Linux group permissions? - linux

I was wondering if anyone could explain a bit on Linux permissions for me. I have two groups
Group A - Normal Users
Group B - File Changing group
I want group B to be pretty much exactly the same as group A, other than that group B is able to change the 'message of the day'. How could I set it so that they have write access to the MOTD and group A only has read access?

With ordinary UNIX u-g-o permissions, you can only assign a single UNIX group to any given file. In your case, since "normal users" presumably means "all users", you could just chmod the MOTD file to 664 (group read-write, all read-only), and chown it to root:file_changers (file owned by root, and assigned to the file_changers group).
With Linux ACLs, you can assign multiple groups to a file. Not all filesystems support ACLs. You can use setfacl to alter the permissions:
setfacl -m g:regular:r motd
setfacl -m g:file_changers:rw motd
Note that, in my opinion, ACLs can often be overkill. They can make permission management a hassle if you aren't prepared for them. Consider carefully if you need them; otherwise, stick to the simpler UNIX permission system.

Solution without ACLs:
You can move the motd file into a directory that is readable by group A and make the file writable by group B. Then place a symlink at the original location pointing to the new location.
Example (assuming motd is in /etc/motd):
# mkdir /etc/motd-dir
# mv /etc/motd /etc/motd-dir/
# chown root:groupA /etc/motd-dir
# chown root:groupB /etc/motd-dir/motd
# chmod 750 /etc/motd-dir
# chmod 664 /etc/motd-dir/motd
# ln -s /etc/motd-dir/motd /etc/motd
This solution requires that all members of group B also belong to group A, so that they can access the directory.

Related

Restrict users from storing in home directory in Linux

We have a RHEL server that multiple users access through an application. The application, RStudio, running on these servers defaults the workspace to the user's /home folder. Though separate space is provided for individual users, users tend to store files in /home, filling up /home.
Is there any possibility to restrict users from storing data in their home folders, either at the server level or the RStudio level, which would force them to use the provided location?
Though there are options to change the default workspace for all users, due to the large number of teams, each having their own sensitive data, it is not possible to have a shared folder as the default location.
You could create a group without write permissions on the home folder and start RStudio through the command sg, which allows you to start it with a group id that has reduced permissions.
The ls -l command displays directory contents in long format. The long format contains both permissions and ownership.
# ls -l
With chown you can change the owner and group associated with a file/directory (-R == recursive)
# sudo chown -R user01:groupA Directory
By setting the owner and the single group, the others will have restrictions (if set) in accessing files / folders.
The chmod command is used to modify the various permissions/restrictions.
# sudo chmod -c ug=rwx,o= file1
Going through it specifically:
-c == report if the change is made
u == user
g == group
rwx == read, write, execute
o == others
o= == no permission (empty set for others)
To create a new group you can use groupadd
# sudo groupadd rstudiogroup
You will have to set the newly created group as the owner of the save destination folder and finally start the software through the command sg
# sudo sg rstudiogroup -c rstudio

Linux files and folders are not inheriting parent directory permissions

I created a directory /share, gave it chmod 2770 permissions and did chown root:stock /share.
1) When I touch a file inside /share, I see the file has rw-rw-r-- and I don't see rwxrws---
2) When I create a directory /share/data I see the permission as drwxrwsr-x, whereas the parent directory is drwxrws---
How can I get child files and child directories to inherit the parent's permissions exactly?
The setgid bit on a directory makes new files inherit the group from the directory, not its permissions.
The standard way of controlling the bits that get set on the creation of a file is to control the umask (askubuntu) of the creating process, not the file system.
When you create a file or directory
The owner of the new file or directory will be your effective user id (euid). You can change user id beforehand with the su other_user command (which will prompt you for the password of other_user), or sudo su other_user (which will allow you or not, possibly asking for your password, according to the settings in /etc/sudoers*). After creating the file or directory, you can change its owner with sudo chown other_user file_name.
The group of the new file or directory will be your effective group id. You can change your group id with the newgrp other_group command beforehand. If your current directory has other_group as group and its setgid bit is set, your effective group id will be other_group. After creating the file or directory, you can change its group with chgrp other_group file_name. newgrp, chgrp and setgid will work if you are a member of other_group. If you are not, they won’t: a group password mechanism is theoretically still in place, but it was deprecated decades ago and I’ve never seen anybody using it. Of course, you can always sudo chgrp other_group file_name, or even sudo chown other_user:other_group file_name if you want to change both.
The read and write permissions of the new file or directory will depend on your umask, which is normally set by your configuration files at login. The most used umask values are 022 which, for files, will give you -rw-r--r-- and 002 which will give you -rw-rw-r--. The command umask will give you your current value. You can set another value with umask new_value and it will be effective till you change it or exit your shell. Directories will have also all execution permissions set by default, unless you have odd values in umask, which will block the corresponding execution bit. E.g. a umask value of 027 will create files with -rw-r----- and directories with drwxrwx---. Please refer to documentation for a complete explanation. Also, if the parent directory has the setgid bit, the new directory will have it too. There is no way of setting the setuid and sticky bits by default, nor the setgid bit for files.
After the fact, you can always set the permissions you want with the command chmod.
That said, there is no standard command which will do what you want. However, you can easily write bash functions like the following and use them (write them in a file mycreat_functions and source mycreat_functions when needed). This will do for manually created files and directories. For files created by programs, shell redirections and the like, you will still have to correct the permissions manually.
function mymkdir () {
    local parentperms parent
    for a in "$@"; do
        mkdir "$a"
        parent="$(dirname "$a")"
        # This copies all permissions of the parent,
        # exactly as they are
        parentperms="$(stat -c%a "$parent")"
        chmod "$parentperms" "$a"
        # if I’m root, also copy the parent's owner and group
        if [ "$(id -u)" = 0 ]; then
            chown "$(stat -c%u:%g "$parent")" "$a"
        fi
    done
}
function mytouch () {
    local parentperms newperms parent
    for a in "$@"; do
        touch "$a"
        parent="$(dirname "$a")"
        # This inherits all permissions of the parent,
        # but removes the execution and setgid bits, as is
        # appropriate for files.
        parentperms="$(stat -c%a "$parent")"
        newperms="$(printf %o $((8#$parentperms & 8#5666)))"
        chmod "$newperms" "$a"
        # if I’m root, also copy the parent's owner and group
        if [ "$(id -u)" = 0 ]; then
            chown "$(stat -c%u:%g "$parent")" "$a"
        fi
    done
}
Note: Owner, group and permissions are stored in an inode, where there is also other information on how to retrieve the file contents; the directory entry associates the inode with the file name, and ls -i shows the inode numbers of the listed files. When you copy a file, you create a new directory entry and allocate a new inode, so everything mentioned here applies. When you move a file, you create a new directory entry in the new location, but have it point to the old inode, so that owner, group and permissions are effectively untouched. If you want them to change according to the new directory entry’s parent, you have to create a mymv function along the lines of mytouch and mymkdir above.
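The note above leaves the mymv function as an exercise. The following is an added example, not part of the answer, written in POSIX sh along the lines of mytouch and mymkdir: it moves the arguments with mv, then re-applies the destination directory's permission bits to each moved entry (everything for a directory, only the rw bits for a regular file), and copies the parent's owner:group when run as root. It assumes GNU stat with -c, as the answer's functions do; the sandbox paths used in the usage are constructed for illustration.

```shell
# mymv SOURCE... DEST  (added example; DEST is a directory or the new name)
# After the move, each moved entry gets the permissions its new parent
# directory has: directories copy them exactly, files keep only the
# read/write bits (no execute, no setuid/setgid/sticky).
mymv () {
    [ "$#" -ge 2 ] || { echo "usage: mymv SOURCE... DEST" >&2; return 1; }
    # POSIX trick: loop over the arguments so $dest ends up as the last one
    for dest; do :; done
    mv "$@" || return 1
    i=1
    for a in "$@"; do
        [ "$i" -eq "$#" ] && break        # stop before DEST itself
        i=$((i + 1))
        if [ -d "$dest" ]; then
            target="$dest/$(basename "$a")"
        else
            target="$dest"
        fi
        parent=$(dirname "$target")
        parentperms=$(stat -c %a "$parent")
        if [ -d "$target" ]; then
            newperms=$parentperms                         # directory: copy all bits
        else
            # leading 0 makes the value an octal constant in any POSIX shell
            newperms=$(printf '%o' $((0$parentperms & 0666)))  # file: rw bits only
        fi
        chmod "$newperms" "$target"
        if [ "$(id -u)" = 0 ]; then
            chown "$(stat -c %u:%g "$parent")" "$target"   # root: inherit owner:group too
        fi
    done
}

# Usage in a constructed sandbox: a 750 directory receives a 644 file and a
# 755 directory; afterwards the file is 640 and the directory is 750.
demo_mymv () {
    tmp=$(mktemp -d)
    mkdir "$tmp/shared" "$tmp/sub"
    chmod 750 "$tmp/shared"; chmod 755 "$tmp/sub"
    : > "$tmp/note.txt"; chmod 644 "$tmp/note.txt"
    mymv "$tmp/note.txt" "$tmp/sub" "$tmp/shared"
    stat -c '%a %n' "$tmp/shared/note.txt" "$tmp/shared/sub"
    rm -rf "$tmp"
}
```

Like the answer's functions, this only helps for moves you perform by hand; a program that renames files itself leaves the old inode's bits untouched, so a umask or a default ACL remains the systematic fix.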

How to give file permission to a specific user in a Group?

I have a Group 'g1' having 2 users Alice and Bob.
I want to share a file 'file1' with both of them with different permissions (read only for Alice and read+write for Bob).
Assuming Bob can own the file, the following should work for you.
$ chown Bob:g1 file1
First set the ownership of the file to Bob to allow for read+write access and set the group ownership to the g1 group.
$ chmod 640 file1
Set the owner to read and write and set the group to read only. This is a common permission structure on webservers. Note that the "world" has no permissions in this structure, but $ man chmod can provide further information on file permissions and get you where you need to go. Additionally, if you need more control over your permissions across the whole system, you may want to look into POSIX ACLs or SELinux, as you did indicate you are on Red Hat.
You may try like this in Linux:-
chown user_name file
chown user_name folder
chown -R user_name folder #recursive

How to make /var/www contents editable by an IDE

I followed this link to change group/user permissions and add myself to the www-data group,
but I am still unable to edit contents in /var/www, especially uploaded content.
This is my development environment; I don't want to chmod /var/www/ each time there is an upload.
While keeping contents under /var/www, what are the steps to change the /var/www directory permissions to be able to edit contents directly from an IDE?
My login account user and group name is debianaut:
groups www-data
www-data : www-data debianaut
groups debianaut
debianaut : debianaut www-data
I log in/out after making these changes. It seems straightforward that if I am a user of a certain group I should get whatever permissions they hold.
Please help resolve this issue.
I suspect your issue is the fact that the user account has more than one group, and the default group is not the one with write permission to that folder.
While Linux allows your user access to multiple groups, it does not provide access to all of them at once. Here are some options to address this:
Change the group used while running in a shell
Change the user's default logon group
Use ACLs
New Group in a Shell
In order to operate as a different user after starting a shell, use newgrp.
Change default Group
In order to change the user's default group, edit /etc/passwd, or use a command to do the job (not sure which command, and it probably differs from distribution to distribution).
ACLs
You will likely prefer to use ACLs. See the man pages for setfacl and getfacl. ACLs (access control lists) are expanded permissions. Not all Linux systems support them, but I would be surprised if your Debian system doesn't. The following should add read-write-execute permission for user debianaut to all of /var/www:
setfacl -R -m u:debianaut:rwx /var/www
By the way - you can check the group id of a running process (such as your IDE), use ps -o gid -p <pid>.
Inheriting ACLs
Following the post here lead to the answer for inheriting ACLs.
The answer is called default ACLs in the man page. The following will set the ACL for debianaut as the default for files created in /var/www:
setfacl -R -d -m u:debianaut:rwx /var/www
I think you should change your umask to 0002:
umask 0002
This could also be useful.
For me the problem has to do with joomla configuration. You need to change the default permissions for uploaded files. This link may help you: http://forum.joomla.org/viewtopic.php?t=286584
There are two relatively simple options; neither of them should involve www-data -- you don't want the webserver to have unnecessary write access to your contents.
1) Just take ownership of /var/www for the userid that will edit the files.
2) Establish a new group, make it one of your secondary groups, and make /var/www group-writable + setgid (chmod g+s) that new group. New files in the setgid dir will have their group set to the shared group.
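The answers in this thread, and the MOTD question at the top of the page, both come down to working out which permission class a given user falls into for a given path. The following is an added diagnostic in POSIX sh, not code from any of the answers: it reads the owner, group and mode with GNU stat, the user's groups (primary and supplementary) with id -nG, and applies the classic order of the UNIX check (owner class if the user owns the file, otherwise group class if any of the user's groups matches, otherwise other), printing which class decided. Only the rwx bits are considered; setgid and friends do not grant access by themselves, and root is handled as a special case. The paths in the usage are constructed for illustration.

```shell
# can_access r|w|x PATH [USER]   (added example)
# Prints why access is granted or refused and returns 0 (allowed) or 1 (denied).
can_access () {
    want=$1; path=$2; user=${3:-$(id -un)}
    case $want in r) bit=4 ;; w) bit=2 ;; x) bit=1 ;; *) return 2 ;; esac
    set -- $(stat -c '%U %G %a' "$path")   # owner group octal-mode
    owner=$1; group=$2; mode=$3
    # keep the low nine bits only; special bits (setuid/setgid/sticky) are ignored
    perm=$(printf '%03o' $((0$mode & 0777)))
    u=$(printf '%s' "$perm" | cut -c1)
    g=$(printf '%s' "$perm" | cut -c2)
    o=$(printf '%s' "$perm" | cut -c3)
    # root bypasses read/write DAC checks; execute still needs some x bit set
    if [ "$user" = root ]; then
        if [ "$want" != x ] || [ $(((u | g | o) & 1)) -ne 0 ]; then
            echo "root may '$want' $path (DAC bypass, mode $mode)"; return 0
        fi
        echo "root may NOT 'x' $path: no execute bit at all (mode $mode)"; return 1
    fi
    if [ "$user" = "$owner" ]; then
        class=owner; digit=$u                # owner class wins even if group would allow more
    else
        class=other; digit=$o
        for grp in $(id -nG "$user"); do     # primary and supplementary groups alike
            if [ "$grp" = "$group" ]; then class=group; digit=$g; break; fi
        done
    fi
    if [ $((digit & bit)) -ne 0 ]; then
        echo "$user may '$want' $path via $class class (mode $mode, $owner:$group)"
        return 0
    fi
    echo "$user may NOT '$want' $path: $class class lacks '$want' (mode $mode, $owner:$group)"
    return 1
}

# Usage on a constructed sandbox file; run as your own user to see the
# owner-class decisions for 640 and then 440.
demo_can_access () {
    tmp=$(mktemp -d); f="$tmp/motd"; : > "$f"
    chmod 640 "$f"; can_access w "$f" || true
    chmod 440 "$f"; can_access w "$f" || true
    rm -rf "$tmp"
}
```

Running it as the account the IDE uses, against the file it cannot save, shows whether the refusal comes from the group class (the user is in www-data but the group bits lack w), from the other class (the user is not in the file's group at all), or from a parent directory lacking x, which this check will also report if you point it at each directory on the path.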

How to manage permissions on Linux folders?

I'm a little bit confused with Linux permissions. I'm configuring a Git central repository that the users access by SSH. I'm using filesystem ACLs (link) and regular Linux permissions. What I intend to do is:
Find a way in which only the users that I want will be able to list/read/write/execute the dir "/var/github" (in a way that I assign a group to the user that I want to give this kind of permissions to)
The user "git" is the only user that can create new folders in "/var/github"
Is this possible to do? Some clues on how to do it?
Best Regards,
chown git:git /var/github; chmod 750 !$
Now only the group git can read the folder and only the user git can modify it.
You can use access control lists to grant access to multiple groups. Here's an example session (using Ubuntu, but it should be the same for CentOS) that gives the grp1 group read access and the grp2 group read, write and execute access:
$ touch foo
$ setfacl -m "g:grp1:r--,g:grp2:rwx" foo
$ getfacl foo
# file: foo
# owner: me
# group: me
user::rw-
group::r--
group:grp2:rwx
group:grp1:r--
mask::rwx
other::r--
Make sure that along with the user "git" that there is a "git" group. Add all the users to the group that you will give access to. Change the ownership properties of your directory to user and group git, and then the permission of 750. The ownership and mode commands are as follows:
chown git:git /var/github
chmod 750 /var/github
The permission of 750 lets the user do pretty much anything in the folder and only the members of the group "git" read and possibly execute in that folder. What programs and commands you use for your user management is up to you.
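The getfacl listing in the ACL answer above includes a mask:: line, and that line is what decides what named groups such as grp2 actually get: named user entries, named group entries and the owning-group entry are ANDed with the mask, while user:: and other:: are not. The following added example (not from the answer; POSIX sh) computes that effective permission from getfacl text. The two ACL listings are constructed: the first mirrors the answer's session, the second is the same ACL with a tightened mask of r-x, which is what a chmod g-w on the file would leave behind.

```shell
# Constructed getfacl output, matching the answer's session.
SAMPLE_ACL='# file: foo
# owner: me
# group: me
user::rw-
group::r--
group:grp2:rwx
group:grp1:r--
mask::rwx
other::r--'

# Same ACL after the mask has been narrowed (e.g. by chmod g-w foo).
SAMPLE_ACL_MASKED='# file: foo
# owner: me
# group: me
user::rw-
group::r--
group:grp2:rwx
group:grp1:r--
mask::r-x
other::r--'

# perm_and RWX RWX -> character-wise intersection of two rwx triads
perm_and () {
    a=$1; b=$2; out=""; i=1
    while [ "$i" -le 3 ]; do
        ca=$(printf '%s' "$a" | cut -c"$i"); cb=$(printf '%s' "$b" | cut -c"$i")
        if [ "$ca" = "$cb" ] && [ "$ca" != "-" ]; then out="$out$ca"; else out="$out-"; fi
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# effective_perm ACL_TEXT ENTRY -> effective rwx for ENTRY, or return 1 if absent
# ENTRY is written as in getfacl: user::, group::, other::, group:grp2, user:alice
effective_perm () {
    acl=$1; entry=$2
    # the trailing .* tolerates getfacl's "#effective:" annotations
    mask=$(printf '%s\n' "$acl" | sed -n 's/^mask::\(...\).*/\1/p')
    case $entry in *:) key=$entry ;; *) key="$entry:" ;; esac
    perms=$(printf '%s\n' "$acl" | sed -n "s/^$key\(...\).*/\1/p" | head -n 1)
    [ -n "$perms" ] || return 1
    case $key in
        user::|other::|mask::)                 # owner, other and the mask itself are never masked
            printf '%s\n' "$perms" ;;
        *)                                     # named entries and group:: are ANDed with the mask
            if [ -n "$mask" ]; then perm_and "$perms" "$mask"; echo
            else printf '%s\n' "$perms"; fi ;;
    esac
}

# Usage: compare what grp2 gets under each mask.
demo_effective () {
    echo "grp2 with mask rwx: $(effective_perm "$SAMPLE_ACL" group:grp2)"
    echo "grp2 with mask r-x: $(effective_perm "$SAMPLE_ACL_MASKED" group:grp2)"
}
```

The practical consequence for the repository question is that after granting a group rwx with setfacl, a later chmod on the group bits silently rewrites the mask and can take write access away from every named group at once; checking the effective value, as this does, is the way to notice it.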