107

I have a bunch of long-running scripts and applications that are storing output results in a directory shared amongst a few users. I would like a way to make sure that every file and directory created under this shared directory automatically had u=rwxg=rwxo=r permissions.

I know that I could use umask 006 at the head of my various scripts, but I don't like that approach as many users write their own scripts and may forget to set the umask themselves.

I really just want the filesystem to set newly created files and directories with a certain permission if it is in a certain folder. Is this at all possible?

Update: I think it can be done with POSIX ACLs, using the Default ACL functionality, but it's all a bit over my head at the moment. If anybody can explain how to use Default ACLs it would probably answer this question nicely.

rmunn
David Dean
  • POSIX ACLs are nice, however a good 60% of the machines that you encounter won't have them turned on for certain file systems, depending on the distribution. Here is a very good introduction and example: http://www.suse.de/~agruen/acl/linux-acls/online/ – Tim Post Feb 24 '09 at 06:01
  • You mean the same document I linked :) I haven't had a chance to read it yet but thanks for the heads-up on the availability problem. – David Dean Feb 24 '09 at 06:12
  • The link in Tim Post's comment appears to be dead, but thanks to the Internet Archive, I could view it, and verify that http://www.vanemery.com/Linux/ACL/POSIX_ACL_on_Linux.html contains the exact same document. I'll edit the question to update the link. – rmunn May 30 '16 at 07:12
  • @rmunn The new link is also 404'd now. – Borea Deitz May 23 '21 at 18:52
  • Internet Archive (archive.org) version of the link [here](https://web.archive.org/web/20121204090150/http://www.vanemery.com/Linux/ACL/linux-acl.html) (2012-12-04) – Andrew Richards Jan 26 '23 at 11:18

5 Answers

80

To get the right ownership, you can set the group setuid bit on the directory with

chmod g+rwxs dirname

This will ensure that files created in the directory are owned by the group. You should then make sure everyone runs with umask 002 or 007 or something of that nature---this is why Debian and many other Linux systems are configured with per-user groups by default.

I don't know of a way to force the permissions you want if the user's umask is too strong.

Norman Ramsey
  • This doesn't really provide a solution - he's asking about permissions not ownership, and the only way to do that is [with ACLs](http://stackoverflow.com/a/13906099/165673) – Yarin Dec 16 '12 at 22:36
  • "... make sure everyone runs with umask 002 or 007 or something of that nature" - that's a bit of a stretch.... How do you make Postfix, Dovecot, Clam and Spam Assassin all do this? – jww Apr 03 '14 at 00:18
  • What does the `+s` part do? Thanks. – tommy.carstensen Jan 06 '17 at 11:37
  • In this case it means set group ID. That is to say we use g+s to set the SGID bit. I say "in this case" because +s was combined with g for group. +s can also be used for setting the SUID bit (setuid). – Bastion Jun 20 '17 at 02:30
60

Here's how to do it using default ACLs, at least under Linux.

First, you might need to enable ACL support on your filesystem. If you are using ext4 then it is already enabled. Other filesystems (e.g., ext3) need to be mounted with the acl option. In that case, add the option to your /etc/fstab. For example, if the directory is located on your root filesystem:

/dev/mapper/qz-root   /    ext3    errors=remount-ro,acl   0  1

Then remount it:

mount -oremount /

Now, use the following command to set the default ACL:

setfacl -dm u::rwx,g::rwx,o::r /shared/directory

All new files in /shared/directory should now get the desired permissions. Of course, it also depends on the application creating the file. For example, most files won't be executable by anyone from the start (depending on the mode argument to the open(2) or creat(2) call), just like when using umask. Some utilities like cp, tar, and rsync will try to preserve the permissions of the source file(s) which will mask out your default ACL if the source file was not group-writable.

Hope this helps!

pelle
  • It seems that this still requires proper `umask` for all users. =/ http://unix.stackexchange.com/questions/71743/using-setfacl-to-allow-group-members-to-write-to-any-file-in-a-directory – anatoly techtonik Oct 13 '14 at 18:27
  • @techtonik As I wrote, it depends on the application creating the file. E.g., if you use `cp` then it will try to copy the permissions of the source file. Not even `umask` helps when using `cp`. I've seen the same problem with `tar`. See [this question](http://serverfault.com/questions/183800/why-does-cp-not-respect-acls). – pelle Oct 15 '14 at 08:13
  • @techtonik I've added a sentence about this in my answer now. – pelle Oct 15 '14 at 08:19
  • Yes, it looks like the problem was the application forcefully setting the rights to 644 when my ACL and POSIX rights setup was all for 664. It would be nice to clarify this fallback mechanism for people troubleshooting the issue. Many don't even know about `umask`. – anatoly techtonik Oct 15 '14 at 13:49
  • I mean I wasted some time trying to see if I don't have the mount flags set correctly (and on ext4 they can not be set, because it seems that they work automatically). There is no information on how to check if `setfacl` `works correctly` - I assume that it should fail, but I am not sure, because the answer misses that point. – anatoly techtonik Oct 15 '14 at 13:52
  • @techtonik My answer already said that you didn't need the option on ext4. Anyway, I have edited it now to make that clearer. Regarding `umask`, the question explicitly asks how to do it _without_ `umask`. – pelle Oct 20 '14 at 12:25
  • That's much better now. For me the most confusing moment was that POSIX rights are processed and take precedence even if ACL is in effect, so the correct order of investigating permissions problem is `application -- POSIX -- ACL`. – anatoly techtonik Oct 20 '14 at 13:44
  • @techtonik Not really. POSIX permissions are mapped to certain ACL entries. So if you change e.g. group perms on a file with ACLs, you actually change the mask ACL entry. If you change user perms then you change the user entry, and so on. – pelle Oct 24 '14 at 07:14
  • Yes. Right, POSIX permissions serve as a mask for getting through to ACL. – anatoly techtonik Oct 24 '14 at 08:41
  • You are a superhero! you have no idea how damn difficult getting this set up has been - linux webservers are not easy to set up and this has fixed a long-time frustration. – Robert Seddon-Smith Mar 18 '17 at 07:20
  • for 600 use: `mkdir ~/.env && sed -i 's/defaults\t/defaults,acl\t/' /etc/fstab && mount -o,remount / && setfacl -dm u::rw,g::x,o::x .env` – alchemy Feb 13 '22 at 04:44
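The interplay between the directory's default ACL, the mode the creating application requests, and the umask is what the comments above keep tripping over. As an added example (not code from pelle's answer or from the acl tools), this Python model implements the creation rule from acl(5) and reproduces the cases discussed: `touch` under the default ACL, the same create without one, and `cp` carrying a 0644 source mode. The `parse_default_acl` and `effective_mode` functions are my own and model only the u::, g::, o:: and m:: entries.

```python
from typing import Optional


def _bits(perms: str) -> int:
    """Permission bits for one ACL entry, e.g. 'rwx' -> 7, 'r' -> 4."""
    return (4 if "r" in perms else 0) | (2 if "w" in perms else 0) | (1 if "x" in perms else 0)


def parse_default_acl(spec: str) -> dict:
    """Parse a setfacl -d spec such as 'u::rwx,g::rwx,o::r' (the one in the answer).
    Only owner (u::), owning group (g::), other (o::) and mask (m::) entries are
    modelled; named user/group entries raise because their mask rules are not."""
    acl = {"u": 0, "g": 0, "o": 0, "m": None}
    for entry in spec.split(","):
        parts = entry.split(":")
        tag, perms = parts[0], parts[-1]
        if tag not in acl or (len(parts) == 3 and parts[1] != ""):
            raise ValueError(f"unsupported ACL entry: {entry!r}")
        acl[tag] = _bits(perms)
    return acl


def effective_mode(requested: int, umask: int, default_acl: Optional[dict]) -> int:
    """Mode bits a new file gets when created with open(2)/mkdir(2) mode `requested`.
    No default ACL on the parent: the classic rule, requested & ~umask.
    Default ACL present: umask is ignored; the default entries become the file's
    access ACL and the u::, m:: (or g:: if no mask) and o:: entries are ANDed with
    the matching bits of `requested`. That is why cp/tar/rsync, which create with
    the source file's mode, can still produce a group-unwritable file."""
    if default_acl is None:
        return requested & ~umask & 0o777
    group_entry = default_acl["g"] if default_acl["m"] is None else default_acl["m"]
    u = default_acl["u"] & ((requested >> 6) & 7)
    g = group_entry & ((requested >> 3) & 7)
    o = default_acl["o"] & (requested & 7)
    return (u << 6) | (g << 3) | o


if __name__ == "__main__":
    shared = parse_default_acl("u::rwx,g::rwx,o::r")
    # touch and most editors request 0666: the default ACL wins over a strict umask
    print(oct(effective_mode(0o666, 0o077, shared)))  # 0o664
    # the same create without a default ACL falls back to the umask
    print(oct(effective_mode(0o666, 0o077, None)))  # 0o600
    # cp of a 0644 source requests 0644: group write is masked out despite the ACL
    print(oct(effective_mode(0o644, 0o002, shared)))  # 0o644
    # mkdir requests 0777: a new subdirectory becomes rwxrwxr-x
    print(oct(effective_mode(0o777, 0o022, shared)))  # 0o774
```

To troubleshoot a real directory, compare `getfacl -d` on the parent with the mode the application requests (strace the open/creat call); the model tells you which of the two is clipping the group bits.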
5

In your shell script (or .bashrc) you may use something like:

umask 022

umask is a command that determines the settings of a mask that controls how file permissions are set for newly created files.

David Ferenczy Rogožan
user3270784
  • This is not correct because umask limits the permissions; it cannot add permissions. – ACV Jan 11 '18 at 17:17
  • @ACV can you elaborate? This works for me, newly created files now allow group members to have rw permissions when I do `umask 002` in my .bashrc. – Arthur Dent Apr 24 '18 at 20:46
  • @ArthurDent `umask 002` limits access to others, leaving group unchanged. Remember, it's `ugo` - that is user group others. Also remember that umask basically means subtract from the defaults. For files: `666 - 002` would mean 664 which means group is not affected. – ACV Apr 25 '18 at 21:42
4

It's ugly, but you can use the setfacl command to achieve exactly what you want.

On a Solaris machine, I have a file that contains the acls for users and groups. Unfortunately, you have to list all of the users (at least I couldn't find a way to make this work otherwise):

user::rwx
user:user_a:rwx
user:user_b:rwx
...
group::rwx
mask:rwx
other:r-x
default:user:user_a:rwx
default:user:user_b:rwx
....
default:group::rwx
default:user::rwx
default:mask:rwx
default:other:r-x

Name the file acl.lst and fill in your real user names instead of user_X.

You can now set those acls on your directory by issuing the following command:

setfacl -f acl.lst /your/dir/here
innaM
  • can you leave off the user list if they are all a member of the same group, and just use the group permissions? – David Dean Feb 24 '09 at 11:22
  • I was asking myself the same question. It's been a while since I set this up. But every time I get a new user (in the same group as the others), I forget to update the list and I'll get complaints about the new user not being able to write/delete files. So the answer is: No, you can't. – innaM Feb 24 '09 at 12:43
0

I don't think this will do entirely what you want, but I just wanted to throw it out there since I hadn't seen it in the other answers.

I know you can create directories with permissions in a one-liner using the -m option:

mkdir -m755 mydir

and you can also use the install command:

sudo install -C -m 755 -o owner -g group /src_dir/src_file /dst_file
adam.hendry