views: 940
answers: 4

I have a bunch of long-running scripts and applications that are storing output results in a directory shared amongst a few users. I would like a way to make sure that every file and directory created under this shared directory automatically had u=rwx,g=rwx,o=r permissions.

I know that I could use umask 006 at the head of my various scripts, but I don't like that approach as many users write their own scripts and may forget to set the umask themselves.

I really just want the filesystem to set newly created files and directories with a certain permission if it is in a certain folder. Is this at all possible?

Update: I think it can be done with POSIX ACLs, using the Default ACL functionality, but it's all a bit over my head at the moment. If anybody can explain how to use Default ACLs it would probably answer this question nicely.

+2  A: 

To get the right ownership, you can set the group setuid bit on the directory with

chmod g+rwxs dirname

This will ensure that files created in the directory are owned by the group. You should then make sure everyone runs with umask 002 or 007 or something of that nature---this is why Debian and many other Linux systems are configured with per-user groups by default.

I don't know of a way to force the permissions you want if the user's umask is too strong.

Norman Ramsey
A: 

Well, that really depends on the file system. You won't find a file system in the kernel that does not obey the umask settings given by the user, except in special cases like versioning file systems where files in the past are treated as immutable.

So, in essence, use umask .. or write a FUSE wrapper that does what you want. Even if you set the sticky bit, the owner's last call to umask is what the file system is going to obey.

What I'm not sure of is, does the setuid/setgid bit count as the owner when the umask is modified? I.e. if /bin/foo is setuid 0, and uid 5003 runs it, I think the sticky bit would prevail on any files that /bin/foo modifies as root for uid 5003.

Edit: as others have mentioned, POSIX ACLs might be useful. Here is a good tutorial on getting to know and use them. The problem with ACLs (especially on older installs) is that they may not be turned on for any given FS that supports them; likewise some file systems support only very small access lists.

Tim Post
+1  A: 

It's ugly, but you can use the setfacl command to achieve exactly what you want.

On a Solaris machine, I have a file that contains the ACLs for users and groups. Unfortunately, you have to list all of the users (at least I couldn't find a way to make this work otherwise):

user::rwx
user:user_a:rwx
user:user_b:rwx
...
group::rwx
mask:rwx
other:r-x
default:user:user_a:rwx
default:user:user_b:rwx
....
default:group::rwx
default:user::rwx
default:mask:rwx
default:other:r-x

Name the file acl.lst and fill in your real user names instead of user_X.

You can now set those ACLs on your directory by issuing the following command:

setfacl -f acl.lst /your/dir/here
innaM
Can you leave off the user list if they are all members of the same group, and just use the group permissions?
David Dean
I was asking myself the same question. It's been a while since I set this up. But every time I get a new user (in the same group as the others), I forget to update the list and I'll get complaints about the new user not being able to write/delete files. So the answer is: No, you can't.
innaM
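Added example, not code from any of the posters above: a script that puts the two approaches in this thread side by side on Linux. The first function does what Norman Ramsey's answer describes (setgid directory, nothing else) and shows that a strict umask in the creating process still wins, which is the limitation his answer notes. The second does what the question's update asks about: a default ACL set with `setfacl -d`, which replaces the umask for everything created below the directory. On Linux the default ACL can consist of just the three base entries (owner, group, other), so no per-user list of the kind the Solaris answer needs is required; that is a Linux statement and says nothing about Solaris. Assumptions that are not from the page: GNU coreutils (`stat -c`, `mktemp`), the `acl` package for `setfacl`/`getfacl`, and an ACL-enabled filesystem under the temp directory; the default-ACL part is skipped when those are missing. All paths and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the original thread): setgid-only directory versus a
# default ACL on Linux. Assumed, not from the page: GNU coreutils, the acl package,
# an ACL-capable filesystem for $(mktemp -d). Paths below are made up for the demo.
set -eu

# 0 if setfacl works on a scratch file here, 1 if the tools are missing or the
# filesystem rejects ACLs (e.g. mounted without acl support).
acl_supported_here() {
    command -v setfacl >/dev/null 2>&1 || return 1
    command -v getfacl >/dev/null 2>&1 || return 1
    probe=$(mktemp) || return 1
    if setfacl -m u::rw- "$probe" 2>/dev/null; then
        rm -f -- "$probe"
        return 0
    fi
    rm -f -- "$probe"
    return 1
}

# Create a file and a subdirectory inside $1 from a subshell with a deliberately
# strict umask (077), the "user forgot the umask" case from the question, and
# print "<file mode> <dir mode>" in octal. The caller owns the cleanup.
create_under_strict_umask() {
    ( umask 077; : > "$1/output.log"; mkdir "$1/run1" )
    printf '%s %s\n' "$(stat -c %a "$1/output.log")" "$(stat -c %a "$1/run1")"
}

# Norman Ramsey's approach: setgid bit only. New entries take the directory's group
# and subdirectories inherit the setgid bit, but umask 077 still strips the group
# and other bits from both: expect "600 2700".
mode_with_setgid_only() {
    share=$(mktemp -d)
    chmod 2774 "$share"            # u=rwx,g=rwx,o=r plus setgid
    result=$(create_under_strict_umask "$share")
    rm -r -- "$share"
    printf '%s\n' "$result"
}

# The question's requirement via a default ACL made only of the three base entries.
# With a default ACL present the kernel intersects the requested mode with the ACL
# instead of applying the umask: files come out 664 (no x, because creat() asks
# for 0666) and subdirectories 2774. Expect "664 2774".
mode_with_default_acl() {
    share=$(mktemp -d)
    chmod 2774 "$share"            # access bits and setgid as above
    setfacl -d -m u::rwx,g::rwx,o::r-- "$share"
    result=$(create_under_strict_umask "$share")
    rm -r -- "$share"
    printf '%s\n' "$result"
}

# Stand-alone run.
printf 'setgid only, umask 077 (file dir): %s\n' "$(mode_with_setgid_only)"
if acl_supported_here; then
    printf 'default ACL, umask 077 (file dir): %s\n' "$(mode_with_default_acl)"
else
    echo 'setfacl unavailable or ACLs unsupported here; default-ACL demo skipped'
fi
```

Two caveats worth knowing before applying this to a real shared directory: a default ACL decides the group and other bits but cannot add a bit the creating call did not ask for, so ordinary files still lack x; and `o=r` on a directory (what the question literally asks for) lets others list names but not enter or read the files, since the directory lacks `o=x`. `getfacl /the/dir` shows the `default:` entries that were set.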
+1  A: 

Check the link below; I explained it there with an example.

Can you inherit file permissions from parent directory

kvmreddy