I want to give specific users permissions to specific folders, with different levels of permissions (Read, Write, Execute) in Linux. And to do the same for some groups.
For example I want to give the user: sigmundlucas permissions (Read, Write) for promotional_material
Another example is that I want to give the group: testers permissions (execute) for development_project_data_directory
I need to do all of this from the root account as the folders in question don't allow permission to use chmod when signed into the user
I need to add that multiple groups/users need to access some of the files
This is normally accomplished with chown and groups!
Make some groups for you users to be members of
Then chown the directory to be :<group>
For example
groupadd mygroup # create a new group
usermod -aG mygroup myuser # add the group to the user's info
chown :mygroup target_directory # set the group to own the directory
chmod 770 target_directory # root and the group can enter/read/write
You can calculate the chmod with a website like https://chmod-calculator.com/ if you're not used to the numbers
Gotchas
directories need to be executable to be entered
users must be able to read all the intermediate paths to somewhere you want them to be able to write
Related
I have few directories with files on debian 9 system. I want to disable privilege to read these directories for everyone than owner, but I want to let some users list files in this directories only by my own script in bash.
I change privileges to directories and to my script but i get "permission denied" when i try using it. I understand why, but cant fix it.
OKAY after we had a small chat I understand the following:
that you (your user is called user0) have a directory with some files in it, and you have a special category of users (user1,user2...usern) on your machine that you want to give access to this folder. First you must create a group called for example "cowboys" witch the users who will be privileged to read, and execute the folder will add.
# create the group cowboys
groupadd cowboys
# add user1, user2, etc to the group
usermod -a -G cowboys user1 user2 .... usern
Lets admit your folder that you want to give access to is called "/somehow/there/dictionary"
So after you created the folder and joined it, you chown it to you and the group cowboys
chown user0:cowboys /somehow/there/dictionary
in the next step you must chmod the folder it in a way that you can read(400) write(200) and execute(100), cowboys can read(40) and execute(10) and rest of the word can nothing(0).
chmod 750 /somehow/there/dictionary
the last step is that you now must chmod the files in the derectory
1) The executable files you must chmod very similar to the way you chmod the folders, because folders need to have "executable" rights for one to "cd" in the folder
chmod 750 /somehow/there/dictionary/*
2) the non executable files you will chmod like this :
chmod 640 /somehow/there/dictionary/*
and this should do the trick.
I would like to share a folder called 'files' with user1 and user2 in my Linux account. Is there a way to set the authorizations to read write or execute for only these two users and keep it secure from other users?
To my knowledge, it is only possible to do this for a usergroup as a whole.
Thank you
If your Linux has a "modern" filesystem (ext3/ext4,... )you can achieve this with POSIX ACLs:
Enable ACLs for the FS. --> only required for ext3 and ext4 on kernels older than 2.6.38. All other FS with ACL-support have them automatically activated.
mount -o remount,acl /
tune2fs -o acl /dev/<partition>
Give user1 access to the folder files: (r/w/x)
setfacl -m user:user1:rwx /home/philipovic/files
Give user2 access to the folder files: (r/w/x)
setfacl -m user:user2:rwx /home/philipovic/files
If your linux does not support ACLs you have to create a group:
Create a group
Add the desired users to that group
chgrp the directory to that group, and give permissions with chmod:
chgrp groupname /home/philipovic/files
chmod g+rwx /home/philipovic/files
note: in the above examples we are using r/w/x permissions and therefore giving the users/group FULL controll! don't forgett to change them to the desired permission.
I was wondering if anyone could explain a bit on Linux permissions for me. I have two groups
Group A - Normal Users
Group B - File Changing group
I want group B to be pretty much exactly the same as group A other than group B are able to change 'message of the day' how could I set it so they have write access to MOTD and group A only have read access?
With ordinary UNIX u-g-o permissions, you can only assign a single UNIX group to any given file. In your case, since "normal users" presumably means "all users", you could just chmod the MOTD file to 664 (group read-write, all read-only), and chown it to root:file_changers (file owned by root, and assigned to the file_changers group).
With Linux ACLs, you can assign multiple groups to a file. Not all filesystems support ACLs. You can use setfacl to alter the permissions:
setfacl -m g:regular:r motd
setfacl -m g:file_changers:rw motd
Note that, in my opinion, ACLs can often be overkill. They can make permission management a hassle if you aren't prepared for them. Consider carefully if you need them; otherwise, stick to the simpler UNIX permission system.
