Folder Permissions


jebise

Apr 7, 2012, 1:56:00 AM
to al...@googlegroups.com
Having some trouble with new folders that are created. I have 3 groups (users, advanced and admin). The admin group has RW access to everything as it should, advanced group has RW access to certain folders (media folders) and the user group only has read access to everything (seems like ALT-F default?).

The problem I'm having is there are 2 accounts that are part of the advanced group, but whenever any of the advanced users creates a new directory in the media folder the permissions are incorrect: the owner is the account that created the directory but the group is set to users, and so I have to manually go in and change the group from users to advanced so that all other members of the advanced group can make changes.

Is there any way that I can give the users group RW access to all new sub folders that are created, so that I can delete the advanced group, or have it set that any sub folders/files that are created under the media folder have the group set to advanced by default?

Joao Cardoso

Apr 9, 2012, 3:34:22 PM
to al...@googlegroups.com


On Saturday, April 7, 2012 6:56:00 AM UTC+1, jebise wrote:
> Having some trouble with new folders that are created. I have 3 groups (users, advanced and admin). The admin group has RW access to everything as it should, advanced group has RW access to certain folders (media folders) and the user group only has read access to everything (seems like ALT-F default?).
>
> The problem I'm having is there are 2 accounts that are part of the advanced group, but whenever any of the advanced users creates a new directory in the media folder the permissions are incorrect: the owner is the account that created the directory but the group is set to users

"users" is the *main* group of all users, that's why. As the "Folder Owner and Group and Access Permissions" Help page says:

A user belongs to a main group and, optionally, to one or more secondary groups.

Currently, when using the Alt-F "Users and Groups" web page, a user can't be removed from its "main" group and put in another "main" group, and perhaps that is what you want?

And how do those users create the folders? Using samba? ftp? the command line? Each one has different ways to set new directories' permissions.

When using samba, you might want to set the "Inherit Perms" checkbox on the share (when using the Samba setup web page), after setting the desired permissions on the parent folder. As the smb.conf man page says:

       inherit permissions (S)

           The permissions on new files and directories are normally governed by create mask,
           directory mask, force create mode and force directory mode but the boolean inherit
           permissions parameter overrides this.

           New directories inherit the mode of the parent directory, including bits such as
           setgid.

           New files inherit their read/write bits from the parent directory. Their execute bits
           continue to be determined by map archive, map hidden and map system as usual.

           Note that the setuid bit is never set via inheritance (the code explicitly prohibits
           this).

           This can be particularly useful on large systems with many users, perhaps several
           thousand, to allow a single [homes] share to be used flexibly by each user.

           Default: inherit permissions = no


When using ftp, or another protocol, things are different; you have to search for it.

When using the command line, you might want to check 'umask', or set the 'execute bit' on the parent directory. This is a complex matter, the man page for mkdir (the system programming call, not the shell command) says:

       mkdir() attempts to create a directory named pathname.

       The argument mode specifies the permissions to use.  It is modified by the process's umask
       in the usual way: the permissions of the created directory are (mode  &  ~umask  &  0777).
       Other  mode  bits of the created directory depend on the operating system.  For Linux, see
       below.

       The newly created directory will be owned by the effective user ID of the process.  If the
       directory  containing  the  file  has  the  set-group-ID bit set, or if the file system is
       mounted with BSD group semantics (mount -o bsdgroups or, synonymously mount -o grpid), the
       new directory will inherit the group ownership from its parent; otherwise it will be owned
       by the effective group ID of the process.

       If the parent directory has the set-group-ID bit set then so will the newly created
       directory.

By default, Alt-F users' home directories are created with 'rwx--s--x' permissions.

> and so I have to manually go in and change the group from users to advanced so that all other members of the advanced group can make changes.
>
> Is there any way that I can give the users group RW access to all new sub folders that are created, so that I can delete the advanced group, or have it set that any sub folders/files that are created under the media folder have the group set to advanced by default?

Please state first how such folders are created (protocol) and where (sub-folders of the user's home folder? sub-folder of Public? what are the parent folder permissions?)

jebise

Apr 13, 2012, 12:03:49 AM
to al...@googlegroups.com
All directories are created using samba. I checked inherit permissions in the samba settings and at first it seemed like it made no difference. The owner is the user that created the folder and the group is still "users". But at least the folder permissions are now inherited; feel dumb for not seeing that option.

Yes, I would like to remove these users from the "users" and put them in the "advanced" group because this somewhat defeats the security of the folder, because now any user that is in the "users" group can modify the folder and its content unless the group of the folder is changed from user to advanced manually from the web interface.

Joao Cardoso

Apr 13, 2012, 11:22:06 AM
to al...@googlegroups.com


On Friday, April 13, 2012 5:03:49 AM UTC+1, jebise wrote:
> All directories are created using samba. I checked inherit permissions in the samba settings and at first it seemed like it made no difference. The owner is the user that created the folder and the group is still "users". But at least the folder permissions are now inherited; feel dumb for not seeing that option.
>
> Yes, I would like to remove these users from the "users" and put them in the "advanced" group because this somewhat defeats the security of the folder, because now any user that is in the "users" group can modify the folder and its content unless the group of the folder is changed from user to advanced manually from the web interface.

From a careful reading of my (edited) post:

samba:
   New directories inherit the mode of the parent directory, including bits such as setgid.
mkdir:
   If the newly created directory has the set-group-ID bit set, the
   new directory will inherit the group ownership from its parent;

So, I have created a directory named "foo" and changed its group to "xpto". Then I set its gid at the command line using

   chmod +s foo

Then, using samba, I created a sub-directory of "foo" named "New Folder", and guess what, its group is "xpto":

# pwd
/Public/RW

# ls -l
 ...
 drwsrwsrwx    3 root     xpto          4096 Apr 13 16:02 foo

# ls -l foo
 drwxrwsrwx    2 jcard    xpto          4096 Apr 13 16:02 New Folder

Notice that the "foo" directory has an "s" bit in its permission bits (drwsrwsrwx); that is the key.

You still need to change the parent folder group and to issue the first "chmod +s" command, but afterward all sub-directories will be owned by group "xpto".

Is this what you want? 

It is nearly impossible to create an interface that will satisfy all needs, as each case is different. When I wrote the "Folder Ownership and Access permissions" page, I pondered if allowing a "setgid" checkbox would be useful, but I found that it would further complicate an already complex subject. And I have not even thought of providing ACL (access control list), which enables a much more fine-grained permissions control.
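
The setgid behaviour shown in the "foo" / "New Folder" session above, as an added example that is not part of the original thread: a shell script (Linux semantics assumed) that rebuilds the case in a throwaway directory with `chmod g+s`, then audits the tree for sub-directories that have the wrong group or lack the setgid bit. The function names and the `media` / `legacy` folder names are constructed for illustration.

```shell
#!/bin/sh
# Added example (Linux semantics): setgid on the parent makes new
# sub-directories inherit its group, as in the "foo"/"New Folder" session.

# Print "<gid> <setgid|nosetgid>" for a directory, parsed from `ls -ldn`.
dir_info() {
    ls -ldn -- "$1" | awk '{ s = substr($1, 7, 1)
        print $4, ((s == "s" || s == "S") ? "setgid" : "nosetgid") }'
}

# Prefer one of our secondary groups so the inheritance is visible;
# fall back to the primary gid when the account has no other group.
pick_gid() {
    primary=$(id -g)
    for g in $(id -G); do
        if [ "$g" != "$primary" ]; then echo "$g"; return 0; fi
    done
    echo "$primary"
}

# Audit: list directories under $1 whose group is not $2 or that lack the
# setgid bit; anything created inside those gets the creator's main group.
audit_share() {
    find "$1" -type d \( ! -group "$2" -o ! -perm -2000 \) -print
}

# Build a throwaway tree (constructed sample data) and report on it.
demo() {
    top=$(mktemp -d) || return 1
    gid=$(pick_gid)
    mkdir "$top/media"
    # chgrp can fail for unmapped gids in containers; keep the primary gid then
    chgrp "$gid" "$top/media" 2>/dev/null || gid=$(id -g)
    chmod 770 "$top/media"
    chmod g+s "$top/media"        # setgid only; `chmod +s` also sets setuid
    mkdir "$top/media/New Folder" # inherits group and setgid from parent
    mkdir "$top/media/legacy"
    chmod g-s "$top/media/legacy" # simulate a folder made before the fix
    echo "parent: $(dir_info "$top/media")"
    echo "child:  $(dir_info "$top/media/New Folder")"
    echo "flagged: $(audit_share "$top/media" "$gid" | sed "s|^$top/||")"
    rm -rf "$top"
}

demo
```

Running `audit_share` on the real media folder with the group `advanced` lists the directories created before the setgid bit was set; those still need a one-time `chgrp` and `chmod g+s`.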

