I have a problem with a group writable directory. Scenario: I have a
directory that needs to be able to allow group read, write, delete,
modify, and the group should own all files/subdirectories therein.
Should be easy, right? FWIW, this is on SuSe 10.2 Server.
I created a group to contain all of the users, named testgroup.
groupadd testgroup
I then created a series of users to add to the testgroup:
useradd -G testgroup -md /home/testuser1 testuser1
...
Then, I created the directory all need to be able to read and write to:
md /home/testdir
chgrp -R testgroup /home/testdir
chmod g+w /home/testdir
ls -al /home
drwxrwxr-x 2 nrogers testgroup 48 2009-06-15 23:12 testdir
I've tried setting sticky bits and setgid bits on testdir, and I still
have to manually go in and change ownership, and delete/modify aren't
working. Any thoughts? What's the best way to do this other than a
cron that runs every 5 minutes?
I would first try using acls instead. But I have had a similar
situation where I needed to enforce a bit more complex permission
structure and I had a horrible time getting the inheritance to work
out right. I ended up writing a small python daemon that watched for
inotify events and fired off aubprocesses to fix permissions. Since I
was monitoring with inotify it only fired off the subprocess when a
file was created or moved. Im not a developer so the code is probably
ugly but it worked last time I tried it. If you want it let me know
and I'll try to dig it up.
On Jun 15, 2009, at 11:17 PM, Nick Rogers <nro...@gmail.com>
> working. Any thoughts? What's the best way to do this other than aI would first try using acls instead.
> cron that runs every 5 minutes?
I'm curious why you'd go the route of ACLs when the OP's requirement is specifically the situation the group sticky bit is designed for.# chgrp project /path/to/directory# chmod 2775 /path/to/directoryAnd place everyone you want to have permissions to that location in the 'project' group.Is your need for ACLs related to having a more complex permissions scheme?
My initial reason for using ACLs was because I had a more complex
permissions schema. But after using ACLs for a while almost any time I
need to give different permissions based on group or user I default to
ACLs. Its simpler for me to just use the same thing all the time. Since I
am already using ACLs if I need to do something more interesting
permission wise its not a "chore" to do so.
Assuming the tree of files starts at /mnt/share, and the name of the
group you want to have controll is groupnamehere, run these comands:
find /mnt/share -type d -exec chmod -c g+rwxs,uo-rwxst '{}' \;
find /mnt/share -type f -exec chmod -c g+rw,uo-rwxst '{}' \;
chgrp groupnamehere -c -R /mnt/share
You can further put them in a cronjob, and they will only send you an
email if there have been some deviations from the permissions schema
which you should probably investigate. Also, be advised the above
lines remove permissions from 'others'.
> Then, I created the directory all need to be able to read and write to:
> md /home/testdir
> chgrp -R testgroup /home/testdir
> chmod g+w /home/testdir
> ls -al /home
> drwxrwxr-x 2 nrogers testgroup 48 2009-06-15 23:12 testdir
>
> I've tried setting sticky bits and setgid bits on testdir, and I still
> have to manually go in and change ownership, and delete/modify aren't
> working. Any thoughts? What's the best way to do this other than a
> cron that runs every 5 minutes?
SGID directories and changing the default permissions mask is the
correct way to go about this. You shouldn't ever have to change the
UID of files and new files will inherit the GID of their parent
directory if the new files are created by a user who was a member of
that GID when he/she logged in. The UID of files in this scenario
will only be relevant for determining who created the file.
As a few people have mentioned so far, Posix ACLs (setfacl and
getfacl) offer quite a bit of flexibility. They however do tend to
make things harder to remember or understand later. They also require
the support for extended attributes which is less of a problem these
days, but something to think about. Rsync didn't used to be able to
copy xattrs.
Setting the umask is less than ideal because it affects more than the
specific trees of directories you have in mind. You can either change
everyone's umask for all things, or just some users for all things.
GNU+Linux does not implement recursive permissions or ownership, at
all. The closest thing to it is setting sgid on a directory. This
causes all newly created files and directories within that directory
to be created with the same groupID as their parent if the user
creating them is a member of that group, and with their sgid bit set
if they are a directory.
