/michael/www/ | awk 'NR >1 { print $1; exit; }')"
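
Added example, not part of the thread: a throwaway-directory run of what posts #9 and #11 describe, showing how the set-group-ID bit appears in the mode string and how new files and subdirectories pick up the directory's group. It also covers two points the thread leaves open: group write on new files comes from the umask rather than from the directory's mode, and per chmod(2) an unprivileged chmod silently drops the bit when the caller is not a member of the directory's group. The function names and the mktemp sandbox are constructed for this illustration; GNU or BusyBox `stat -c` is assumed.

```shell
#!/bin/sh
# Added example: everything happens in a throwaway mktemp directory, no sudo.

# Prefer a supplementary group so inheritance is visible; fall back to the
# primary group when the caller has no other group.
pick_group() {
    for g in $(id -G); do
        [ "$g" != "$(id -g)" ] && { echo "$g"; return 0; }
    done
    id -g
}

# chmod(2): an unprivileged chmod keeps S_ISGID only when the caller is a
# member of the directory's group; otherwise the bit is dropped, no error.
caller_in_group_of() {
    gid=$(stat -c '%g' "$1")
    for g in $(id -G); do
        [ "$g" = "$gid" ] && return 0
    done
    return 1
}

# Prints: <dir mode> <new file mode> <new subdir mode> <inherited|not-inherited>
setgid_demo() (
    umask "$1"
    dir=$(mktemp -d) || exit 1
    chgrp "$(pick_group)" "$dir"
    chmod u=rwx,g=rwxs,o=rx "$dir"      # same effect as g=rwxs in post #9
    touch "$dir/file"                   # file mode = 0666 minus umask bits
    mkdir "$dir/sub"                    # subdirectories inherit the bit too
    if [ "$(stat -c '%g' "$dir/file")" = "$(stat -c '%g' "$dir")" ]; then
        grp=inherited
    else
        grp=not-inherited
    fi
    echo "$(stat -c '%A' "$dir") $(stat -c '%A' "$dir/file")" \
         "$(stat -c '%A' "$dir/sub") $grp"
    rm -rf "$dir"
)

setgid_demo 022   # default umask: new file is not group-writable
setgid_demo 002   # group-friendly umask: new file is group-writable
```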
 
Old 06-14-2017, 06:05 AM   #12
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 789

Original Poster
Rep: Reputation: Disabled
Well, at least it feels good that I was doing it right

Why don't I see /dev/root/ returned by mount? Are the following results expected?

Thanks!
Code:
michael@pi2:/dev $ df -h /home/michael/www/
Filesystem      Size  Used Avail Use% Mounted on
/dev/root        29G  1.8G   26G   7% /
michael@pi2:/dev $ mount | column -t
/dev/mmcblk0p2  on  /                           type  ext4      (rw,noatime,data=ordered)
devtmpfs        on  /dev                        type  devtmpfs  (rw,relatime,size=468152k,nr_inodes=117038,mode=755)
sysfs           on  /sys                        type  sysfs     (rw,nosuid,nodev,noexec,relatime)
proc            on  /proc                       type  proc      (rw,relatime)
tmpfs           on  /dev/shm                    type  tmpfs     (rw,nosuid,nodev)
devpts          on  /dev/pts                    type  devpts    (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs           on  /run                        type  tmpfs     (rw,nosuid,nodev,mode=755)
tmpfs           on  /run/lock                   type  tmpfs     (rw,nosuid,nodev,noexec,relatime,size=5120k)
tmpfs           on  /sys/fs/cgroup              type  tmpfs     (ro,nosuid,nodev,noexec,mode=755)
cgroup          on  /sys/fs/cgroup/systemd      type  cgroup    (rw,nosuid,nodev,noexec,relatime,xattr,release_agent=/lib/systemd/systemd-cgroups-agent,name=systemd)
cgroup          on  /sys/fs/cgroup/cpu,cpuacct  type  cgroup    (rw,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup          on  /sys/fs/cgroup/blkio        type  cgroup    (rw,nosuid,nodev,noexec,relatime,blkio)
cgroup          on  /sys/fs/cgroup/memory       type  cgroup    (rw,nosuid,nodev,noexec,relatime,memory)
cgroup          on  /sys/fs/cgroup/devices      type  cgroup    (rw,nosuid,nodev,noexec,relatime,devices)
cgroup          on  /sys/fs/cgroup/freezer      type  cgroup    (rw,nosuid,nodev,noexec,relatime,freezer)
cgroup          on  /sys/fs/cgroup/net_cls      type  cgroup    (rw,nosuid,nodev,noexec,relatime,net_cls)
systemd-1       on  /proc/sys/fs/binfmt_misc    type  autofs    (rw,relatime,fd=22,pgrp=1,timeout=300,minproto=5,maxproto=5,direct)
mqueue          on  /dev/mqueue                 type  mqueue    (rw,relatime)
debugfs         on  /sys/kernel/debug           type  debugfs   (rw,relatime)
configfs        on  /sys/kernel/config          type  configfs  (rw,relatime)
/dev/mmcblk0p1  on  /boot                       type  vfat      (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,errors=remount-ro)
michael@pi2:/dev $
 
Old 06-14-2017, 06:57 AM   #13
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,489
Blog Entries: 3

Rep: Reputation: 3812
Quote:
Originally Posted by NotionCommotion
Why don't I see /dev/root/ returned by mount? Are the following results expected?
It's not what I would expect. Which distro, including version, do you have on the device?
 
Old 06-14-2017, 07:13 AM   #14
NotionCommotion
Member
 
Registered: Aug 2012
Posts: 789

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Turbocapitalist
It's not what I would expect. Which distro, including version, do you have on the device?
Code:
michael@pi2:~ $ uname -a
Linux greenbean-c72eb01a 4.9.24-v7+ #993 SMP Wed Apr 26 18:01:23 BST 2017 armv7l GNU/Linux
michael@pi2:~ $ cat /etc/os-release
PRETTY_NAME="Raspbian GNU/Linux 8 (jessie)"
NAME="Raspbian GNU/Linux"
VERSION_ID="8"
VERSION="8 (jessie)"
ID=raspbian
ID_LIKE=debian
HOME_URL="http://www.raspbian.org/"
SUPPORT_URL="http://www.raspbian.org/RaspbianForums"
BUG_REPORT_URL="http://www.raspbian.org/RaspbianBugs"
michael@pi2:~ $
 
  


All times are GMT -5.