
Sunday, March 28, 2010

Posted by venu k
4 comments | 11:26 AM

To understand this article you should be familiar with Linux advanced
file permissions; otherwise, go through the link below before following
this article.
Advanced File Permissions

My Objective:
I have a folder which I want to share with "rw" permissions for a
selected group of users. Let's say the folder is /home/project and I
want to share it with the group development. What I want is not only
having users accessing files in /home/project with rw access, but also
to ensure that all files created in /home/project will have ownership
username:development and permissions -rw-rw-r--.

Sharing a directory among users in the same group is one of the
essential tasks. To let a group of users work on a set of files without
infringing on security, you'll have to do this:

1. Create a common group for these users in /etc/group

# groupadd development
Check whether the group was created:
# tail -1 /etc/group
development:x:501:

2. Add the project administrator user (padmin) and set up a password

# useradd -g development -d /home/project -c "Project Admin" \
-m padmin
# tail -1 /etc/passwd
padmin:x:501:501:Project Admin:/home/project:/bin/bash
# passwd padmin

3. Create separate user accounts for the rest of the users, but specify
the same home directory.

# useradd -d /home/project/ -g development user1
# passwd user1
Add another user:
# useradd -d /home/project/ -g development user2
# passwd user2

Create as many user accounts as you want.

4. Make sure the home directory and all subdirectories are not owned by
any of the users. Use chown to surrender ownership to padmin.

# chown padmin:development /home/project/
# ls -ld /home/project/
drwxrwxr-x 18 padmin development 4096 Mar 28 16:18 /home/project/

5. Make the directories group-writable and set their SGID and Sticky
Bits with chmod 3775 (1 for sticky and 2 for SGID).

# chmod -R 3775 /home/project/
# ls -ld /home/project/
drwxrwsr-t 18 padmin development 4096 Mar 28 18:22 /home/project/

In this scenario, every user of the group has write permission on the
directory and can create files and directories, but can only delete
those he owns. The SGID bit ensures that all files created in
/home/project will have ownership username:development, and the sticky
bit ensures that users can delete only the files they own.

Note that setting the SGID permission on a directory only affects the
groupID of new files and subdirectories created after the SGID bit is
set, and is not applied to existing entities. Setting the setgid bit
on existing subdirectories must be done manually.

Can You Inherit File Permissions?


When you create a file or directory under a directory, its default
permissions are determined by your umask. Files and directories do not
inherit the parent directory's permissions; only the SGID bit is
inherited by newly created directories under it. So even though your
shared directory is group-writable, you can't edit other users' files.

Log in as user1 and create a temp file.

# su - user1
$ touch temp ; ls -l temp
-rw-r--r-- 1 user1 development 0 Mar 28 18:54 temp

Now log in as user2 and try to edit the temp file.

# su - user2
$ cat > temp
-bash: temp: Permission denied

There is no way to inherit permissions from a directory; they are
controlled by the process's umask. But there is a way to make files
group-writable when they are created. Add the umask 002 command to the
.bashrc file if it exists; otherwise create the file and add the command.

# su - padmin
$ ls -l .bashrc
-rwxrwsr-t 1 padmin development 124 Mar 28 13:05 .bashrc
$ cat >> .bashrc
umask 002
Ctrl+d

Now log in as user1 and create a temp file.

# su - user1
$ touch temp ; ls -l temp
-rw-rw-r-- 1 user1 development 0 Mar 28 19:38 temp

The file is created with group-writable permissions by default.

Note: Tell users who are already logged in to log out and log in again.
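
An added example, not part of the original post: a small shell audit that reports where a shared tree has drifted from the scheme above (entries with the wrong group, subdirectories missing SGID, files created under umask 022, and regular files that picked up SGID from the recursive chmod, as .bashrc did in the listing above). The function names, the issue labels and the script name audit.sh are this example's own; the directory and group are the ones used in this article.

```sh
#!/bin/sh
# Added example (not from the original post): audit a shared directory tree
# for drift from the SGID + umask 002 scheme described in this article.
# audit_shared DIR GROUP prints "ISSUE<TAB>path", one line per finding.

# Prefix every path read on stdin with an issue label.
tag() {
    while IFS= read -r path; do
        printf '%s\t%s\n' "$1" "$path"
    done
}

audit_shared() {
    dir=$1
    grp=$2

    # Entries created before SGID was set keep their creator's group.
    find "$dir" ! -group "$grp" | tag WRONG_GROUP

    # SGID is not applied retroactively: a subdirectory without it hands
    # out the creator's primary group to everything created inside it.
    find "$dir" -type d ! -perm -2000 | tag DIR_NO_SGID

    # Files or directories created under umask 022 lack group write,
    # so other members of the group cannot edit them.
    find "$dir" \( -type f -o -type d \) ! -perm -020 | tag NOT_GROUP_WRITABLE

    # chmod -R 3775 also sets SGID and execute bits on regular files;
    # SGID on an executable means it runs with the file's group.
    find "$dir" -type f -perm -2000 | tag FILE_SGID
}

# Run the audit when called with arguments, for example:
#   sh audit.sh /home/project development
if [ "$#" -ge 2 ]; then
    audit_shared "$1" "$2"
fi
```

Findings can then be corrected per type, for instance with chmod g+s on the listed directories and chmod g-s on the listed regular files.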

Have you thought about using ACLs? They will give you much
finer-grained control over the permissions you can set on files and
directories. ACLs will also allow you to set a default mask for any
given directory.

To learn more about ACLs (Access Control Lists), search Google for
"Linux acls" or wait for my next article.

4 comments:

  1. This is exactly what I was looking for, thank you for taking the time to write it down.

    However, one thing I don't understand (and doesn't work for me): How can the umask of user padmin affect the permissions of user1? Again, I didn't get this to work. I had to change the umask of user1, which is obviously exactly what we're trying to prevent.

    Any enlightenment is appreciated.

    - Michael

  2. @Michael
    What is the home directory of user1?
    /home/project

    padmin's .bashrc file exists in the /home/project directory,
    so it affects all users.

    I think you have created a different home directory for user1.

  3. This is perfect.
    Looking for days!

    Everybody who wants to share and edit files together within the same group but still wants some protection against outside users... This is it.

  4. Just keep in mind if you are using sftp adding umask 002 to ~/.bashrc does not work.

    You need to set the umask in the sshd_config file

    Subsystem sftp /usr/lib/openssh/sftp-server -u 0002

    A per directory control is really needed.
