I would like to create a directory under linux (or mount one e.g.: nfs), where:
every user can create files
but only the root user can modify the created files (overwrite, delete, or move them)
How can this be done, and how secure are these solutions?
(for example: sentinel script, umask, etc.?)
Thanks,
krisy
I would try to change file permissions after creation using inotifywait. This (untested) snippet might help a bit, but is definitely not very elegant. It sets root as the owner of all created files in /path/to/dir and removes write-permission for group and others.
while true; \
do inotifywait -e create /path/to/dir/ && \
chown root /path/to/dir/* && \
chmod g-wo-w /path/to/dir/*; \
done
Hope that helped a bit
*jost
If it is also ok that the user that created the file can change them, you can use the sticky bit. This is the first digit if you give chmod a 4 digit argument.
su -
mkdir stickydir
chmod 1775 stickydir
chown user.group stickydir
Now all members of group can write to the dir, but only the user that created a file or root can change the files
su - user1 #member of group
touch stickydir/stickytest-user1 #ok
su - user2 #member of group
touch stickydir/stickytest-user2 #ok
rm stickydir/stickytest-user1 #permission denied
rm stickydir/stickytest-user2 #ok
Related
I have few directories with files on debian 9 system. I want to disable privilege to read these directories for everyone than owner, but I want to let some users list files in this directories only by my own script in bash.
I change privileges to directories and to my script but i get "permission denied" when i try using it. I understand why, but cant fix it.
OKAY after we had a small chat I understand the following:
that you (your user is called user0) have a directory with some files in it, and you have a special category of users (user1,user2...usern) on your machine that you want to give access to this folder. First you must create a group called for example "cowboys" witch the users who will be privileged to read, and execute the folder will add.
# create the group cowboys
groupadd cowboys
# add user1, user2, etc to the group
usermod -a -G cowboys user1 user2 .... usern
Lets admit your folder that you want to give access to is called "/somehow/there/dictionary"
So after you created the folder and joined it, you chown it to you and the group cowboys
chown user0:cowboys /somehow/there/dictionary
in the next step you must chmod the folder it in a way that you can read(400) write(200) and execute(100), cowboys can read(40) and execute(10) and rest of the word can nothing(0).
chmod 750 /somehow/there/dictionary
the last step is that you now must chmod the files in the derectory
1) The executable files you must chmod very similar to the way you chmod the folders, because folders need to have "executable" rights for one to "cd" in the folder
chmod 750 /somehow/there/dictionary/*
2) the non executable files you will chmod like this :
chmod 640 /somehow/there/dictionary/*
and this should do the trick.
I want my php script to be able to create file, edit, and delete it, so I need to give it permissions to do so in Linux.
I've done this with one of the stackoverflow answers with this code:
sudo chown -R www-data:www-data .
But when I do so, I lose my user access to files - so I can't open them with gedit for example until I change permissions back like so:
sudo chown -R igor /var/www/html/demo/myDir
I think I need to give permission to Apache, but leave my access as well. I feel there is some easy answer to make it work, but I can't find one. Any suggestions?
You are changing the owner of the files, if you want to change the permission of the files without changing the owner you need to use : chmod.
For example if you want to read write and execute on the current folder you can use: chmod 777 .
If what you want is the two users have the same permissions over the folder you could add your user to the group www-data (assuming that you are in the files folder):
sudo usermod -a -G www-data youruser
sudo chgrp -R www-data .
sudo chmod -R 770 .
I would like to ensure that in only one particular directory on linux server will have newly-created directory setup particular group?
I.e.:
I have directory /data with ownership "user1:global_group" and every new subdirectory should have group ownership the same. Once I create directory by using mkdir /data/subdir1 under user1 or user2 the ownership is "user1:grp_user1" or "user2:grp_user2".
How can I manage the subdirectory ownership?
Many thanks for any ideas ...
You need chmod for that.
Apply this: chmod g+s directory on a parent directory. Every newly created file and directory, recursively, will have the group of the parent directory.
So:
chgrp target_group target_directory
chmod g+s target_directory
mkdir -p target_directory/subdirectory/another_one
ls -l target_directory/subdirectory/another_one
And observe, how another_one directory has the desired group.
Use -R or --recursive option. And try chgrp --help first.
Someone please advise how to set the directory to chown root:root and chmod 0600, so that everything in it was created or copy the same settings as configured directory? thank you
Your question is not that clear ... but I think that perhaps what you're looking for is recursive application to apply chown and chmod settings to all files in the directory. This can be done (in both cases) using the -R flag, for example:
chown -R root:root mydir/*
I think you are looking for chmod -R 0600 * and chown -R root:root *, but your question is not entirely clear.
I think you are looking for the -R (recursive) flag - you can use
chown -R root:root /your/directory/full/path
and
chmod -R 0600 /your/directory/full/path
If instead you're copying an existing directory and want to retain permissions you can use
cp -a /current/path /new/path
and the -a flag will keep ownership and permissions the same
I think I understand your question now: you're trying to set the default permissions and ownership for new files in the directory.
For ownership, if you add yourself to the group that owns the directory (root in this case), then new files you create will be owned by that group.
For permissions, you can set default permissions for new files using umask:
umask 077 # grant only user r/w permissions
or using setfacl: see this answer for more information.
This question already has answers here:
How do I change permissions for a folder and its subfolders/files? [closed]
(19 answers)
Closed 4 years ago.
I have a web directory /www and a folder in that directory called store.
Within store are several files and folders. I want to give the folder store and all files and folders within the store folder all permissions.
How do I do this? I am guessing via .htaccess.
If you are going for a console command it would be:
chmod -R 777 /www/store. The -R (or --recursive) options make it recursive.
Or if you want to make all the files in the current directory have all permissions type:
chmod -R 777 ./
If you need more info about chmod command see: File permission
If by all permissions you mean 777
Navigate to folder and
chmod -R 777 .
You can give permission to folder and all its contents using option -R i.e Recursive permissions.
But I would suggest not to give 777 permission to all folder and it's all contents. You should give specific permission to each sub-folder in www directory folders.
Ideally, give 755 permission for security reasons to the web folder.
sudo chmod -R 755 /www/store
Each number has meaning in permission. Do not give full permission.
N Description ls binary
0 No permissions at all --- 000
1 Only execute --x 001
2 Only write -w- 010
3 Write and execute -wx 011
4 Only read r-- 100
5 Read and execute r-x 101
6 Read and write rw- 110
7 Read, write, and execute rwx 111
First Number 7 - Read, write, and execute for the user.
Second Number 5 - Read and execute for the group.
Third Number 5 - Read and execute for others.
If your production web folder has multiple users, then you can set permissions and user groups accordingly.
More info :
Understanding File Permissions: What Does “Chmod 777″ Mean?
What file permissions should I set on web root?
Why shouldn't /var/www have chmod 777
You can also use chmod 777 *
This will give permissions to all files currently in the folder and files added in the future without giving permissions to the directory itself.
NOTE: This should be done in the folder where the files are located. For me it was an images that had an issue so I went to my images folder and did this.
Yes, very right that the -R option in chmod command makes the files/sub-directories under the given directory will get 777 permission. But generally, it's not a good practice to give 777 to all files and dirs as it can lead to data insecurity. Try to be very specific on giving all rights to all files and directories. And to answer your question:
chmod -R 777 your_directory_name
... will work
for mac, should be a ‘superuser do’;
so first :
sudo -s
password:
and then
chmod -R 777 directory_path
This didn't work for me.
sudo chmod -R 777 /path/to/your/file/or/directory
I used -f also.
sudo chmod -R -f 777 /path/to/your/file/or/directory