More Linux permissions questions

2

1

I've read countless articles on the topic and searched through every question and answer I could find without any luck. I'm slowly going mad so I'm turning to you guys since I know the answer to my question is most likely simple.

On my web server, I have two users and two groups. The users need to read and write to the same area. Not a single folder, but a complex network of folders.

>> groups user_1
      popuser psaserv psacln
>> groups user_2
      psacln popuser psaserv

These aren't real users so they don't have .bashrc files. When each of the users creates a directory, the permissions look exactly how I'd expect:

drwxr-xr-x 2 user_1 popuser 4096 Apr 30 20:47 folder_1
drwxr-xr-x 2 user_2 psacln  4096 Apr 30 20:49 folder_2

But once one of the two users creates the folder, the other is unable to write any files to it.

If I chmod 777, then of course they can both write.

cat /etc/group

popuser:x:31:user_1,psaserv,user_2
psacln:x:505:user_2,user_1,psaserv

Also unusual is that when a file is written into the group, the permissions seem very restrictive:

-rw-r--r-- 1 user_2 psacln 0 Apr 30 21:15 some_file.ext

Although maybe that's expected.

Anyway, to sum up and clarify my two-part question:

1) How can I make both users access files and folders from each other, given their group differences?
2) How can I set the default permissions on new files so they inherit the folder permissions?

(2) I've tried adding umask 022 into my ~/.bashrc file for my root user, but it didn't do anything. I'm unsure where to put that for these "users" who don't have home directories.

Sorry, I know questions like this can feel redundant for you Linux user experts. Searching is difficult when I don't even know what I'm looking for.

Thanks so much, as always.

[I'm on CentOS]

Ryan Martin

Posted 2012-05-01T04:42:52.933

Reputation: 121

Look at setting the SGID bit on a directory, which'll force all new subdirs created in it to take on the same GID as the container. – None – 2012-05-01T04:47:58.543

Thanks for the suggestion, Marc. I just spent about an hour trying to figure this out, but I still feel so lost. On the root-most directory of the structure that both users/groups need to write to, I did this: chmod -R g+rxws,u+rxws,o+rxs root_dir And that gave me these permissions on everything inside: drwxrwsrwx. Immediately after doing that, everything works, until one of the users creates a new directory. Then, the new directories have these permissions: drwx--S---, which is no good. The other group can't write into that directory anymore. What am I doing wrong? – Ryan Martin – 2012-05-01T17:44:26.683

Answers

1

1) How can I make both users access files and folders from each other, given their group differences?

One way is to give the directories a group that the users have in common.

  chgrp psaserv folder1 folder2
  chmod g+w  folder1 folder2

2) How can I set the default permissions on new files so they inherit the folder permissions?

Use the "set group ID" bit.

  chmod g+s folder1 folder2

You can't inherit rwx permissions; set the umask.


I've tried adding umask 022 into my ~/.bashrc file for my root user, but it didn't do anything. I'm unsure where to put that for these "users" who don't have home directories.

You have arranged that some process is using those user-ids. You should arrange for that process to set its umask to 022. How you do this depends on what process you have arranged to do this. Perhaps you use sudo, perhaps it is a web-server, perhaps it is something else. Unless you explain, it isn't really possible to provide detailed specific advice.

RedGrittyBrick

Posted 2012-05-01T04:42:52.933

Reputation: 70 632

Thanks for the reply. Much appreciated. My initial thought was to execute your first solution after each user created a directory or file, but for a reason I don't understand yet, chmod-ing and chown-ing doesn't stick when executed by those users. As for your second solution, I think this is what I need to figure out still. I didn't set up my server, or either of these users. One is a mail server and one is my general http server, so I'm unsure exactly how they work right now. It's driving me crazy though. – Ryan Martin – 2012-05-01T17:57:59.913
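The following script is an added example, not code from the question or from the answer above. Run as any Linux user in a temporary directory, it shows what the setgid suggestion does and does not pass on: new subdirectories inherit the parent's group and the setgid bit, new files inherit the group, and the rwx bits are never inherited but come from the creating process's umask. The second call also reproduces the drwx--S--- the asker saw in the comments: octal 2700 is exactly a setgid bit inherited from the parent plus group/other bits stripped by a umask of 077, which ls renders with a capital S (setgid set, group execute absent). The assumption here is that the shared group is the caller's primary group so chgrp works without root; on the server it would be a group both service users share, such as psaserv from the question. Directory and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not the answer's own code. Demonstrates setgid-directory
# inheritance and the effect of umask on entries created inside it.
# Assumption: the "shared" group is the caller's primary group, so chgrp
# is permitted without root (on a real server: a group both users share).
shared_group=$(id -gn)

# Create the shared root the way the answer suggests: common group,
# group-writable, setgid. 2775 is the octal form of rwxrwsr-x.
setup_shared_dir() {
    dir=$(mktemp -d)                 # constructed temporary location
    chgrp "$shared_group" "$dir"
    chmod 2775 "$dir"                # equivalent to chmod g+w,g+s plus 755
    printf '%s\n' "$dir"
}

# Create "$1/$3" and a file inside it under umask $2, then print
# "<dir mode>:<dir group> <file mode>:<file group>" on one line.
# The directory mode keeps the inherited setgid bit (leading 2); the
# file and directory rwx bits are base mode & ~umask, not inherited.
create_inside() {
    dir=$1; mask=$2; name=$3
    (umask "$mask"; mkdir "$dir/$name"; : > "$dir/$name/file.txt")
    printf '%s %s\n' $(stat -c '%a:%G' "$dir/$name" "$dir/$name/file.txt")
}

# Stand-alone demo: a process with umask 002 produces group-writable
# entries; a process with umask 077 produces 2700, shown by ls as drwx--S---.
root=$(setup_shared_dir)
echo "umask 002: $(create_inside "$root" 002 sub_002)"   # 2775:<group> 664:<group>
echo "umask 077: $(create_inside "$root" 077 sub_077)"   # 2700:<group> 600:<group>
rm -rf "$root"
```

The takeaway for the question: chmod g+s on the tree makes the group stick, but the group's rwx bits on each new directory are decided by the umask of whichever daemon created it, so the fix for drwx--S--- is that daemon's umask, not more chmod.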

1

If you want new files created by your users to by default be writable by group members, you need to modify the umask to something other than 022. If you are OK with the security implications, set the umask to 002 (for examples on where to set umask, see https://stackoverflow.com/questions/10220531/how-to-set-system-wide-umask).

Umask explained

The default file permissions on newly created files and directories are a standard permission (rw-rw-rw- for files, rwxrwxrwx for directories) subtracting the current umask setting. A umask setting of 000 would keep the standard permissions, whereas a setting of 777 would remove all permissions.

The three numbers in the umask represent user, group and anyone permissions respectively. Each number represents three binary digits indicating whether or not to remove a specific permission.

digit - rwx bits removed (remaining permission)
-----------------------------------------------
0 - 000 (rwx)
1 - 001 (rw-)
2 - 010 (r-x)
3 - 011 (r--)
4 - 100 (-wx)
5 - 101 (-w-)
6 - 110 (--x)
7 - 111 (---)

To calculate which permissions a new file will have given a certain umask, start with the default permission and subtract the umask.

orig    rwx rwx rwx (777, default directory permission)
umask   000 010 010 (022)
result  rwx r-x r-x (755)

orig   rw- rw- rw- (666, default file permission)
umask  000 010 010 (022)
result rw- r-- r-- (644)

orig   rwx rwx rwx (777, default directory permission)
umask  000 000 010 (002)
result rwx rwx r-x (775)

orig   rw- rw- rw- (666, default file permission)
umask  000 000 010 (002)
result rw- rw- r-- (664)

erikxiv

Posted 2012-05-01T04:42:52.933

Reputation: 1 804

Thanks for your reply. Like I mentioned up top, I don't know how to modify the umask for these users since they don't have .bash files I can customize. I've been looking for alternative ways to set it up, but I haven't found the proper solution. – Ryan Martin – 2012-05-01T17:59:15.137

How are the processes that read/write files with these users started? Could that invocation be prepended with an umask statement? – erikxiv – 2012-05-01T19:06:42.963

I guess that's the part that I'm struggling with. I didn't create these users, they were created when my server was created. One user serves the http docs and the other is the mail server that processes incoming and outgoing mail. So I'm not entirely sure what files get executed when each "user" processes one of those cases. I've tried setting the umask to 002 everywhere I could possibly find, but nothing seems to work. New folders and files are always created with bad permissions. – Ryan Martin – 2012-05-01T20:10:43.087

Well, I guess you could try to hunt down the scripts used to start the web and mail servers and add umask to these, or possibly try to set umask for root (who might be the user used to start the services on server startup)... – erikxiv – 2012-05-01T20:26:12.287
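The worksheet in erikxiv's answer can be turned into a small calculator; the script below is an added example, not code from that answer. It computes the resulting mode the way the kernel does, as a bitwise AND with the complement of the umask, and renders it as the rwx string ls shows. Digit-by-digit "subtraction" gives the same result whenever every bit in the umask is also set in the base, which holds for the 022 and 002 cases in the answer, but the bitwise rule also covers umasks such as 033 on a file (666 & ~033 = 644, not 633). Function names are this example's own.

```shell
#!/bin/sh
# Added example, not the answer's own code. Computes and explains the
# permissions a new file (base 666) or directory (base 777) receives
# under a given umask. Octal arguments are written as plain digits,
# e.g. mode_after 666 022.

# mode_after BASE MASK -> resulting octal mode (BASE & ~MASK)
mode_after() {
    printf '%03o\n' $(( 0$1 & ~0$2 ))
}

# to_rwx OCTAL -> symbolic form, e.g. to_rwx 644 -> rw-r--r--
# Walks the user, group and other triplets from the top bits down.
to_rwx() {
    m=$(( 0$1 ))
    out=
    for pos in 6 3 0; do
        bits=$(( (m >> pos) & 7 ))
        out="$out$( [ $((bits & 4)) -ne 0 ] && printf '%s' r || printf '%s' - )"
        out="$out$( [ $((bits & 2)) -ne 0 ] && printf '%s' w || printf '%s' - )"
        out="$out$( [ $((bits & 1)) -ne 0 ] && printf '%s' x || printf '%s' - )"
    done
    printf '%s\n' "$out"
}

# explain BASE MASK -> prints the three-line worksheet used in the answer;
# the umask line shows which bits the mask removes, in rwx letters.
explain() {
    res=$(mode_after "$1" "$2")
    printf 'orig    %s (%s)\n' "$(to_rwx "$1")" "$1"
    printf 'umask   %s (%s, bits removed)\n' "$(to_rwx "$2")" "$2"
    printf 'result  %s (%s)\n' "$(to_rwx "$res")" "$res"
}

# Stand-alone demo covering the answer's four cases plus the asker's
# umask-077 symptom and a case where digit subtraction would mislead.
for pair in "777 022" "666 022" "777 002" "666 002" "777 077" "666 033"; do
    set -- $pair
    explain "$1" "$2"
    echo
done
```

The last two cases are the ones worth remembering: umask 077 on a directory yields 700, which inside a setgid tree displays as drwx--S---, and umask 033 on a file yields 644 because the mask can only clear bits that exist in the base.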