Linux directory permissions for different groups

I have two directories: "public" and "private". I have three users: "chris", "john", "dan". I have two groups: pub, priv and god.

  • The god group must have full access to public and private.
  • The pub group should be the only group that has access rights to public.
  • The priv group should be the only group that has access rights to private.

As root:

 useradd chris
 useradd john
 useradd dan
 usermod -g god chris
 usermod -g pub john
 usermod -g priv dan
 chgrp god public private
 chgrp pub public
 chgrp priv private

 su chris

As "chris":

 cd public/
 touch test        # permission allowed


The same goes for the other users ... as "dan" I do not have permissions in the "private" directory, although "dan" is a member of the "priv" group.

Do you have any ideas?

+8
linux permissions
4 answers

Well, I know this is relatively old, but twalberg is correct: in fact, there is a relatively simple way to do this using POSIX ACLs. They have existed since the late 90s / early 2000s, so I do not know why more people do not use them.

How to do it: do what you have already done, then run this command:

 # setfacl -m g:god:rwx public private 

and in one command you get what you want. You will spend forever trying to figure out how to do this using ONLY traditional Unix permissions.

Mikic's advice can still be good (depending on what you are trying to do), and it can be more straightforward to involve as few groups as possible in your permissions (or maybe you want to make it clear that "chris" is not an ordinary user but an administrative user; again, it depends on what you want to build).

I suggested something closer to what you are trying to do, because there may be situations where you want to give an additional user or group access to a directory, but you do not want to have to choose between "chris" not having access to these two directories and chris gaining access to every other file and directory that pub and priv can access. With ACLs you do not have to make that choice, which is why they were added and are now a standard part of most Unix platforms (both BSD and Linux).

+15

You said that the pub group should be the only group that has rights to public. But right before that you said that "god" must also have access. So "pub" cannot be the only one that has access. The same goes for priv.

You also say:

I have two groups: pub, priv and god.

Well, those are three groups. (Reminds me of the famous quote: "In this world there are three kinds of people: those who can count, and those who cannot." :-P)

Your basic concept seems wrong. How it works is pretty simple. Create two groups: pub and priv. Put the users who need access to the directories in them. Users who need access to both directories must belong to both groups.

In this case, "chris" should be placed in both the "pub" and the "private" group. "john" should be added to the "pub" group. "dan" should be placed in the "private" group.

What you were trying to do was make the directories belong to two groups. That is impossible. It is users that can be members of several groups, not files or directories. You just got it backwards :-)

+4
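The two designs the thread converges on, chris as a member of both groups (this answer) or an ACL entry for god on top of plain group ownership (the first answer), written out as one setup script. This is an added example, not code from any of the answers. It assumes the directories live under $BASE (default /srv/shares), that it runs as root, and that the user and group names are free; the filesystem probe for the last answer's point (the filesystem must support ACLs) is also an assumption about how to check that. With DRYRUN=1 it only prints the commands it would run, which is handy for review before touching a real box.

```shell
#!/bin/sh
# Added example for this thread (not code from the answers): the setup the
# thread converges on, as a script.  setup_groups_only is Nikos's approach
# (chris is simply a member of both groups); setup_with_acl is the accepted
# answer's (a POSIX ACL grants the god group access on top of group ownership).
# Assumptions: directories live under $BASE (default /srv/shares), the script
# runs as root, and the user/group names are free.  DRYRUN=1 prints the
# commands instead of executing them.
set -eu
BASE=${BASE:-/srv/shares}

run() { if [ "${DRYRUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi; }

ensure_group() { run groupadd -f "$1"; }                              # -f: fine if it exists
ensure_user()  { id -u "$1" >/dev/null 2>&1 || run useradd -m "$1"; }

# The fourth answer's point: the filesystem has to store ACLs.  setfacl fails
# with "Operation not supported" on a filesystem mounted with noacl (or one
# without ACL support at all), so probe a scratch directory under $BASE first.
check_acl_support() {
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl missing: install the acl package" >&2; return 1; }
    probe=$(mktemp -d "$BASE/.aclprobe.XXXXXX")
    if ! setfacl -m g:root:r-x "$probe" 2>/dev/null; then
        rmdir "$probe"; echo "$BASE does not support POSIX ACLs" >&2; return 1
    fi
    rmdir "$probe"
}

make_dirs() {
    run mkdir -p "$BASE/public" "$BASE/private"
    run chgrp pub  "$BASE/public"
    run chgrp priv "$BASE/private"
    # 2770: owner and group rwx, nothing for others, plus setgid so files
    # created inside inherit the directory's group instead of the creator's
    # primary group.  The question's directories probably never got the group
    # w bit at all, which is why touch failed for dan.
    run chmod 2770 "$BASE/public" "$BASE/private"
}

setup_groups_only() {
    ensure_group pub; ensure_group priv
    ensure_user chris; ensure_user john; ensure_user dan
    # -aG appends to the supplementary groups; -G alone (or -g, as in the
    # question) replaces instead of adding.
    run usermod -aG pub,priv chris
    run usermod -aG pub john
    run usermod -aG priv dan
    make_dirs
}

setup_with_acl() {
    ensure_group pub; ensure_group priv; ensure_group god
    ensure_user chris; ensure_user john; ensure_user dan
    run usermod -aG god chris
    run usermod -aG pub john
    run usermod -aG priv dan
    make_dirs
    [ "${DRYRUN:-0}" = 1 ] || check_acl_support
    # Access ACL on the directories themselves ...
    run setfacl -m g:god:rwx "$BASE/public" "$BASE/private"
    # ... and a default ACL so entries created later carry the god entry too.
    # A new file still takes its mask from the creating process's mode, so a
    # file created 0644 gives god an effective rw- even though the entry is rwx.
    run setfacl -d -m g:god:rwx "$BASE/public" "$BASE/private"
}

# usage: sh setup.sh groups|acl       (prefix with DRYRUN=1 to preview)
if [ $# -gt 0 ]; then
    case $1 in
        groups) setup_groups_only ;;
        acl)    setup_with_acl ;;
        *)      echo "usage: $0 groups|acl" >&2; exit 2 ;;
    esac
fi
```

Run with `DRYRUN=1 sh setup.sh acl` first and read the command list; then `getfacl /srv/shares/private` should show a `group:god:rwx` line and a `default:group:god:rwx` line, and a member of god who is in neither pub nor priv can create files there.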

There are two problems with your approach. The first one is:

 chgrp god public private 
 chgrp pub public 

With the second command you cancelled the effect of the first. The public directory now belongs to the pub group, not to god.

Secondly, you probably did not give write access to the public directory to its group (the user who runs the touch command does not own the directory; he only belongs to its group).

Try the following:

 chmod 770 public 

and do the same with the other directories. However, what you were originally trying to achieve is impossible, because a directory can belong to only one group. Nikos explained this in detail in his answer: put the user in more groups.

+2
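To see why touch failed for dan, what chmod 770 changes, and why the first answer's setfacl lets god in where plain permissions cannot, here is an added example (not code from any of the answers) that models the kernel's permission decision so the scenarios can be replayed without creating real users. unix_access is the classic owner/group/other check; acl_access is the POSIX ACL algorithm described in acl(5), including the mask. The users, groups and modes at the bottom are constructed from the question; the directories' original mode of 755 is an assumption, as is that root owns them.

```shell
#!/bin/sh
# Added for this thread, not code from any answer: a model of the permission
# decision the kernel makes, so the failure in the question can be replayed
# without creating real users.  unix_access is the classic owner/group/other
# check; acl_access is the POSIX ACL algorithm described in acl(5).  Both
# return 0 (allowed) or 1 (denied).  The users, groups and modes at the bottom
# are constructed to match the question; the 755 starting mode is an assumption.

has_perm() { case "$1" in *"$2"*) return 0;; esac; return 1; }       # does "r-x" contain "w"?
in_list()  { for w in $2; do [ "$w" = "$1" ] && return 0; done; return 1; }

octal_to_rwx() {                 # one octal digit -> "rwx" letters
    case "$1" in
        0) printf '%s\n' ---;; 1) printf '%s\n' --x;; 2) printf '%s\n' -w-;; 3) printf '%s\n' -wx;;
        4) printf '%s\n' r--;; 5) printf '%s\n' r-x;; 6) printf '%s\n' rw-;; 7) printf '%s\n' rwx;;
        *) echo "bad mode digit: $1" >&2; return 2;;
    esac
}

# unix_access OWNER GROUP MODE USER "USER_GROUPS" PERM      (MODE like 750 or 2750)
# Exactly one class is consulted: owner if USER owns the file, else group if any
# of USER's groups is the file's group, else other.  A group member denied by
# the group bits never falls through to the "other" bits.
unix_access() {
    f_owner=$1 f_group=$2 mode=$3 user=$4 ugroups=$5 perm=$6
    case $mode in ????) mode=${mode#?};; esac   # drop the setuid/setgid/sticky digit
    rest=${mode#?}
    if   [ "$user" = "$f_owner" ];      then bits=$(octal_to_rwx "${mode%??}")
    elif in_list "$f_group" "$ugroups"; then bits=$(octal_to_rwx "${rest%?}")
    else                                     bits=$(octal_to_rwx "${rest#?}")
    fi
    has_perm "$bits" "$perm" && return 0; return 1
}

# acl_access OWNER GROUP "ACL" USER "USER_GROUPS" PERM
# ACL is getfacl(1)-style entries joined by spaces, e.g.
#   "user::rwx group::rwx group:god:rwx mask::rwx other::---"
# acl(5) order: 1. owner -> user:: entry (never masked); 2. named user -> that
# entry AND the mask; 3. if any of USER's groups matches group:: or a group:NAME
# entry, access is granted iff some matching entry AND the mask has the bit, and
# there is no fall-through to other; 4. otherwise -> other:: entry.
acl_access() {
    f_owner=$1 f_group=$2 acl=$3 user=$4 ugroups=$5 perm=$6
    mask=rwx
    for e in $acl; do case $e in mask::*) mask=${e#mask::};; esac; done
    if [ "$user" = "$f_owner" ]; then
        for e in $acl; do case $e in user::*) has_perm "${e#user::}" "$perm" && return 0; return 1;; esac; done
        return 1
    fi
    for e in $acl; do
        case $e in
            user::*) ;;
            user:"$user":*) has_perm "${e##*:}" "$perm" && has_perm "$mask" "$perm" && return 0; return 1;;
        esac
    done
    matched=0
    for e in $acl; do
        case $e in
            group::*) g=$f_group; p=${e#group::};;
            group:*)  rest=${e#group:}; g=${rest%%:*}; p=${rest#*:};;
            *) continue;;
        esac
        in_list "$g" "$ugroups" || continue
        matched=1
        if has_perm "$p" "$perm" && has_perm "$mask" "$perm"; then return 0; fi
    done
    [ "$matched" -eq 0 ] || return 1
    for e in $acl; do case $e in other::*) has_perm "${e#other::}" "$perm" && return 0; return 1;; esac; done
    return 1
}

# --- the thread's situation, replayed with constructed data -------------------
# "chgrp priv private" was run but the directory kept its creation mode (assumed
# 755): dan lands in the group class, and the group bits have no w.
dan_before_chmod()   { unix_access root priv 755 dan "priv" w; }            # denied
dan_after_chmod()    { unix_access root priv 770 dan "priv" w; }            # allowed
# chris is only in god; private's one and only group is priv, so he is "other".
chris_god_only()     { unix_access root priv 770 chris "god" w; }           # denied
# Nikos's fix: chris is also a member of priv (and pub).
chris_in_priv()      { unix_access root priv 770 chris "god pub priv" w; }  # allowed
# twalberg's fix: setfacl -m g:god:rwx private  (getfacl then shows this ACL)
PRIV_ACL="user::rwx group::rwx group:god:rwx mask::rwx other::---"
chris_via_acl()      { acl_access root priv "$PRIV_ACL" chris "god" w; }    # allowed
john_via_acl()       { acl_access root priv "$PRIV_ACL" john "pub" w; }     # denied
# Caveat: a later "chmod 750 private" rewrites the mask, not group::, so god's
# rwx entry is capped to r-x (getfacl marks it "#effective:r-x").
PRIV_ACL_750="user::rwx group::rwx group:god:rwx mask::r-x other::---"
chris_after_chmod_750() { acl_access root priv "$PRIV_ACL_750" chris "god" w; } # denied

for scenario in dan_before_chmod dan_after_chmod chris_god_only chris_in_priv \
                chris_via_acl john_via_acl chris_after_chmod_750; do
    if $scenario; then echo "$scenario: allowed"; else echo "$scenario: denied"; fi
done
```

The last scenario is the one that bites in practice: once a directory carries an ACL, chmod's group digit edits the mask rather than the group entry, so an innocent chmod 750 silently caps every named group to r-x. Check with getfacl, which prints "#effective:" next to any entry the mask is cutting down.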

You will need to use a file system that supports ACLs. As mentioned in the other answers, group ownership by pub and priv is possible with basic Linux permissions, but an ACL is required to give access to the god group, since files and directories can have only one group. Most current file systems should support this; see the manual pages for getfacl and setfacl.

+2
