Wednesday, August 6, 2008

Working with Groups and Shared Directories.

There are three special permissions that can be set on files and folders,
namely the Sticky Bit, 1770 (+t), the Set Group ID (sgid), 2770 (g+s), and the Set User ID (suid), 4770 (u+s).

The Sticky Bit and the sgid permissions are useful to set on folders that are shared and accessed by a group of users.

I will explain the suid permission in another post, since it is not relevant to this topic.

Sticky Bit:

The sticky bit sets permissions on a directory so that only the owner of a file is able to delete the file.
When the sticky bit is set, users are only allowed to delete files that they created.
To set the sticky bit on a folder, simply type
chmod 1770 /folder_name
or
chmod +t /folder_name

e.g. chmod 1770 /marketing
or chmod +t /marketing

This would mean that every file created in the /marketing folder can only be deleted by the user who created that file.

Set Group ID (Sgid):

The sgid permission set on a directory will ensure that every file that is created inside that directory will inherit its group from the directory's group and not from the person who created the file. This is essential in shared directories, as it allows all users who are part of the group to have access to the files in the directory. An FTP shared directory, for example, would have the sgid permission set so that all files uploaded into the FTP folder would inherit the group's permission and not the permissions of the person who uploaded the file.

To set the sgid on a directory, simply type

chmod 2770 /folder_name
or
chmod g+s /folder_name

e.g. chmod 2770 /marketing
or chmod g+s /marketing

It makes sense to set both the sticky bit and the sgid on a group directory. To set both permissions on the same directory, type
chmod 3770 /folder_name
e.g. chmod 3770 /marketing

Let's demonstrate this in a real-life scenario. We need to set up a group and a shared folder called Marketing, and we want clive, jenny, ian and anthony to all have access to the Marketing folder.
We need them all to be able to save files into the folder and to edit their own files, but we do not want them to be able to delete each other's files.

First we need to create the marketing folder

mkdir /marketing

Next we need to create the marketing group that clive, jenny, ian and anthony are all part of. A quick way to do this is to type
groupadd marketing
and then edit your /etc/group file and, where you find marketing:x:501:, add the users, separated by commas, that you want to have access to the group (the users must exist on the system)
like so
marketing:x:501:clive,jenny,ian,anthony
Next assign no specific user and the marketing group to have ownership of the folder. Type
chown nobody:marketing /marketing
Next we want to assign the sticky bit as well as the sgid to the /marketing folder, so that all files created in the /marketing folder are accessible by everybody who is part of the marketing group,
but only users who created the files are able to delete them.
Type chmod 3770 /marketing

Done.
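
To confirm the result, the check below reads the mode string printed by ls -ld (drwxrws--T for mode 3770) and verifies that the sgid and the sticky bit are set and that users outside the group have no access. It is an added example, not part of the original post; the function name audit_shared_dir is made up for illustration.

```shell
#!/bin/sh
# Added example: audit a shared group directory against the 3770 layout.
# Usage: audit_shared_dir DIR [GROUP]
# Prints one line per finding; returns 0 if DIR matches, 1 otherwise.
audit_shared_dir() {
    dir=$1
    want_group=${2:-}
    rc=0
    if [ ! -d "$dir" ]; then
        echo "FAIL $dir: not a directory"
        return 1
    fi

    # For mode 3770, ls -ld prints "drwxrws--T ... owner group ...".
    listing=$(ls -ld "$dir")
    mode=$(printf '%s\n' "$listing" | cut -c1-10)
    group=$(printf '%s\n' "$listing" | awk '{print $4}')

    # Column 7 is the group-execute slot; "s" or "S" there means setgid is on.
    case $(printf '%s' "$mode" | cut -c7) in
        s|S) ;;
        *) echo "FAIL $dir: setgid missing, new files keep the creator's group"; rc=1 ;;
    esac

    # Column 10 is the other-execute slot; "t" or "T" there means sticky is on.
    case $(printf '%s' "$mode" | cut -c10) in
        t|T) ;;
        *) echo "FAIL $dir: sticky bit missing, members can delete each other's files"; rc=1 ;;
    esac

    # Columns 8-10 must show no access for others: "---" or "--T".
    case $(printf '%s' "$mode" | cut -c8-10) in
        ---|--T) ;;
        *) echo "FAIL $dir: users outside the group have access ($mode)"; rc=1 ;;
    esac

    # Optional: the directory must belong to the expected group.
    if [ -n "$want_group" ] && [ "$group" != "$want_group" ]; then
        echo "FAIL $dir: group is $group, expected $want_group"
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK $dir: $mode group=$group"
    return "$rc"
}
```

For the folder set up above, run it as: audit_shared_dir /marketing marketing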
