Friday, August 5, 2016

Make New Files in Some Directory Be Accessible to a Group

My wife Nancy has finally let me move her over to Linux, so now we can easily share access to a lot of files on our server, such as photos. But I want her not just to be able to read those files but also to be able to write them. On the other hand, I don't want to make them world-writable; I just want them to be Nancy-writable.

Obviously, the solution is to create a group rghnlw of which we are both members, make that group own the files, and make them group-writable. That's easy enough for existing files. But what about new files? I'd like those also to be owned by the group and to be group-writable.

Making the new files be owned by the group is easy: all we need to do is make the directory in which these files live setgid, and make the group in question own that directory (and any subdirectories). So let's say I've put our common files into /home/common/. Then the first step is:
# chgrp -R rghnlw /home/common
# chmod -R g+s /home/common

Now any new files created in /home/common/ will have group rghnlw.

Unfortunately, however, those files will not be group-writable---not if my umask, and Nancy's, are the typical 022. Changing that would be an option, but it would make all files that either of us create group-writable, which is not what I want.

The solution is to use access control lists. There are good discussions of how to use these for this purpose here and here, but I'll summarize as well.

First, we need to enable access control lists for whatever filesystem we are using. In this case, /home/ is mounted on its own partition, and its line in /etc/fstab looks like:
/dev/hda3      /home      ext3    defaults        1 2

We need to change this to:
/dev/hda3       /home      ext3    defaults,acl        1 2

Then, to activate the new setting, we need to remount:
# mount -o remount /home
# tune2fs -l /dev/hda3

The latter should now show acl as active.
Second, we need to establish the access controls:
# setfacl -d -m group:rghnlw:rw /home/common/
# setfacl -R -m group:rghnlw:rw /home/common/

The former sets a default ACL entry on the directory, so that new files created there give group rghnlw read and write permission; the latter applies the same entry to the directory and to the files that already exist in it.
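The whole procedure, as an added example that is not part of the original post: the fstab edit, the setgid/ACL steps, and an offline calculation of what the default ACL entry actually gives a new file. The group name rghnlw, the /home mount on /dev/hda3 and the directory /home/common are the post's; the function names (add_acl_option, effective_group_perm, setup_shared_dir) are mine. It goes one step beyond the post by showing that the permission a new file ends up with depends on the mode the creating program asked for, not only on the ACL.

```shell
#!/bin/sh
# Added example (not the post's own code): the post's steps as functions,
# plus an offline check of the umask/ACL interaction.  Function names are
# assumptions of this example.

# 1. Add "acl" to the mount options of one mount point in fstab-style text
#    read on stdin, e.g.  add_acl_option /home < /etc/fstab > /tmp/fstab.new
#    (inspect the result before copying it over /etc/fstab).  Lines for other
#    mount points pass through unchanged and a line that already has acl is
#    left alone, so running it twice is harmless.
add_acl_option() {
    awk -v mnt="$1" -v OFS='\t' '
        $2 == mnt && $4 !~ /(^|,)acl(,|$)/ { $4 = $4 ",acl" }
        { print }
    '
}

# 2. Effective permission a named-group default ACL entry gives a newly
#    created object.  On Linux (acl(5)) the umask is ignored when the parent
#    has a default ACL: the new object's ACL is a copy of the default ACL,
#    with its mask entry intersected with the group bits of the mode the
#    creating program passed to open(2) or mkdir(2).  Arguments are octal
#    digits (7=rwx, 6=rw-, 5=r-x, 4=r--):
#      $1  the default named-group entry: 6 for the post's group:rghnlw:rw
#      $2  the default mask; setfacl computes it as the union of all
#          group-class entries, so group::r-x plus group:rghnlw:rw- gives 7
#      $3  group bits of the requested mode: 6 for open(...,0666) as used by
#          touch and most editors, 7 for mkdir(1), 4 when cp copies a 0644 file
effective_group_perm() {
    bits=$(( $1 & $2 & $3 ))
    perm=""
    if [ $(( bits & 4 )) -ne 0 ]; then perm="${perm}r"; else perm="${perm}-"; fi
    if [ $(( bits & 2 )) -ne 0 ]; then perm="${perm}w"; else perm="${perm}-"; fi
    if [ $(( bits & 1 )) -ne 0 ]; then perm="${perm}x"; else perm="${perm}-"; fi
    printf '%s\n' "$perm"
}

# 3. The post's steps as one function.  Run as root after /home has been
#    remounted with acl; if it has not, setfacl fails with
#    "Operation not supported", which is the quickest check that the
#    fstab change took effect.
setup_shared_dir() {
    dir=$1
    grp=$2
    chgrp -R "$grp" "$dir"
    # setgid on the directories only (the post's chmod -R also sets it on files)
    find "$dir" -type d -exec chmod g+s '{}' +
    # default entry, inherited by files and subdirectories created later
    setfacl -d -m "group:$grp:rw" "$dir"
    # the same entry on the tree that already exists
    setfacl -R -m "group:$grp:rw" "$dir"
    # the directory should now list a "default:group:$grp:rw-" line
    getfacl -p "$dir"
}

# Usage (as root): sh this_script.sh /home/common rghnlw
if [ $# -eq 2 ]; then
    setup_shared_dir "$1" "$2"
fi
```

The interesting results are the ones from effective_group_perm: a file created by touch or an editor (mode 0666 requested) gets rw- for group rghnlw, but a photo copied in with cp keeps its source's group bits, so a 0644 source yields a mask of r-- and the group entry is read-only. Re-running the `setfacl -R -m` line (or `chmod -R g+w`) raises the mask on such files. A new subdirectory (mkdir asks for 0777) gets rw- from the named entry; traversal into it still works because setgid has made rghnlw its owning group and the inherited group::r-x entry carries the x.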