> I then created a series of users to add to the testgroup:
> useradd -G testgroup -md /home/testuser1 testuser1
I would also advise against assigning a special purpose group as a
user's primary group. Instead, create the user first, and them to the
group. Trust your defaults unless you completely understand, and
disagree with them.
useradd testuser1
usermod -G testgroup -a testuser1
> I created a group to contain all of the users, named testgroup.
> groupadd testgroup
Think of groups as access lists, not as groups of people. (i.e.
create one group per distinct resource, not one group per department
in the company) Groups can not contain other groups.
If your users are working with this directory through cifs, samba
gives exceptional control over how they may interact on a per-share,
per filetype basis. This includes masking permissions.
create mask = 0660
directory mask = 2770
force create mode = 0660
force directory mode = 2770
That would have the same effect as using umask, but only on that share.
----------snip--------------
postgres=# create database dspace;
CREATE DATABASE
postgres=# \l
List of databases
Name | Owner | Encoding
-----------+----------+----------
dspace | postgres | UTF8
postgres | postgres | UTF8
template0 | postgres | UTF8
template1 | postgres | UTF8
(4 rows)
postgres=# GRANT ALL ON dspace.* TO dspace@localhost IDENTIFIED BY "mypassword";
ERROR: syntax error at or near "TO"
LINE 1: grant all on dspace.* to dspace@localhost identified by "dsp....
----------------snip---------------
Thanks!
--
Greg Lawson
Rolling Hills Consolidated Library
1912 N. Belt Highway
St. Joseph, MO 64506
Maybe try:
GRANT ALL ON dspace TO dspace@localhost IDENTIFIED BY "mypassword";
Notice I removed the .* after dspace.
More info at: http://www.postgresql.org/docs/8.1/static/sql-grant.html
Jonathan
Err.
Before you do the grant statement you probably need to create that user:
http://www.postgresql.org/docs/8.3/interactive/app-createuser.html
http://www.postgresql.org/docs/8.3/interactive/sql-grant.html
GRANT ALL PRIVILEGES ON dspace TO dspace;
http://www.revsys.com/talks/kulua/basic-postgresql/basic-postgresql-administration.pdf
Jonathan
Can anyone help me with some postgresql syntax?
postgres=# GRANT ALL ON dspace.* TO dspace@localhost IDENTIFIED BY "mypassword";
ERROR: syntax error at or near "TO"
LINE 1: grant all on dspace.* to dspace@localhost identified by "dsp....
Can anyone help me with some postgresql syntax?
postgres=# GRANT ALL ON dspace.* TO dspace@localhost IDENTIFIED BY "mypassword";
ERROR: syntax error at or near "TO"
LINE 1: grant all on dspace.* to dspace@localhost identified by "dsp.....
I would also advise against assigning a special purpose group as a
user's primary group. Instead, create the user first, and them to the
group. Trust your defaults unless you completely understand, and
disagree with them.
useradd testuser1
usermod -G testgroup -a testuser1
No, I actually meant that I recommend not messing with the primary
group, and just adding them to a secondary group for each resource
they should be allowed to access. In my mind, if business logic could
dictate they need access to some resource today, they will likely
eventually need equal access to some other resource in the future.
No, I actually meant that I recommend not messing with the primary
> Your syntax is off. -g is the primary group, -G is the secondary group. He
> was assigning them correctly in his original post.
group, and just adding them to a secondary group for each resource
they should be allowed to access. In my mind, if business logic could
dictate they need access to some resource today, they will likely
eventually need equal access to some other resource in the future.
If you're created the database already you just need to do:
CREATE USER dspace PASSWORD 'secret';
User's have passwords, for the system as a whole, not a particular
database which might be confusing you. You control which users can
access what databases ( and from where ) by editing pg_hba.conf in
your PostgreSQL data directory.
Hope that helps!
Can see their man pages.
I personally think the postgresql documentation for sql syntax is great
though.