We have two users:
user1
user2
They both belong to the group 'admin'.
We have a directory that has been set to 775. The directory's group has been changed to 'admin'. Each user has full access to write into that directory, though when a user writes a new file to the directory, the group permissions of the folder are not persisted to the file that was written.
How should we make it so that files inherit the directory's group permissions?
Clarification: when a new file or directory is written, it uses the users' group as the group of the new file, rather than that of the directory, which makes sense - but how do I not make that happen?
You can propagate group permissions by setting the directory's setgid bit (chmod g+s). This may not be portable across all *nixes and all file systems.
http://en.wikipedia.org/wiki/Setuid#setgid_on_directories
http://www.gnu.org/software/coreutils/manual/html_node/Directory-Setuid-and-Setgid.html
If you are using ext3 or ReiserFS, this page about creating a Linux file server may help. Specifically step 7 suggests the following command.
setfacl -d -m g:sales:rw /groups/sales
I think you should look here.
As the site says, "Unix doesn't support the idea of inherited permissions."
However, there is a section on ACLs (Access Control Lists), which I think is what you are looking for. By setting up an ACL, you can have your files inherit the same ACL from the directory, which I think is what you are asking for. setfacl is the shell command that will be what you need to look into.
Hope that helps!
Related
How can I prevent .git/index from constantly changing its permissions and ownership?
I run ls -al .git/index and see that the file is owned by root.
I change the permissions with sudo chown -R $USER:USER and sudo chmod -R 775 .git
I even tried deleting the lock file with rm -rf .git/index.lock
The permissions update but then a few minutes later they change back to being owned by root and 740 which breaks the git commands I'm attempting.
I set the global git config via Ansible so I'm wondering if that messed something up? Is there a global file I need to modify?
When Git writes the index, the way it does so is to create a new file called .git/index.lock (with O_EXCL), adjusts its permissions according to core.sharedRepository, and then rename it over top. Git does not offer a way to rewrite the file in place.
If this file is being created such that it's being owned by root, then root is creating the file because it's updating the index. That probably means that some process owned by root is modifying the working tree.
If that wasn't your intention, then the best thing to do is find that process and stop it from modifying the working tree. It's not a good idea for multiple users to modify the same working tree, and if your process owned by root is reading files out of the working tree and it's shared with another user, that could lead to a security vulnerability.
If you're certain what you're doing is safe and you want to modify the permissions with which files in the .git directory are created, you can use core.sharedRepository to set them. For example, you could use the value 0664. Note that Git will handle the executable bit automatically, and the index should not be marked executable.
If you want to always use the same group for your repository, you can set the setgid bit on all the directories in the repository and then set their group to the appropriate value. Assuming you also set core.sharedRepository to a value that makes things group writable, you can then modify the repository with any user in that group, and things should work. Note that this may still have security implications if one or more of those users are untrusted or have lower privileges, so you should be careful.
I am new to ansible and work on my setup. I see that the list of hosts is per default in /etc/anisble/hosts and changed with root privileges. In tutorials I have seen solutions with the host file in user space.
I would prefer to have all ansible setup under my home directory. What is the advantage of putting the hosts file in /etc respective the reason that the default location is there?
Thank you for clarification!
From a security perspective, putting it in the /etc directory is the safest initial option for a few reasons.
If Ansible defaulted to using an inventory file in the 'current directory' the playbook is executed in, then it would be easy for a bad actor to place an inventory file in other commonly used directories that are accessed by multiple people (such as /tmp, /var/tmp, etc). If they succeeded in getting someone to execute a playbook in that directory, it could perform additional actions the user didn't expect.
If Ansible default to using an inventory file in your home directory, this could open up that user to exploits by someone sending them a malicious email attachment or other method to write a file in their home directory that they weren't expecting.
I have made a script for installing a control panel.
I've uploaded the script to a server so people can wget it to their machines.
The only issue is that you have to chmod it after download. Is there a way to remove this step? How would I go about keeping 755 perms on the downloaded script?
When a user downloads the file, the file will automatically get some default permission. In UNIX, each user will have a default set of permissions which apply to all files created by that user, unless you explicitly set it to something else.
This default is called the umask, after the command used to change it. It is either inherited from the login process, or set in the .shrc or .login file which configures an individual account, or it can be run manually.
