How to make new file permission inherit from the parent directory?

86

46

I have a directory called data. Then I am running a script under the user id 'robot'. robot writes to the data directory and update files inside. The idea is data is open for both me and robot to update.

So I setup the permission and owner group like this

drwxrwxr-x  2 me robot-grp 4096 Jun 11 20:50 data

where both me and robot belongs to the 'robot-grp'. I change the permission and the owner group recursively like the parent directory.

I regularly upload new files into the data directory using rsync. Unfortunately, new files uploaded does not inherit the parent directory's permission as I hope. Instead it looks like this

-rw-r--r-- 1 me users       6 Jun 11 20:50 new-file.txt

When robot tries to update new-file.txt, it fails due to lack of file permission.

I'm not sure if setting umask helps. In anycase the new files does not really follow it.

$ umask -S
u=rwx,g=rx,o=rx

I'm often confounded by Unix file permission. Do I even have a right plan? I'm using Debian lenny.

Wai Yip Tung

Posted 2010-06-12T04:06:50.127

Reputation: 961

Answers

53

You do not want to change your system's default umask, that is a security risk. The sticky bit option will work to some extent, but using ACL's is the best way to go. This is easier than you think. The problem with basic ACL's is that they are not recursive by default. If you set an ACL on a directory, only the files inside that directory inherit the ACL. If you create a subdirectory, it does not get the parent ACL unless the ACL is set to recurse.

First, make sure ACLs are enabled for the volume the directory is on. If you have tune2fs, you can perform the following:

# tune2fs -l /dev/sda1 | grep acl
Default mount options:    user_xattr acl

If you don't have tune2fs, then examine fstabs:

# cat /etc/fstab 
/dev/system/root        /                       ext3    defaults        1 1
/dev/system/home        /home                   ext3    defaults        1 2
/dev/storage/data       /data                   ext3    defaults        1 2
LABEL=/boot             /boot                   ext3    defaults        1 2

The 4th column that says "defaults" means on my system (CentOS 5.5), ACL's are on. When in doubt, leave it as defaults. If you try to set the ACL and it errors out, go back and add the acl option to /etc/fstab right after defaults: defaults,acl.

From what I understand, you want everyone in the users group to have write access to the data directory. That's accomplished by the following:

setfacl -Rm g:users:rwX,d:g:users:rwX data/

churnd

Posted 2010-06-12T04:06:50.127

Reputation: 4 228

So, you would just append setfacl -Rm g:users:rwX,d:g:users:rwX data/ at the end of /etc/fstab? – 425nesp – 2014-08-03T21:07:56.513

@piña no. the only change you make to /etc/fstab is to change defaults to defaults,acl. setfacl is a command you should run from the terminal. data/ should be replaced by the path to the directory you want to change. – Segfault – 2014-08-25T16:07:32.343

I used this command but it didn't fix my problem, how can i undo this command please? – Itai Ganot – 2013-08-15T09:37:56.750

Did the trick on ubuntu with sudo setfacl -Rm g:users:rwX,d:g:users:rwX /var/www/logs_or_something. Had problem with PHPUnit tests. After creating log files from running tests apache user www-data couldn't write/read them. – s3m3n – 2013-08-26T10:12:47.770

2

@Itai Ganot - according to the setfacl man page, -b or --remove-all removes the extended ACLs.

– jww – 2014-04-03T00:09:53.710

32

Marking a directory setgid (g+s) will make new files inherit the group ownership of the directory, but the -g option of rsync will attempt to override this.

Ignacio Vazquez-Abrams

Posted 2010-06-12T04:06:50.127

Reputation: 100 516

1@dannysauer "if the creating user is the owner but not a member of the group ... the setgid bit won't do anything" - thank you. Makes sense now - but with no feedback from rsync, was wondering why it wasn't working. – user12345 – 2019-02-05T23:48:41.700

12The setgid bit only makes created files inherit the group /if/ the person creating the new file is a member of that group; if the creating user is the owner but not a member of the group, or the directory is world-writable, the setgid bit won't do anything. And the umask for all file-creating users still needs to be set to allow appropriate group access. – dannysauer – 2013-09-12T18:18:58.917

4

Other answers apply in a general case, but as you mention that rsync is a source of the problem, you may just need to tune its invocation.

For a start, the popular -a flag makes rsync copy permissions; use -r istead of -a or add -no-p (for no permission sync) and -no-g (for no group sync). Also rsync supports --chmod flag to alter permissions on newly created files.

mbq

Posted 2010-06-12T04:06:50.127

Reputation: 727

3

Your umask is wrong for the permissions you want. You want a umask of 002. You currently have a umask of 022. Also, the comment about making the directory setgid is correct, but I'm not sure if the file group ownership is something you want to change or not.

Unix file permissions are actually a very simple model. I find ACLs completely confusing myself. :-)

Omnifarious

Posted 2010-06-12T04:06:50.127

Reputation: 538

4"Unix file permissions are actually a very simple model. I find ACLs completely confusing myself." - I kind of feel the opposite (but +1 anyways). ACLs (and Allow/Deny ACEs) are simple, and Unix permissions make no sense. But that's coming from a guy who is suffering a Postfix/Dovecot/Clam/SpamAssassin install. – jww – 2014-04-02T23:55:35.267

Asked: 2010-06-12T04:06:50.127

Viewed: 144 469 times

Active: 2015-09-03T15:36:56.010