On Fri, 26 Feb 2021 11:58:00 +0100, K Venken wrote:
> I have a number of students who need to cooperate in (different)
> groups. The obvious solution would be to set up a group for each as
> shared folder. Each shared group has a dedicated user with the same name
> (for convenience).
[...]
> Then the idea was to assign and protect all files in this folder to this
> shared group
[...]
> And finally add the different members to this group:
[...]
> Unfortunately, this does not work. If student1 creates a file in
> /export/shared/groups/carbon, it will be owned by group carbon but not
> by user carbon.
[...]
> The file is still owned by student1 and can not be edited by student2.
[...]
> The intention is to have all files in this directory also to be owned by
> this dedicated (carbon) user.
[snip]
"Also owned"? As a file can have only /one/ UID owner, how do you see
files in this shared directory being "owned"?
ISTM that you haven't clearly explained what problem you are trying to
solve, and are looking in the wrong direction for a solution.
Here's what I gleaned from your post; correct me if I am wrong...
You want to facilitate a team effort, in which all members of the team
have the ability to alter selected files, each of which may be created by
other team members.
You have not found a simple method to enable this sort of collaboration.
You have looked at placing all the members of the team in a single unix
group, but have found that files created by individual members still
carry permission bits that may exclude other group members from altering
the file.
You looked at restricting the unix group to saving files in a specially-
crafted rendezvous directory, which is marked SETGID, and follows BSD
semantics. But, this only ensures that all files written to this
directory are owned by the GROUP owner. It does not enforce your
preferred set of group permissions to permit other members of the group
to alter the contents of the file.
You are casting about for a way to ensure that no file in the directory
has permission settings that would restrict members of the group (other
than the file owner) from altering the file.
You ask if there is some way that you can ensure that all files in this
rendezvous directory are owned by a specific user; I have reason to
believe that, should this be possible, it would only make your situation
worse. Files have only /one/ UID owner; to make it such that all files in
your rendezvous directory are /owned/ by the directory's UID owner is to
ensure that none of those files are owned by their creators. Which makes
the USER permissions moot; none in the group "owns" the file, so USER
permissions don't apply.
So, group members will have to depend on each file's GROUP permissions to
permit their access and alteration; exactly the situation you are in
without having all files "owned" by the directory's UID owner.
Of course, there is a workaround for your "directory UID owns all the
files" dilemma: each user in the group must "su" to become the "directory
UID" user. And, this solution has its own complications and issues.
Of course, you could just "bite the bullet", leave things as they are now
(all team members belong to same unix group, directory owned by group
with BSD setgid semantics), and dictate that each team member must ensure
that any file to be "shared" has GROUP WRITE access.
FWIW, you might look at setting the "sticky bit" on your rendezvous
directory: that would ensure that "a file in that directory can be
renamed or deleted ONLY by the owner of the file, by the owner of the
directory, or by a privileged process".
HTH
--
Lew Pitcher
"In Skills, We Trust"
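An added example, not from either message in the thread, showing in shell what Lew describes: a setgid (BSD-semantics) directory fixes the GROUP owner of new files, but the group-write bit comes from each creator's umask, so "shared" files still depend on the creator. Directory and file names are made up; the optional sticky bit is the one Lew mentions.

```shell
#!/bin/sh
# Added example (not from the thread). Assumes POSIX sh with ls, awk,
# cut, mkdir, chmod, umask. Paths such as carbon.* are constructed.

# Create a rendezvous directory: setgid (new files inherit its group),
# group-writable; sticky bit optional (restricts rename/delete to owner).
setup_shared_dir() {
    dir=$1; sticky=${2:-no}
    mkdir -p "$dir"
    if [ "$sticky" = yes ]; then chmod 3775 "$dir"; else chmod 2775 "$dir"; fi
}

# 10-character mode string of a path, e.g. drwxrwsr-x (GNU and BSD ls).
mode_of() { ls -ld "$1" | cut -c1-10; }

# Group owner of a path (4th column of ls -l).
group_of() { ls -ld "$1" | awk '{print $4}'; }

# Create a file under a given umask and print its mode string. The group
# is taken from the setgid directory; the permission bits are not.
create_with_umask() {
    ( umask "$2"; : > "$1" )   # subshell so the umask does not leak
    mode_of "$1"
}

# Exit 0 if the file's GROUP has write permission, 1 otherwise. This is
# the check each team member would otherwise have to make by hand.
is_group_writable() {
    case "$(mode_of "$1")" in
        ?????w????) return 0 ;;
        *)          return 1 ;;
    esac
}

demo() {
    d=${TMPDIR:-/tmp}/carbon.$$
    setup_shared_dir "$d" yes
    echo "dir:       $(mode_of "$d")  group=$(group_of "$d")"
    echo "umask 022: $(create_with_umask "$d/notes.txt" 022)  group=$(group_of "$d/notes.txt")"
    echo "umask 002: $(create_with_umask "$d/shared.txt" 002)  group=$(group_of "$d/shared.txt")"
    is_group_writable "$d/notes.txt" || echo "notes.txt: student2 cannot edit"
    is_group_writable "$d/shared.txt" && echo "shared.txt: group can edit"
    rm -rf "$d"
}
```

Run `demo` to see both files carry the directory's group while only the umask 002 file is group-writable.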