Typically the default configuration is equivalent to typing 'umask 22' which produces permissions of:
-rw-r--r-- for regular files, or
drwxr-xr-x for directories.
In other words, user has full access, everyone else (group and other) has read access to files, lookup access to directories. As you see above, the execution access is not default for files.
Hence you need to explicitly change it.
I have a file created by oracle user with permission rw-r--r-- and the parent folder has rwxrwsr-x permission. Now, there is a requirement for batch user to edit this file. But, as you can see, the file can be edited only by the owner i.e Oracle user.
I tried using chmod command to change the permission of the file but batch user is not having permission to execute this command.
Is there any fix for this issue?
Can we do some configuration in UNIX so that it allows batch user to edit the file created by oracle user.
Edit: Corrected the parent folder permission. Earlier i mentioned it as rwxrw-r-x
The directory permissions for 'group' (rw-) are unusual (rwx or r-x would be more usual).
You don't identify which group the file belongs to, nor which group the directory belongs to, nor which group(s) the batch user belongs to, but it probably doesn't matter.
Update after quoted permissions on directory changed: Given that the group can read the file, and create files in the directory, then if your batch user belongs to the group that owns the directory, the batch user can make a copy of the file (in the editor), remove the original file, and write back a new file in the directory.
Does your system support ACLs (access control lists)? If so, then the 'oracle' user as the file owner could grant the batch user read/write access to the file even though the normal Unix permissions don't show that it could happen.
Can you persuade the 'oracle' user to create the file belonging to an appropriate group (one which the batch user also belongs to) and with appropriate group permissions.
If nothing works there, then you are reduced to SUID programs in some shape or form - maybe SUID 'oracle' or SUID 'root'. One option was mentioned in a comment - the sudo command with some vaguely appropriate arguments.
I notice you have the +s bit set on the directory.....
if you change the directory owner to that of the batch user the owner of any newly created files should be owned by that user and you can then do what you want with them
If your batch user is in the same group as the oracle user, you can do this:
chmod g+w filename
This should make the file writable for the group.
Run the UNIX command groups to determine which groups a user is in, or check /etc/passwd, /etc/group
I have a shared directory. The directory's groupid is dev and many users are members of the group dev.
Now I need to give all the files created under the folder to have the same permission say, rwxrwxr--.
How would I do that? One solution that came to my mind is:
I would need a 2 shell scripts executable by all members of the group. One script should change the umask after checking that the current directory's groupID is dev. The other should change the umask to the previous default value.
Please let me know how to do this in shell script.
You can avoid the use of shell scripts by applying a default POSIX ACL (Access Control List) to the shared directory. e.g. On linux:
setfacl -m d:u::rwx,d:g::rwx,d:o::r,d:g:dev:rwx /shared/dir
The default ACL applied to /shared/dir above overrides the user's umask setting when new files are subsequently created in /shared/dir. The following is cut from the acl(5) man page on linux:
OBJECT CREATION AND DEFAULT ACLs
The access ACL of a file object is initialized when the object is
created
with any of the creat(), mkdir(), mknod(), mkfifo(), or open()
functions.
If a default ACL is associated with a directory, the mode parameter
to
the functions creating file objects and the default ACL of the
directory
are used to determine the ACL of the new object:
The new object inherits the default ACL of the containing directory
as its access ACL.
The access ACL entries corresponding to the file permission
bits are modified so that they contain no permissions that are not
contained
in the permissions specified by the mode parameter.
Create a single shell script to copy files into the shared directory. In that shell script, set the permissions on the file after copying. Make sure the directory has the SGID bit set; all files created in the directory will automatically belong to the group that owns the directory - dev in your scenario. Note that MacOS X effectively always has the SGID bit set on directories; that is, when a file is created, its group is the group that owns the directory.
Chastise anyone who self-evidently does not use the shell script, leaving files with the incorrect permissions.
Worry about whether all files should be executable; documents should not.
Worry about whether all files should be writable; where is the version control system in all this?
(I'd be happier with 444 permissions on the files - except for the few programs where 554 might be sensible.)
The question of the title doesn't seem related to the question in the body, but to answer the question in the title:
id=$( stat -f %g directory )