How to set file permissions so that new files inherit same permissions?


I have a folder in which new subfolders and files will be created automatically, by a script.

I want to maintain the user and group permissions recursively for all new folders and files placed in the parent directory. I know this involves setting a sticky bit, but I can't seem to find a command that shows exactly what I need.

This is what I have done so far:

sudo mkdir -p /path/to/parent
sudo chown -R myself:somegroup /path/to/parent   # owner and group are set with chown, not chmod
sudo chmod -R 660 /path/to/parent

Thereafter, I want the 660 permissions to be set recursively to any folders and files placed in /path/to/parent.

However, everything I have tried so far has failed. Can someone help please?

Actually the octal flag 660 is probably not even correct. The permissions I want are:

  1. Directories placed under /path/to/parent are eXecutable by users with permissions
  2. files are read/writeable by user myself and members of somegroup
  3. Files and folders in /path/to/parent are NOT world readable

I am running on Ubuntu 10.0.4 LTS.

Can someone help please?

oompahloompah

Posted 2011-03-30T09:02:50.023

Reputation: 557

Question was closed 2013-06-25T12:37:40.993

Answers


Grawity gives an excellent answer but I suspect the edited question may have changed things slightly.

I would suggest leaving the directory owned by the apache user/group. This will probably be either apache or httpd depending on your distribution.

e.g.

chown -R apache:apache /path/to/parent

You can then do something like https://serverfault.com/questions/164078/is-adding-users-to-the-group-www-data-safe-on-debian or even add yourself to the apache group to ensure you have group access to the directory. (Something like usermod -aG apache username)

I would not chmod -R the entire directory because you don't want HTML scripts or JPGs or random other things executable. You should change permissions as required. (Though resetting it to 660 may not be the worst of ideas.)

Something you may like to try is:

chmod o+w file

The 'o' means 'other' & 'w' means 'write'. You can also have 'u' for 'user' & 'g' for 'group', as well as 'r' & 'x', which are hopefully self-explanatory. You can remove permissions using '-' rather than '+'.

Pricey

Posted 2011-03-30T09:02:50.023

Reputation: 4 262

The simplest solution I think, is to add myself to the apache user group. Thanks for suggesting that. I don't know why I didn't think of that myself! – oompahloompah – 2011-03-31T06:28:51.547

Is o+w a good choice here? Shouldn't the changes be limited to u and g? Otherwise, what's the point of trying to maintain security on the directory and sub-directories? – jww – 2014-04-03T07:08:49.540


The permission bits you are looking for are 0770 and 0660.

  • rw- permissions → 110 binary → 6 octal

The group ownership can be inherited by new files and folders created in your folder /path/to/parent by setting the setgid bit using chmod g+s like this:

chmod g+s /path/to/parent

Now, all new files and folder created under /path/to/parent will have the same group assigned as is set on /path/to/parent.


POSIX file permissions are not inherited; they are given by the creating process and combined with its current umask value.

However, you can use POSIX ACLs to achieve this. Set the default ACL on a directory:

setfacl -d -m u::rwX,g::rwX,o::- /path/to/parent

This will apply setfacl to the /path/to/parent directory, -modifying the -default ACLs – those that will be applied to newly created items. (Uppercase X means only directories will receive the +x bit.)

(If needed, you can add a u:someuser:rwX or g:someuser:rwX – preferably a group – to the ACLs.)


Note: On older systems using ext3/ext4, you used to need to mount the filesystem with the acl option, otherwise it would ignore all ACLs and disallow setting new ones.

mount -o remount,acl /

To set this permanently, use tune2fs -o acl <device> or edit /etc/fstab.

user1686

Posted 2011-03-30T09:02:50.023

Reputation: 283 655

This doesn't work with unzip? – datasn.io – 2019-03-06T02:07:15.060

Thanks for taking the time to answer. Unfortunately, I am quite new to all of this, and what you wrote is indistinguishable from Greek to me (sorry to any Greek SO'ers!). I did not understand most of what you wrote. I have a web process and I want to give Apache the ability to create folders and files in a parent folder where only Apache (the owner) and I (the group) have the ability to rw files and change into directories. Everyone else is banned. That is all I am trying to do. Apache needs to be able to create sub folders and store files in them. – oompahloompah – 2011-03-30T10:35:28.150


I think you are over complicating the issue. If the top level directory is not accessible to others, then others won't be able to create files within the tree. Group write access is not required if only apache is doing the writing.

These steps should do what you want (replace directory in the commands with the directory you want to use):

  • add umask 027 to the apache defaults script /etc/default/apache. This will prevent others from accessing any files or directory apache creates.
  • execute chown www-data:www-data directory on the directory you want apache to be able to write to.
  • execute chmod 750 directory on the directory you want apache to be able to write to.

Allowing apache to write to a directory opens up the ability to inject all sorts of malware into the content you are serving. Monitor the contents of this directory tree appropriately.

BillThor

Posted 2011-03-30T09:02:50.023

Reputation: 9 384
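The following script is an added example, not code from either answer above. It builds a throwaway parent directory with the mode user1686 suggests (2770 with setgid) and then with the mode BillThor suggests (750), creates a subdirectory and a file inside under a chosen umask, and reports the resulting modes. It shows the point both answers make: the setgid bit propagates the group and (to subdirectories) the setgid bit itself, but the permission bits of new files come from the creating process's umask, not from the parent. It assumes a POSIX sh with ls, cut, mkdir, chmod and mktemp, as on Ubuntu.

```shell
# Print the 10-character mode string of a path, e.g. "drwxrws---".
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# demo_create <parent-mode> <umask>
# Creates a temporary parent with <parent-mode>, then a subdirectory and a
# file inside it while running under <umask>. Prints the three mode strings
# "<parent> <subdir> <file>" and removes the tree again.
demo_create() {
    parent=$(mktemp -d) || return 1
    chmod "$1" "$parent"
    # The creating process runs in a subshell so the umask change stays local.
    ( umask "$2" && mkdir "$parent/sub" && : > "$parent/sub/data.txt" ) || return 1
    printf '%s %s %s\n' "$(mode_of "$parent")" "$(mode_of "$parent/sub")" \
        "$(mode_of "$parent/sub/data.txt")"
    rm -rf "$parent"
}

# user1686's setup: setgid parent, creating process uses umask 007.
# The subdirectory inherits the setgid bit; the file is group rw, nothing for "other".
# Expected: drwxrws--- drwxrws--- -rw-rw----
demo_create 2770 007

# Same parent, but the creating process kept the usual default umask 022.
# The parent's 770 is not inherited: the new file is world-readable.
# Expected: drwxrws--- drwxr-sr-x -rw-r--r--
demo_create 2770 022

# BillThor's setup: 750 parent and umask 027.
# Owner rw, group read-only, no "other" bits on anything created inside.
# Expected: drwxr-x--- drwxr-x--- -rw-r-----
demo_create 750 027
```

The second call is the case the umask-based answers guard against: without umask 007/027 (or a default ACL) the only thing keeping the file private is that outsiders cannot traverse the parent.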