4

How can I make a directory recursively read/writable to a group of users?

PROBLEM:

This is a directory used by Apache, so access rights should be fairly strict. The only way I could make it work adequately was to mount the directory as an NFS share, which forces the uid and gid to be set to a specific group and uid. But this seems like a hack, and allows anybody to modify the contents, although Apache then has fairly strict access rights on the "real" directory.

WHAT I HAVE TRIED:

I have tried the setgid bit, which fails when copying directories via scp, even after trying to set umask in 6 different places. I've also installed and mounted the partitions to use acl, which had the same problem with the group rights when copying with scp/sftp.

This is really frustrating, as it seems like such a simple and profound problem for which I haven't found a satisfactory solution. Hope I'm missing something obvious here. Using mainly Debian squeeze.

2 Answers

1

The solution with chmod g+s and forcing umasks works quite well. Did you force the sftp subsystem umask in the sshd_config file?

Subsystem sftp internal-sftp -u 0002
kupson
  • Yes, I've re-tried that and similar approaches (with sftp wrappers etc.), but the copied directories still don't have the s bit set, nor can I force them to be group writable. Maybe this is a Debian issue? – P Androidson Feb 28 '12 at 22:08
  • It works on Debian here. Do you use the XFS filesystem? The sysctl variable /proc/sys/fs/xfs/irix_sgid_inherit (!=0) could affect inheritance of the sgid bit on directories. – kupson Feb 29 '12 at 01:15
  • tried it on ext3 and ext4 – P Androidson Feb 29 '12 at 14:18
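
The setgid-plus-umask approach in the answer above only governs entries created after it is in place, and a umask can only clear permission bits, so uploads that arrive with the sender's modes may still need a repair pass. As an added example (not part of the original thread; the function names and the sample tree are constructed for illustration), this script audits a shared tree for missing group rights, missing setgid or world-writable entries, and repairs them:

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the sample tree are
# constructed for illustration.

# Print every entry that violates the shared-directory policy:
#   directories need group rwx plus setgid (2070), files need group rw (0060),
#   and nothing except symlinks may be world-writable (0002).
audit_shared_tree() {
    find "$1" \( -type d ! -perm -2070 \) \
           -o \( -type f ! -perm -0060 \) \
           -o \( ! -type l -perm -0002 \)
}

# Repair the tree. $2 (group name) is optional; changing the group requires
# owning the files and belonging to that group, or root.
fix_shared_tree() {
    if [ -n "${2:-}" ]; then chgrp -R "$2" "$1"; fi
    chmod -R g+rwX,o-w "$1"                  # X: execute only on dirs/executables
    find "$1" -type d -exec chmod g+s {} +   # new entries inherit the group
}

# Constructed sample: a setgid parent holding an upload that kept the
# sender's modes (no group write, no setgid) plus one world-writable file.
make_sample_tree() {
    mkdir "$1/shared" && chmod 2775 "$1/shared"
    mkdir "$1/shared/upload" && chmod g-w,g-s "$1/shared/upload"
    : > "$1/shared/upload/index.html" && chmod 0644 "$1/shared/upload/index.html"
    : > "$1/shared/upload/cache.tmp"  && chmod 0666 "$1/shared/upload/cache.tmp"
}

# Run as: sh fix-shared.sh DIR [GROUP]
if [ $# -ge 1 ]; then
    fix_shared_tree "$@"
    audit_shared_tree "$1"    # prints nothing when the tree is clean
fi
```

Running the audit from cron or after each deployment shows whether uploads are still arriving with the wrong modes, without widening access beyond the group.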
0

If you need some flexibility for sftp you may want to try mysecureshell. It has permission options such as:

DirFakeUser #Hide real file/directory owner (just change displayed permissions)

DirFakeGroup #Hide real file/directory group (just change displayed permissions)

DirFakeMode #Hide real file/directory rights (just change displayed permissions)

ForceGroup

ghm1014
  • I've used mysecureshell on an sftp server once. Might give it a try for something like this. Too bad it isn't included in the Debian repositories, but then again it seems a little bit like a "hacky" approach. – P Androidson Feb 28 '12 at 22:43