Results 1 to 10 of 15

Thread: How to set group permissions for users

  1. #1
    Join Date
    Jun 2008
    Location
    Seattle, WA
    Posts
    28

    Default How to set group permissions for users

    Hi,

    I have two users on my webserver. I need both of them to have access to add and remove files/directories from a certain directory but still allow apache to serve the web pages.

    The directory I need to share is:
    /srv/www/htdocs/website1

    I can get one user or the other to have the desired access but not both at the same time.

    I tried the following chown settings:
    user1:users
    user2:users
    wwwrun:www
    user1:root

    The first two allow one user or the other to gain access.

    Here is the user/group membership as shown in yast:
    user1 - www,dialout,video,users
    user2 - www,dialout,video,users

    I tried adding user1 to the root group but that didn't work either.

    Could someone please help me figure this out? Also, is it necessary for users to log in and out to gain new permissions like Windows accounts?

    Thanks a lot!
    rob

  2. #2
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,683
    Blog Entries
    4

    Default Re: How to set group permissions for users

    This is not a problem that can be solved with traditional Unix permissions. Normally what one would do is make the top directory group owned by users, group writable and with the group s bit on. This ensures that the group ownership propagates to any directories created. (This interpretation of the s bit for directories is an invention from BSD Unix.) The problem is, it is not sufficient to ensure that the group write bit is turned on for files and directories underneath, as well as ensure that the world read bit is on so that Apache can serve the files. (Also the world x bit for directories.) Umask can only mask away permissions, not force them on.

    If the users are accessing the directories via Samba, you can get samba to force group and world permissions.

    If the users are accessing the directories via ftp, some ftp servers also allow group and world permissions to be forced.

    If the users are accessing the directories directly or via sftp, then you have to use POSIX ACLs to do this. The man pages to read are setfacl and getfacl.

    Also if you have other users on the system that you don't want to give access to these directories, then you should use a separate group for this, instead of users.

  3. #3
    Join Date
    Jun 2008
    Location
    Seattle, WA
    Posts
    28

    Default Re: How to set group permissions for users

    Is there any way you could post an example? I have been reading setacls and having a bit of trouble understanding. I am pretty much a beginner at UNIX but I try pretty hard to find my own answer through research and experimentation before posting.

    We are accessing the file system primarily using WinSCP which is using sftp with fallback of scp. I'm not sure which protocol the app is deciding on.

    I would also like to make sure we have access via the command line. Generally we use PuTTY to connect to the command line.

    I have a basic/generic text mode installation of openSUSE 11.0.

    I will re-read the suggested man pages and try anything that makes sense.

    I did post one other question. Do Linux users have to log in and out like Windows users to gain their new permissions? From my experimentation, it seems as though this is dynamic but I would like to know for sure.

  4. #4
    Join Date
    Jun 2008
    Location
    Seattle, WA
    Posts
    28

    Default Re: How to set group permissions for users

    Here is what I came up with. Could you tell me if this is best practice and if it is secure?

    target folder: /srv/www/htdocs/website1

    Both users are a member of the USERS group. I set the directory ownership to root:users and permissions to 775.

    getfacl:
    # file: website1
    # owner: root
    # group: users
    user::rwx
    group::rwx
    other::r-x

    ls -l:
    drwxrwxr-x 2 root users 4096 2009-08-29 09:32 website1

    Apache still seems to be able to serve the pages and I can write, overwrite and delete files with both users within the website1 directory.

  5. #5
    Join Date
    Jun 2008
    Location
    Seattle, WA
    Posts
    28

    Default Re: How to set group permissions for users

    This led to another problem. If I log into the webserver as User1, navigate to the target directory, and create a new directory, I see that User1 is the owner with permissions of 755.

    Now if I log in as User2, this user cannot add, change or delete files/directories because the owner is User1 and group permissions are only r-x. User2 does not have write permissions to the directory.

    How can I get all nested directories that are created to still allow permission for both of these users to perform add, change, and delete operations?

    Continuing research...

  6. #6
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,683
    Blog Entries
    4

    Default Re: How to set group permissions for users

    To be able to delete a directory, the user must be able to empty it first, so she must have write permission on it. Then the user must have write permission on the parent directory, to delete the directory.

    That's the problem with creation of directories. Without ACLs there is no way to force the group write bit on when the user creates it, so that other people can empty it. So you will have to set an ACL on the top directory that forces group ownership and group write and make it propagate downwards to subdirectories and files. You do this by setting the default ACL of the top directory. See man 5 acl under the section OBJECT CREATION AND DEFAULT ACLs.

    If a user has her group membership changed, the user has to log out and log in again because the group memberships are read once at start of the session.

  7. #7
    Join Date
    Jun 2008
    Location
    Seattle, WA
    Posts
    28

    Default Re: How to set group permissions for users

    That man page has some good information. It expands on what you mentioned here. Unfortunately there are no examples.

    I have tried a number of different things such as changing the default ACL. I believe changing the default ACL is what needs to be done so when a user creates a directory, it has permissions that I specifically configure. Nothing that I have tried so far has worked.

    I'll try a few more things and post what I attempted. So far I'm getting nowhere.

  8. #8
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,683
    Blog Entries
    4

    Default Re: How to set group permissions for users

    Make sure the filesystem in question is mounted with the user_xattr option, otherwise POSIX ACLs are not supported.

    From reading the man page of setfacl, it might be something like this (untested):

    setfacl -m d:g:users:rwx /srv/www/htdocs/website1

    which allows the group users to rwx. Then you can verify with:

    getfacl /srv/www/htdocs/website1

  9. #9
    Join Date
    Jun 2008
    Location
    Seattle, WA
    Posts
    28

    Default Re: How to set group permissions for users

    I have a default text mode installation of openSUSE. I'll have to check if the file system is mounted as you pointed out. Is there an easy way to check that?

    After I determine that, I'll try your suggested command line. That looks similar to command line examples shown in the SETFACL man page.

  10. #10
    Join Date
    Jun 2008
    Location
    UTC+10
    Posts
    9,683
    Blog Entries
    4

    Default Re: How to set group permissions for users

    Just run the command "mount". The output for a filesystem should look something like this:

    /dev/sda2 on / type ext3 (rw,noatime,acl,user_xattr)

    Actually it's the acl option that matters according to the man page, not sure if user_xattr is needed to support it, without looking further.
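
The behaviour discussed in posts #2, #5, #6 and #8, as an added example that is not part of any post in this thread: in a scratch directory it shows that the setgid bit alone still leaves new subdirectories at 755 under umask 022, and that a default ACL of the kind suggested in #8 makes them group-writable. The scratch path, the function names and the use of the caller's primary group (instead of `users`) are assumptions made so the script can run without root.

```shell
#!/bin/sh
# Added example (not from the thread). Requires Linux with GNU or BusyBox stat;
# the ACL step also needs setfacl and a filesystem mounted with ACL support.

# Create directory $2 under $1 with umask 022 and print its octal mode.
# The subshell keeps the umask change from leaking into the caller.
child_mode() {
    ( umask 022 && mkdir "$1/$2" && stat -c '%a' "$1/$2" )
}

# Prints "<mode before default ACL> <mode after default ACL>".
demo() {
    top=$(mktemp -d) || return 1      # constructed stand-in for website1
    gid=$(id -g)                      # stand-in for the shared group
    chgrp "$gid" "$top"
    chmod 2775 "$top"                 # group rwx plus the group s bit

    # setgid propagates the group and the s bit, but umask 022 still
    # strips group write: this is the 755 directory from post #5.
    before=$(child_mode "$top" before)

    # Default ACL on the top directory, same form as the command in post #8.
    # With a default ACL present, the kernel ignores the umask on creation.
    if command -v setfacl >/dev/null 2>&1 &&
       setfacl -m "d:g:$gid:rwx" "$top" 2>/dev/null; then
        after=$(child_mode "$top" after)
    else
        after=unsupported             # no setfacl, or no ACL support on this fs
    fi

    rm -rf "$top"
    echo "$before $after"
}

demo
```

On a filesystem with ACL support the second value shows group write on the new directory even though the umask is still 022; `getfacl` on that directory lists the inherited entries.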