Solution without ACL:s:
You can move the motd file in a directory that is readable by group A and make the file writable by group B. Then place a symlink in place from the original location to the new location.
Example (assuming motd is in /etc/motd):
# mkdir /etc/motd-dir
# mv /etc/motd /etc/motd-dir/
# chown groupA /etc/motd-dir
# chown groupB /etc/motd-dir/motd
# chmod 750 /etc/motd-dir
# chmod 664 /etc/motd-dir/motd
# ln -s /etc/motd-dir/motd /etc/motd
This solution requires that all members of group B must also belong to group A so they can access the directory.
I followed this link to change group/user permission to add my self to www-data group
but I am still unable to edit contents in /var/www , specially with uploaded content.
This is my development environments , I dont want to go to chmod /var/www/ each time there is an upload.
While keeping contents under /var/www what are the steps to change /var/www directory permissions to able to edit contents directly from and an IDE
My login account user and group name is debianaut:
groups www-data
www-data : www-data debianaut
groups debianaut
debianaut : debianaut www-data
I login/out after making these changes. It seems straight forward that if I am user of cretain group I should get whatever permissions they hold .
please help resolve this issue
I suspect your issue is the fact that the user account has more than one group, and the default group is not the one with write permission to that folder.
While Linux allows your user access to multiple groups, it does not provide access to all of them at once. Here are some options to address this:
Change the group used while running in a shell
Change the user's default logon group
Use ACLs
New Group in a Shell
In order to operate as a different user after starting a shell, use newgrp.
Change default Group
In order to change the user's default group, edit /etc/passwd, or use a command to do the job (not sure which command, and it probably differs from distribution to distribution).
ACLs
You will likely prefer to use ACLs. See the man pages for setfacl and getfacl. ACLs (access control lists) are expanded permissions. Not all Linux systems support them, but I would be surprised if your Debian system doesn't. The following should add read-write-execute permission for user debianaut to all of /var/www:
setfacl -R -m u:debianaut:rwx /var/www
By the way - you can check the group id of a running process (such as your IDE), use ps -o gid -p <pid>.
Inheriting ACLs
Following the post here lead to the answer for inheriting ACLs.
The answer is called default ACLs in the man page. The following will set the ACL for denianaut as the default for files created in /var/www:
setfacl -R -d -m u:debianaut:rwx /var/www
I think you should change your umask to 0002:
umask 0002
This could also be useful.
For me the problem has to do with joomla configuration. You need to change the default permissions for uploaded files. This link may help you: http://forum.joomla.org/viewtopic.php?t=286584
There are two relatively simple options, none of them should involve www-data -- you don't want the webserver to have unnecessary write access to your contents.
1) Just take ownershop of /var/www for your userid that will edit the files.
2) Establish a new group, make it one of your secondary groups, and make /var/www group-writable + setgid (chmod g+s) that new group. New files in the setgid dir will have their group set to the shared group.
I'm a little bit confused with Linux permissions. I'm configuring a Git Central Repository that the users access by SSH. I'm using Filesystem ACLs(link) and regular linux permissions. What I intend to do is:
Find a way in that only the users that I want will be able to list/read/write/execute the dir "/var/github" (in a way that I assign a group to the user that I want to give this kind of permissions)
The user "git" is the only user that can create new folders in "/var/github"
This is possible to do? Somes clues on how to do it?
Best Regards,
chown git:git /var/github; chmod 750 !$
Now only the group git can read the folder and only the user git can modify it.
You can use access control lists to grant access to multiple groups. Here's an example session (using Ubuntu, but it should be the same for CentOS) that gives the grp1 group read access and the grp2 group read, write and execute access:
$ touch foo
$ setfacl -m "g:grp1:r--,g:grp2:rwx" foo
$ getfacl foo
# file: foo
# owner: me
# group: me
user::rw-
group::r--
group:grp2:rwx
group:grp1:r--
mask::rwx
other::r--
Make sure that along with the user "git" that there is a "git" group. Add all the users to the group that you will give access to. Change the ownership properties of your directory to user and group git, and then the permission of 750. The ownership and mode commands are as follows:
chown git:git /var/github
chmod 750 /var/github
The permission of 750 lets the user do pretty much anything in the folder and only the members of the group "git" read and possibly execute in that folder. What programs and commands you use for your user management is up to you.