
#1 2011-12-05 07:27:58

wolfdogg
Member
From: Portland, OR, USA
Registered: 2011-05-21
Posts: 545

file permissions, inherit for shared user directory

im trying to create a public share where users can read each others files, but not write to them.  thats no problem, but im also trying to create a public directory as well, where the users can create a folder inside another users directory. 

for example
a new group is created called localnet(name is reflecting a workgroup tied to windows computers), two users (user1 and user2) are assigned part of this group, so that only the group 'localnet' can cross access each others shares inside the /public folder only.
a directory is created to reflect the new group, the two users dirs are added, and also a public dir is added

mkdir /usr/share/localnet
mkdir /usr/share/localnet/user1
mkdir /usr/share/localnet/user2
mkdir /usr/share/localnet/public

now to set the permissions, the users dir is chowned to themselves, and the public dir is chowned to root, all of which are attached to the localnet group
/usr/share/localnet/user1 user1:localnet drwxr-x--- (chmod 750)
/usr/share/localnet/user2 user2:localnet drwxr-x--- (chmod 750)
/usr/share/localnet/public root:localnet drwxrwx--- (chmod 770)
all is fine, but when user1 creates a dir in public, say for example /public/pictures it now inherits a different set of permissions outside of the boundaries of this setup, it inherited (drwxr-wr-w user1:users ), this looks familiar, its the way linux addresses users files. So now user 2 tries to place pictures inside to say /public/pictures/roll1 but this user is denied permissions because user1 owns the dir.  the permissions i need it to inherit is what i set in the parent, and that is (drwxrwx--- anyuser:localnet) 

what im trying to figure out, is what command can i run to allow the sub directories of the /public to inherit its permissions i guess is what im trying to accomplish

EDIT: another thought, should i be doing this inside the "home" directory instead? (/home/public)  makes more sense to me, would it act any differently there?

Last edited by wolfdogg (2011-12-06 10:35:12)


Node.js, PHP Software Architect and Engineer (Full-Stack/DevOps)
GitHub  | LinkedIn


#2 2011-12-05 14:19:19

paziul
Member
From: N.C.
Registered: 2011-11-23
Posts: 27

Re: file permissions, inherit for shared user directory

I think you should rather look in the smb.conf file to configure the permissions for the samba shares ( I am guessing you are using samba ):

[public]
        writeable = yes
        wide links = no
        path = /data/public
        force group = users
        force create mode = 0666
        comment = Public Share
        public = yes
        create mode = 0666
        valid users = guest

lookup create mode in the man for more info...

if you are integrating samba with the AD, you can specify the windoz GROUP you mentioned:

[Inbox]
        comment = Inbox
        writeable = yes
        create mask = 775
        path = /the_path_2_share
        valid users = "@mydomain/groupname"
        directory mask = 777
        security mask = 0660
        force security mode = 0660
        force directory security mode = 0770
        directory security mask = 0770

Last edited by paziul (2011-12-05 14:20:47)


"...and it probably never will support anything other than AT-harddisks..."


#3 2011-12-06 07:53:15

wolfdogg
Member
From: Portland, OR, USA
Registered: 2011-05-21
Posts: 545

Re: file permissions, inherit for shared user directory

i do use samba, but thats only when i need to access the windows machines, im trying to limit this.  In this case, i have a couple users on the linux box, and trying to share within.   I just used the name of the workgroup for the share folder so it would be recognized easily since /usr/share contains so many directories. So i just need help learning how linux inherits permissions, and how to circumvent the problem im running into.

thanks for the samba info though, it looks like i might be able to play around with that a bit some time.  for now, i just use nautilus and go to smb://machine to access the m$ pc's. I already have a public share setup on a windows7 file server where I have tailored specific users permissions so files dont get accidentally deleted by less experienced users across the network, which usually ends up in data loss since they dont get recycled. 

so for now, i just need to figure how to set up a share for linux users, on the linux box alone, having the directories created by users inherit custom permissions.

Last edited by wolfdogg (2011-12-06 07:54:50)



#4 2011-12-06 08:00:37

/dev/zero
Member
From: Melbourne, Australia
Registered: 2011-10-20
Posts: 1,247

Re: file permissions, inherit for shared user directory

For a linux-only setup, I would consider using the sticky bit:

chmod g+t /path/to/folder/

Any user in the group that owns the directory can create and view items in the directory, but users can't modify each others' files.


#5 2011-12-06 10:00:37

wolfdogg
Member
From: Portland, OR, USA
Registered: 2011-05-21
Posts: 545

Re: file permissions, inherit for shared user directory

ok, that looks like were heading in the right direction.  now i just tried this

chmod -R g+t /usr/share/localnet/public

and i realize that before i can decide if that will be useful, im still running into the same problem it seems. when user1 creates a directory in the /public, and then user2 tries to make a directory inside the one user1 just created, its permission denied because the directory that user 1 made inherited standard user permissions, and not the permissions that i set on the /public directory in the first place. 

is there anything i can set so this doesnt happen?  what specifically is telling the file system to set the permission to user1:users instead of user1:newgroup, and would it be wise to alter this, or is there another route so that the group that the new folder inherits is of the 'newgroup' and not the 'users' group

what about something like SETGID?

Last edited by wolfdogg (2011-12-06 10:24:49)



#6 2011-12-06 10:24:28

wolfdogg
Member
From: Portland, OR, USA
Registered: 2011-05-21
Posts: 545

Re: file permissions, inherit for shared user directory

setgid worked,

chmod -R g+s /usr/share/localnet

now instead of the permissions on /usr/share/localnet/public/newdir reading

drwxr-wr-w user1:user

it reads

drwxr-sr-w user1:localnet

im not sure if the 's' comes from the sticky bit that i ran, or from the setgid, can you tell me? im guessing its the setgid(set group id) since its in the group section.

Now before this will work, it looks like theres just one more condition that needs to be met.
the directory /usr/share/localnet/public has permissions

drwxrws--- root:localnet

but when a user makes a directory inside that, it wont hold the

drwxrws--- user1:localnet

part, instead it ends up

drwxr-sr-x user1:localnet

, how can i make that inherit the former instead of the latter?

Last edited by wolfdogg (2011-12-06 10:33:14)



#7 2011-12-06 10:28:59

Mavirick
Member
Registered: 2011-12-01
Posts: 62

Re: file permissions, inherit for shared user directory

The s is from the sticky bit


#8 2011-12-06 10:41:14

wolfdogg
Member
From: Portland, OR, USA
Registered: 2011-05-21
Posts: 545

Re: file permissions, inherit for shared user directory

mavirick wrote:

The s is from the sticky bit

thats odd, i thought i didnt see the 's' appear until a bit later(pun intended) so i would have thought it was from the setgid since it falls in the group section. how would i view the bit for setgid?  ls -l only shows what i outlined above.  what tells me that the flag for setgid has been set?  does one just have to make a directory to see it in action?  please dont answer if that will dissuade an answer from the much more important question in my last post :P



#9 2011-12-06 10:58:55

/dev/zero
Member
From: Melbourne, Australia
Registered: 2011-10-20
Posts: 1,247

Re: file permissions, inherit for shared user directory

It's been a while since I last used sticky bits, so I got my suggested command a little wrong. What you want is something more like,

chmod -R g+w,o+t /usr/share/localnet

Note: this doesn't involve using setgid. Your permissions (via "ls -l") will look something like

drwxrwxr-t

(Eg, note that it should be flagged with a "t", not an "s".)


#10 2011-12-06 11:37:36

wolfdogg
Member
From: Portland, OR, USA
Registered: 2011-05-21
Posts: 545

Re: file permissions, inherit for shared user directory

i ran

chmod -R g+w,g-t,o+t /usr/share/localnet/public

the directory /usr/share/localnet/public/random_by_user1 now reads

drwxrwsr-t user1:localnet

(user2 was able to make a dir inside of this one)
although that worked, and user2 is now able to make a directory inside of a directory that user1 has made, its not inheriting like this. so even though the recursive set them correctly, the new ones are coming up like this

drwxr-sr-x user1:localnet

(user2 was NOT able to make a dir inside of this one obviously)
without this elevated permission set.

so we have it right when i chmod the files, but how do i get them to inherit this natively? thats a sticky right?  how do i make the 'rws' in group sticky, but no delete permission for a non owner?  i think thats the question that should have been stated in the beginning of the post now that im figuring this out.

Edit: (i just realized something, my poor choice for an example might lead you to believe that the users personal directories are inside the /public, they are actually not, so in my examples such as the one above where i reference a new test directory like this " /usr/share/localnet/public/user1" let me rephrase that so as not to confuse " /usr/share/localnet/public/random_by_user1"
the user directories are actually outside of the public eg.. /usr/share/localnet/someuser, where the public shares are inside  /usr/share/localnet/public.  im sure i made that clear, but at this point, confusion might lead to chaos. lol.

also, i dont want everyone else to have permission, only owner and group, so no need to o+t correct?  remember, its only public for the group, not for everyone.

Last edited by wolfdogg (2011-12-06 11:55:02)



#11 2011-12-06 11:54:45

djgera
Developer
From: Buenos Aires - Argentina
Registered: 2008-12-24
Posts: 723
Website

Re: file permissions, inherit for shared user directory

There are no inherited perms in traditional POSIX perms. You need to consider using ACLs, and set up a "default ACL" on the directory this way.

The only thing that can be inherited from the parent directory is the fsgid if the directory has setgid set, but this is not applied recursively by default, you need to mount the fs with grpid|bsdgroups (if supported by the fs, ie extfs and xfs).
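
Added illustration, not part of any post in this thread: a script that measures what a new directory takes from its parent. The group and the setgid bit (the 's' in the group triad) come from the parent, the rwx bits come from the creating process's umask (022 gives the drwxr-sr-x seen earlier in the thread), and the sticky bit is not passed on. The scratch directories and the umask values are assumptions of the example.

```sh
#!/bin/sh
# Added example: which bits a new directory actually picks up from its parent.
# Runs unprivileged in scratch directories made by mktemp; nothing here
# touches /usr/share/localnet. Assumes Linux with GNU stat (stat -c).

# new_dir_mode PARENT_MODE UMASK
# Prepare a parent directory with PARENT_MODE, create a child with mkdir
# under UMASK, and print the child's mode as ls -l would show it.
new_dir_mode() (
    top=$(mktemp -d) || exit 1
    chgrp "$(id -g)" "$top"       # owner must be in the group to keep g+s
    chmod "$1" "$top"
    umask "$2"
    mkdir "$top/newdir"
    stat -c '%A' "$top/newdir"
    rm -rf "$top"
)

# parent_mode PARENT_MODE
# Print how the parent itself is displayed after chmod PARENT_MODE.
parent_mode() (
    top=$(mktemp -d) || exit 1
    chgrp "$(id -g)" "$top"
    chmod "$1" "$top"
    stat -c '%A' "$top"
    rm -rf "$top"
)

# setgid is the 2000 bit and shows in the group triad; sticky is the 1000
# bit and shows in the last position (capital T when "other" has no x).
echo "parent 2770 displays as:         $(parent_mode 2770)"
echo "parent 1770 displays as:         $(parent_mode 1770)"

# Child directories: group and setgid follow the parent, rwx follows umask.
echo "no setgid, umask 022, child:     $(new_dir_mode 0770 022)"
echo "setgid,    umask 022, child:     $(new_dir_mode 2770 022)"
echo "setgid,    umask 007, child:     $(new_dir_mode 2770 007)"
echo "setgid+sticky, umask 007, child: $(new_dir_mode 3770 007)"
```

umask belongs to the creating process rather than to the directory, so the per-directory way to get drwxrws--- on every new subdirectory is the default ACL mentioned above, for example setfacl -d -m u::rwx,g::rwx,o::--- on the shared directory.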


#12 2011-12-06 12:01:28

wolfdogg
Member
From: Portland, OR, USA
Registered: 2011-05-21
Posts: 545

Re: file permissions, inherit for shared user directory

ok, ill try to figure out what you're talking about, and i think i know i just want to do the research on it.  But, i noticed something, if i understand you correctly, you say

The only thing that can be inherited from the parent directory is the fsgid if the directory has setgid set, but this is not applied recursively by default,

i think what you mean by this is the gid doesnt inherit, but in my setup, once i ran the setgid, each new directory created in this structure is defaulted to that group, rather than the 'users' group.  so it appears it is applied recursively.  If i misunderstood you, in layman's terms what im saying is no matter how many levels deep i create directories in the /public now they are all saying username:localnet instead of username:users for the group. so it appears that part is acting correctly.

ok, maybe i did misunderstand you.  its not applied recursively by default, but i flagged it to do so like this

chmod g+s /usr/share/localnet/public

are we on the same page still?  or am i off base?

Last edited by wolfdogg (2011-12-06 12:03:39)



#13 2011-12-06 12:05:35

wolfdogg
Member
From: Portland, OR, USA
Registered: 2011-05-21
Posts: 545

Re: file permissions, inherit for shared user directory

ok, i looked into ACL, i was hoping not to have to move away from standard chmod, but if i have to.  i would like to see if we cant mastermind a solution first with chmod



#14 2011-12-06 12:20:00

djgera
Developer
From: Buenos Aires - Argentina
Registered: 2008-12-24
Posts: 723
Website

Re: file permissions, inherit for shared user directory

Yes, sorry, I wrote that badly. (btw: grpid is deprecated)

Anyway, consider file ACLs if you want to inherit more advanced things.

Last edited by djgera (2011-12-06 12:23:50)


#15 2011-12-06 12:30:52

wolfdogg
Member
From: Portland, OR, USA
Registered: 2011-05-21
Posts: 545

Re: file permissions, inherit for shared user directory

ok no prob.  thanks for the tip on acl, it looks like it was designed to make what im doing easy.  but i thought maybe could dig into chmod a bit. 

I gotta go to bed, so i will look back here tomorrow.  I really appreciate all the help each one of you!  thanks a lot! 

so in case any of you want a real world example as how to use permissions like this.  i know it sounds like i might be setting this up for clients, and i will in the place of business, but the first use i will get out of it is for my wife not to accidentally delete all our family pictures, lol.  so we share all our family files together inside the public folder, and if i create the directory for the pictures, which its always me putting the pictures on the computer, then i dont want her to be able to accidentally delete inside a desktop environment, and also same goes with all the music. but on the other hand, i want her to be able to add more pictures to the directory i created.  damn, maybe i should just take away delete privileges from her and call it eh?  bwuahh hahahah. no, seriously, we are talking about extremely important data here, family memories!  so i want to ensure integrity of the data, and will use this group based structure for business as well if i can get it working.

good night



#16 2011-12-08 10:11:14

wolfdogg
Member
From: Portland, OR, USA
Registered: 2011-05-21
Posts: 545

Re: file permissions, inherit for shared user directory

so i cant do it with chmod?  i didnt have time to look into it today, but i have been looking for any other comments if anyone has any. read the bold print, it about sums up what im trying to do.  thanks in advance.



#17 2011-12-08 10:16:44

Pajaro
Member
Registered: 2004-04-21
Posts: 884

Re: file permissions, inherit for shared user directory

In multiuser environments ACL works best for me.


#18 2011-12-08 10:54:28

thisoldman
Member
From: Pittsburgh
Registered: 2009-04-25
Posts: 1,172

Re: file permissions, inherit for shared user directory

wolfdogg wrote:

so i cant do it with chmod?  i didnt have time to look into it today, but i have been looking for any other comments if anyone has any. read the bold print, it about sums up what im trying to do.  thanks in advance.

There was this recent thread that may give you more information or ideas: How to share data (etc pictures) between local users on same box

