I am a bit lost with Linux file and directory permissions. What I would like to do is have one user be able to create, delete, and rename directories, while other users are not able to do so, but they should be able to read and write to the directories as well as traverse them.
So group 'storage' has access to directory /workspace, those are the users which are not supposed to be able to create, delete, or rename directories. Group 'storageAdmin' also has access to directory /workspace, but is able to create, delete, or rename directories within.
Whenever 'storageAdmin' creates a new directory it should automatically be accessible to 'storage' such that they can read and write files within it.
Am I correct in that /workspace needs to be owned by 'storageAdmin' and be set to chmod 775 for this to work properly?
The correct permissions are 2775, setting the set gid bit too. This causes new files and directories to inherit the parent's permissions, owner and group.
Be aware though, that the standard unix permissions do not allow you to restrict access to the directory to the storage group after chgrping it to storageAdmin. Everyone has access now according to the other permission set.
Use Posix ACLs or SE Linux if you really need more fine grained access controls.
Related
Since I am having a Django
PermissionError at /
I need to change permissions on my folders. My question is what is the right level of permission for those folders which still secures my server? I use Apache on Ubuntu.
Short answer: you need to set r-x for group owner, which must be www-data, and can use rwx for owner, which must be your user; only directories which www-data need to write (as repository for media files uploaded by clients) must be rwx for group owner.
For a more specific answer you need to provide some context about your issue: where are your files placed?, when do you get that error?
I have just set up a new user for ftp connection first time. I am trying to block off all permissions on all c drive folders but their their user folder. Currently they can see files in the windows folder which I tried changing using the properties and security deny permission for user, but it didnt allow me to do it.
Whats the best way to set this up? And block all visual access to folders but their own user folder.
Any questions, let me know and I'll clarify as best as I can.
Can use bitvise to restrict users to a root directory without touching any permissions on the directory itself
we have a Windows 7 server and I've been asked to set it up so no one can move files in the root directory except for 3 users and still allow everyone to access/create files in subdirectory.
Example:
We have a drive, X:/
We don't want people to move any folders inside X:/
But in X:/SomeFolder we want people to have full permissions to create, move, and modify files.
I got the move restriction setup by disallowing delete for subfolders in the current directory, but it restricted access on sub-sub folders as well.
Anyone have a clue on how to do this?
When changing the permissions to block users from moving folders, set them to apply to This Folder Only:
(source: winhelp.us)
Assuming you have two groups, Users and Administrators, and no other permissions currently configured on X::
Grant Administrators Full Control, applied to This Folder Only
Grant Users the following permissions, applied to This Folder Only:
Traverse Folder
List Folder Contents
Read Attributes
Read Extended Attributes
Read Permissions
Create Files
Create Folders
I have Qt application which should work on multiple platforms. One of those platforms is Linux. I am completely new in Linux world.
My application need to create and manage set of data files. After reading some links about linux directory structure I decided to store data files in /var/myapp directory and in its subdirectories.
Here is the problem: if my application runs without superuser privileges then it has no rights to create /var/myapp directory. Even if i will create directory manually (with sudo) my application will not have rights to write files there.
Is it possible to temporary elevate application's permissions from Qt code to create /var/myapp directory and write files there?
Or possibly there is another place in Linux directory structure which is by default available for storing application's data files?
Only root can create directories in /var. If your application needs a subdirectory under /var, you need to create it during installation (which typically runs with root permissions), and chmod it appropriately: either create a group for users that may run your application, put /var/myapp in that group, and chmod it to 770; or just chmod the directory to 777 to allow everyone to access it. If you want to prevent writing by regular users, use 755 or 750 instead. (For data files, don't set the execute bit though: the appropriate permissions here are 666/660/644/640). Instead of octal triplets, you may prefer the more elaborate mnemoic syntax to chmod, e.g. chmod ug+x filename adds (+) the execute bit (x) to filename for the owning user (u) and group (g).
However, /var is not necessarily the best choice: /var is typically used for volatile data (temporary files etc.), as well as things that are expected to change frequently (mail, log files, etc.). Other data should go into either:
/usr/share/{appname} for system-wide data files and resources
/etc/{appname} for system-wide configuration files
~/.{appname} (old convention) or ~/.config/{appname} for per-user configuration files
/var/tmp/{appname} for temporary files
Also, you want to make the /usr prefix configurable; most distributions reserve /usr for package-managed files, except /usr/local, which mirrors /usr for out-of-distro installs (so in that case, your system-wide resources go into /usr/local/share instead of /usr/share).
You could distribute it without installation scripts, but you'd have to tell them to run it once as root... or have the app run itself as root using gksudo/kdesudo if its system wide data files do not exist.
The custom though is to make a package (.deb, .rpm, or even a .tar.gz that the user will extract himself) including all necessary files.
But linux (and OS X for that matter) are multi user systems. Are you sure your files belong in /var or /usr? If they're created at runtime as you say, don't they depend on user input? In which case you need to put them in some directory inside the user's home directory (getenv("HOME")).
I want to share a folder among all users of a group : dev. So that all files are regardless of the owner can be edited by anyone in the group.
I have created the shared folder and set the respective permissions to the folder.
When a user creates a new file in that folder it belongs to owner:dev
But the permission for the files are rw-r--r--
So other users who belong the same group are not able to edit the files.
Like default group become "dev" how can I set the default permission for the files created in that directory.
I don't want to use "umask" technique because the user will upload files into that directory throuh ftp and other tools.
This really belongs on serverfault and I already mentioned there's almost an exact duplicate there, but anyway there's a nice little solution you can use, which is the FUSE bindfs module (there's a package in ubuntu). You use it to mount one directory onto another mountpoint and can set things such as the default permissions of any files created here, their owner, group and the permissions of files already in the directory (which is what you seem to want).
I don't want to use "umask" technique because the user will upload files into that directory throuh ftp and other tools.
That's the only way to do it, unless those "other tools" are themselves able to adjust permissions.
If you have root access, you can set the default umask for everyone to 002 from /etc/bashrc (assuming bash the default shell for the users in question).
A hack (and this is less preferable to umask) is to setup a cron job that will run every minute and do a chmod -R g+w <dir>.