
Geek Thoughts: Shared Folders in Ubuntu with setgid and ACL

26/03/13


Geek Thoughts
Random thoughts and ideas from a French geek in London

Thursday, 29 April 2010

Shared Folders in Ubuntu with setgid and ACL

Introduction

There is an often requested feature on Linux (or UNIX): the ability to create shared directories similar to what is possible in Windows, that is a directory in which every person who has been given access can read, write or modify files. However, because Linux file systems such as ext4 enforce stricter file permissions than Windows file systems such as FAT or NTFS, creating such a directory is not obvious. Of course, if you put your shared directory on a FAT or NTFS partition it will behave just like in Windows, but that requires a separate partition and doesn't let you enforce permissions on a per-group basis. So here's a quick guide on how to do this with Ubuntu. The same principles apply to other Linux distributions, so it should be portable.

Use Cases

Let's go through a couple of classic use cases first, to identify exactly what we want to do.

Project Folder


In a company or university setting where users are assigned to project teams or departments, it can be useful to create shared folders where all members of the team can drop files that are useful for the whole team. They need to be able to create, update, delete files, all in the same folder. They also need to be able to read, update or delete files created by other members of the team. However, users external to the team should only have read access.
Web Development


For anybody doing web development on Linux, a classic problem is dealing with development or test web servers. The default web server process runs as the www-data user and the document directory is owned by that same user. It would be great if all web developers on the team were able to update the document directory on the server without requiring root access to do so.

Linux Default Behaviour

Linux has the concept of user groups. You can check what groups your user belongs to by typing the following on the command line:
$ groups
bruno adm dialout cdrom plugdev lpadmin admin sambashare


On a default Linux installation, groups are used to give access to specific features to different users, such as the ability to administer the system or use the CD-ROM drive. But one of the core features of user groups is to support file permissions. Each file has separate sets of read, write and execute permissions for the user who owns the file, for the group that owns the file, and for others, that is everybody else. Whenever a user attempts to read, write or execute a file, the system decides whether they can do it based on the following rules: if the user is the owner of the file, the user permissions apply; otherwise, if the user is a member of the group that owns the file, the group permissions apply; otherwise, the others permissions apply. Only the first matching class counts: an owner who is also a member of the owning group gets the user permissions, even where the group permissions are wider. So to configure a shared directory as defined above, we need to:
- create a user group for the team,
- assign all team member users to that user group,
- create a directory and configure it so that all users in the group can add new files to the directory and modify any existing file in it,
and of course, all this should work without users having to do anything special.

How To
Enable ACL


The first thing we need to do is to enable ACL support on the partition where we will create the shared directory. ACLs extend the basic Linux permission implementation to enable more fine-grained control. As this requires the file system to store more permission metadata against files, it needs to be mounted accordingly. Before editing anything, check whether the file system already has acl among its default mount options (tune2fs -l on the device lists them, and ext4 file systems created by recent Ubuntu releases have it); if so, this step can be skipped. Otherwise, we enable it by adding the acl option to the relevant line in /etc/fstab, such as:
UUID=b8c490d0-0547-4e1f-b052-7130bacfd936 /home ext4 defaults,acl 0 2

The partition then needs to be re-mounted. The simplest way is to apply the new option in place with mount -o remount on the mount point, which picks up the updated /etc/fstab entry, works for / and /home as well, and does not require a reboot. Alternatively, the following commands unmount and re-mount the partition (which is only possible if nothing is using it, so not for / or for /home while users are logged in):
$ sudo umount partition
$ sudo mount partition

where partition is the mount point of the partition as defined in /etc/fstab, such as /var/www.
Create Group

We then need to create the group to which we will give shared access, let's call that group teamgroup:
$ sudo groupadd teamgroup

Try to give the group a meaningful name while keeping it short. If it's meant to be a team group, give it the name of the team, such as marketing. Note the following restrictions on Debian and Ubuntu for group names (taken from the man page):
It is usually recommended to only use groupnames that begin with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes. They can end with a dollar sign. In regular expression terms: [a-z_][a-z0-9_-]*[$]? On Debian, the only constraints are that groupnames must neither start with a dash (-) nor contain a colon (:) or a whitespace (space: , end of line: \n, tabulation: \t, etc.). Groupnames may only be up to 32 characters long.

We then need to assign users to that group:


$ sudo usermod -a -G teamgroup teamuser

Where teamuser is the login name of the user to assign to the group. The assignment takes effect the next time the user logs in; sessions that are already open keep their old group list. Make sure that you do not forget the -a option, otherwise you will wipe out all existing group assignments for that user rather than just adding a new one.
Create the Folder

The next step is to create the shared folder. This is easy:


$ cd /path/to/parent
$ mkdir teamfolder

Where /path/to/parent is the path to the parent folder and teamfolder is the name of the folder you want to create. We then assign group ownership of the folder to the group previously created:
$ chgrp teamgroup teamfolder

And give write access to the group on that folder:


$ chmod g+w teamfolder

Let's check what this folder looks like:


$ ls -l
drwxrwxr-x 2 teamuser teamgroup 4096 2010-03-03 14:32 teamfolder

Now, let's try to create a new file in that directory:


$ touch teamfolder/test1
$ ls -l teamfolder
-rw-r--r-- 1 teamuser teamuser 5129 2010-03-03 14:34 test1

That looks good, and any other user who is part of teamgroup should be able to create files in this directory. However, group members will not be able to update files created by other members of the group, for two reasons: the group that owns the file is the creating user's primary group rather than teamgroup, and the file's permissions only allow its owner to update it, not the group.
Set the setgid Bit

We'll solve the first problem by setting the setgid bit on the folder. Setting this permission means that all files created in the folder inherit the group of the folder rather than the primary group of the user who creates them. Subdirectories created in the folder inherit both the group and the setgid bit, so the behaviour carries down the tree for anything created from now on (existing subdirectories have to be fixed by hand).
$ chmod g+s teamfolder
$ ls -l
drwxrwsr-x 2 teamuser teamgroup 4096 2010-03-03 14:32 teamfolder

Note the s in the group permissions instead of the x that was there previously. So now let's try to create another test file.
$ touch teamfolder/test2
$ ls -l teamfolder
-rw-r--r-- 1 teamuser teamuser 5129 2010-03-03 14:34 test1
-rw-r--r-- 1 teamuser teamgroup 5129 2010-03-03 14:35 test2

So now whenever a file is created in the team directory, it inherits the team's group.
Set Default ACL

The second issue is related to umask, the default mask applied when creating files and directories. By default umask is set to the octal value 0022, as demonstrated if you run the following:
$ umask
0022

This mask lists the permission bits that are removed from the octal permission value of every file or directory created by the user. By default, a file is requested with permissions rw-rw-rw-, equivalent to 0666 in octal, and a directory with permissions rwxrwxrwx, equivalent to 0777 in octal. The bits set in umask are then cleared from that default to give the effective permissions with which files and directories are created (this is a bitwise operation, not an arithmetic subtraction, although the two give the same result for the usual values). So for a file, 0666 with 0022 cleared gives 0644, equivalent to rw-r--r--, and for a directory 0777 with 0022 cleared gives 0755, equivalent to rwxr-xr-x. This default is sensible for most situations but needs to be overridden for a team directory. One option is to set the umask to 0002 for every team member and for every service that writes on their behalf (a reader in the comments had to do this for sshd), but that depends on every user's environment being right. The more robust way is to assign specific ACL entries to the team directory. The first thing to do is to install the acl package to obtain the necessary command line tools. Well, in fact, the first thing to do would have been to enable acl on the relevant partition, but we already did that at the very beginning.
$ sudo apt-get install acl

Now that the package is installed, we have access to the setfacl and getfacl commands. The first one sets ACLs, the second one reads them. In this particular case, we need to set default ACLs on the team folder: default ACLs do not apply to the directory itself but are inherited by the files and subdirectories created inside it. The syntax is a bit complicated: the -d option specifies that we want to act on the default ACLs, while the -m option specifies that we want to modify the ACLs and expects an ACL specification to follow. Once a directory has a default ACL, the umask is ignored for anything created in it; instead, the permissions the creating program asks for (0666 for a new file, 0777 for a directory) cap the inherited entries. That is also the catch readers report in the comments: cp does not ask for 0666 but for a mode derived from the source file and the caller's umask, so a 0644 file copied in arrives as 0644 and is not group-writable. Fixing such files afterwards with chmod -R g+rwX, or giving the copying process a 0002 umask, are the practical workarounds.
$ setfacl -d -m u::rwx,g::rwx,o::r-x teamfolder
$ touch teamfolder/test3
$ ls -l teamfolder
-rw-r--r-- 1 teamuser teamuser 5129 2010-03-03 14:34 test1
-rw-r--r-- 1 teamuser teamgroup 5129 2010-03-03 14:35 test2
-rw-rw-r-- 1 teamuser teamgroup 5129 2010-03-03 14:36 test3
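The two rules at work here, the umask rule for an ordinary directory and the "requested mode caps the default ACL" rule for the team folder, as an added example in plain shell arithmetic. This is not code from the original post; the function names are mine, it models only the three base classes (no named users, so no mask entry), and the rule it encodes is the one documented in acl(5) for object creation. It reproduces the test3 listing above and shows why a file copied in with a 0644 mode stays 0644.

```shell
#!/bin/sh
# Added example, not from the original post: a model of how the kernel
# settles a new file's permission bits, in plain shell arithmetic.
# Without a default ACL: the mode the program asks for, with every bit set
# in the umask cleared. With a default ACL on the directory: the umask is
# ignored and the inherited entries are capped by the requested mode
# (acl(5), "Object creation and default ACLs").
# Modes are given in octal without a leading 0; "0$1" makes them octal.

# mode_after_umask MODE UMASK -> e.g. 666 022 -> 644
mode_after_umask() {
    printf '%o\n' "$(( 0$1 & ~0$2 ))"
}

# mode_by_subtraction MODE UMASK: the "subtract the umask" shorthand. It only
# agrees with mode_after_umask when no bit is set in both operands
# (666 and 027 share the write bit, so it gives 637 instead of 640).
mode_by_subtraction() {
    printf '%o\n' "$(( 0$1 - 0$2 ))"
}

# perm_bits PERM -> "rwx" -> 7, "r-x" -> 5, "---" -> 0
perm_bits() {
    local bits=0
    case "$1" in r??) bits=$((bits | 4)) ;; esac
    case "$1" in ?w?) bits=$((bits | 2)) ;; esac
    case "$1" in ??x) bits=$((bits | 1)) ;; esac
    echo "$bits"
}

# mode_after_default_acl ACLSPEC MODE -> mode of a file created with MODE in
# a directory whose default ACL is ACLSPEC, written the way setfacl -d -m
# takes it, e.g. "u::rwx,g::rwx,o::r-x". Only the three base classes are
# modelled (no named users, hence no mask entry); all three must be given.
mode_after_default_acl() {
    local spec="$1" mode=$(( 0$2 )) u= g= o= entry cls perm acl old_ifs
    old_ifs=$IFS; IFS=,
    for entry in $spec; do
        cls=${entry%%:*}; perm=${entry##*:}
        case "$cls" in
            u|user)  u=$(perm_bits "$perm") ;;
            g|group) g=$(perm_bits "$perm") ;;
            o|other) o=$(perm_bits "$perm") ;;
        esac
    done
    IFS=$old_ifs
    [ -n "$u" ] && [ -n "$g" ] && [ -n "$o" ] || return 2
    acl=$(( (u << 6) | (g << 3) | o ))
    # The umask plays no part here: each class is the inherited entry
    # ANDed with the bits the creating program asked for.
    printf '%o\n' "$(( acl & mode ))"
}
```

Calling mode_after_default_acl 'u::rwx,g::rwx,o::r-x' 666 gives 664, the mode touch produced for test3; calling it with 644 in place of 666 gives 644, which is what a cp of a 0644 file ends up with, default ACL or not.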


There we go, it all works as expected: new files created in the team folder are created with the team's group and are group writable. To finish off, let's have a look at how the folder's ACLs are stored:
$ getfacl teamfolder
# file: teamfolder
# owner: teamuser
# group: teamgroup
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x

Granting and Revoking Access

Granting a user write access to the team folder is now extremely easy: you just add that user to the team's group when they join the team:
$ sudo usermod -a -G teamgroup joiner

Where joiner is the login name of the user joining the team. Revoking access is just as easy: remove the user from the team's group, either with gpasswd -d (on Debian and Ubuntu, deluser with the user and group names does the same) or by editing /etc/group, finding the group and removing the user ID from its member list. Two caveats matter when revoking. First, the change only applies to new logins: sessions and processes the user already has keep the old group list until they exit, so terminate them if access must end immediately. Second, files the leaver created remain owned by them, and owner permissions do not depend on group membership, so they can still modify any of their files they can reach; if that is a problem, change the ownership of those files (find -user lists them) to another team member.

Variations
Restrict Delete and Rename to Owner

By default, deleting or renaming a file is governed by the permissions on the directory, not on the file: any user with write access to the directory can delete or rename any file in it, whatever the file's own permissions say. This means that any member of the team can delete or rename any file created by another member. This is generally OK, but if it is not, it can be restricted by setting the sticky bit on the directory, after which only the file's owner (plus the directory's owner and root) can delete or rename it:
$ chmod +t teamfolder
$ ls -l
drwxrwsr-t 2 teamuser teamgroup 4096 2010-03-03 14:32 teamfolder

This feature is used on the /tmp directory to ensure that files created there can only be deleted or renamed by their owners. Note that it only protects the name in the directory: a team member who has write access to a file can still modify or empty it.
Restrict Access for Others

Another variation that may be more useful is to completely deny access to users who are not part of the team. It may be that a particular team is working on something sensitive and you don't want anybody outside the team to see it. To do this, we revoke all permissions for others on the team folder, both the current permissions and the default ACL entry inherited by new files:
$ chmod o-rx teamfolder
$ setfacl -d -m o::--- teamfolder

Files already in the folder keep their own mode, but without execute permission on the directory nobody outside the group can reach them through it. The parent directories must still grant others execute permission, or team members will not be able to reach the folder either.
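The whole procedure from the How To section, the two Variations and the revocation step, as an added example script that is not the post's own. The group and folder names are placeholders; the script assumes GNU find and stat and the Debian/Ubuntu getent and gpasswd tools; "shared.sh" is an assumed file name. setup_shared_folder and revoke_access need root, while verify_shared_folder, unfixed_files, owned_by and fix_existing work as a normal user on files you own and are in the target group for. fix_existing is the recipe a reader gives in the comments for files that predate the setup or were copied in with their old mode.

```shell
#!/bin/sh
# Added example, not the post's own script: the How To procedure, the two
# Variations and the revocation step as reusable shell functions, plus a
# verifier and a fixer for files that predate the setup. Group and folder
# names are placeholders; groupadd, gpasswd, chgrp to a group you are not in
# and setfacl on other people's files all need root.

# setup_shared_folder GROUP DIR [private]
#   create GROUP if missing, DIR with setgid + group write, and a default ACL
#   so new files are group-writable. "private" applies the Restrict Access
#   for Others variation: others get nothing, now and for new files.
setup_shared_folder() {
    local group="$1" dir="$2" others="${3:-}"
    getent group "$group" >/dev/null || groupadd "$group" || return 1
    mkdir -p "$dir" && chgrp "$group" "$dir" || return 1
    if [ "$others" = private ]; then
        chmod 2770 "$dir" && setfacl -d -m u::rwx,g::rwx,o::--- "$dir"
    else
        chmod 2775 "$dir" && setfacl -d -m u::rwx,g::rwx,o::r-x "$dir"
    fi
}

# fix_existing GROUP DIR
#   setgid and default ACLs only shape files created afterwards. Files that
#   were already there, or were copied in with their old mode, get the team
#   group, group rw, execute only where something already had it (X), and
#   setgid on every subdirectory.
fix_existing() {
    local group="$1" dir="$2"
    chgrp -R "$group" "$dir" && chmod -R g+rwX "$dir" || return 1
    find "$dir" -type d -exec chmod g+s '{}' +
}

# verify_shared_folder GROUP DIR
#   0 when DIR is owned by GROUP, has the setgid bit and is group-writable;
#   otherwise prints the first failing check and returns 1.
verify_shared_folder() {
    local group="$1" dir="$2" mode
    [ "$(stat -c '%G' "$dir")" = "$group" ] || { echo "group is not $group"; return 1; }
    mode=$(stat -c '%a' "$dir")
    [ $(( 0$mode & 02000 )) -ne 0 ] || { echo "setgid not set (mode $mode)"; return 1; }
    [ $(( 0$mode & 020 )) -ne 0 ] || { echo "group cannot write (mode $mode)"; return 1; }
}

# unfixed_files DIR -> regular files under DIR that are not group-writable
unfixed_files() {
    find "$1" -type f ! -perm -g=w -print
}

# owned_by USER DIR -> entries under DIR still owned by USER
owned_by() {
    find "$2" -user "$1" -print
}

# revoke_access USER GROUP DIR [NEWOWNER]
#   drop the membership (effective at next login), warn if the user still has
#   processes carrying the old group list, and either hand their files to
#   NEWOWNER or list them so someone can decide.
revoke_access() {
    local user="$1" group="$2" dir="$3" newowner="${4:-}"
    gpasswd -d "$user" "$group" || return 1
    if pgrep -u "$user" >/dev/null 2>&1; then
        echo "warning: $user has live processes; they keep $group until they exit" >&2
    fi
    if [ -n "$newowner" ]; then
        owned_by "$user" "$dir" | while IFS= read -r f; do chown "$newowner" "$f"; done
    else
        owned_by "$user" "$dir"
    fi
}

# Command-line dispatch; with no argument the file only defines the functions.
case "${1:-}" in
    setup)  shift; setup_shared_folder "$@" ;;
    fix)    shift; fix_existing "$@" ;;
    verify) shift; verify_shared_folder "$@" ;;
    revoke) shift; revoke_access "$@" ;;
esac
```

Typical use is sudo sh shared.sh setup teamgroup /srv/teamfolder (add private for the restricted variant), then sh shared.sh verify teamgroup /srv/teamfolder from any account, sh shared.sh fix teamgroup /srv/teamfolder after a bulk copy, and sudo sh shared.sh revoke leaver teamgroup /srv/teamfolder lead when somebody leaves. The verifier deliberately checks mode bits with stat rather than parsing getfacl, so it also tells you when the folder was set up on a file system without ACL support.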

References

- Howto: Linux Add User To Group
- Using ACLs with Fedora Core 2
- setuid (and setgid) on Wikipedia
- Sticky bit on Wikipedia
Posted by Bruno Girin at 14:17

Labels: acl, howto, linux, ubuntu

16 comments:
Rick said...
Very helpful, just what I've been looking for, thanks.
06 June, 2010 23:27

Anonymous said...
I've used this method in the past, but I was curious if you have a solution for when a user creates a new file under the shared directory and their local umask removes the group write permissions. Is there any way to force the group permission to propagate downward?
24 June, 2010 15:16

Anonymous said...
Bruno, I have recently done the exact same thing and when the files are created in the directory, everything works great. However if someone copies a file into the directory, the file still retains its original permissions. I've done this using either 'cp' inside of gnome-terminal and drag-and-drop inside of Nautilus with the same effect. Is there a way to have the copied file inherit the correct ACL?
-Andy
25 October, 2010 14:11

Bruno said...
@Andy: yes, I noticed that too. I haven't found a solution yet. If I do, I'll post it.
25 October, 2010 20:35

David said...
No need to reboot to enable a new option on a mount. After editing fstab, simply run as root:
mount -o remount /mountpoint
25 January, 2011 06:56

Bruno said...
David, does mount -o remount /mountpoint also work on /, /usr or /home? In olden UNIX days, / and /usr couldn't be remounted safely and it was never safe to remount /home when connected as a normal user so I tend to be careful with those.
25 January, 2011 20:34

David said...
I have had no problems running remount on ANY partition; I have remounted / on production servers etc. No issues. mount -o remount is different to umount && mount.
26 January, 2011 23:25

Bruno said...
Thanks David, I'll keep that advice for the future!
28 January, 2011 00:48

nvick said...
My fix for the file copy on permissions was to make sure the sshd umask was set to 002 also.
10 February, 2011 19:25

Anonymous said...
Thank you so much. I have been trying to find out how to do this for ages. I was almost getting to the stage of returning to the dark side to avoid these permissions problems.
02 July, 2011 18:58

Joe said...
Great article, this is possibly one of the best written articles I have read so far on the setgid and ACL. Thank you.
23 September, 2011 00:07

Flittermice said...
Thanks for writing that before I should get the idea to use a spare NTFS partition :-)
For already existing files type
sudo chown -R youruser:yourgroup *
for setting user and group,
chmod -R g+rwX *
for making everything writable and making (only) the directories executable,
find -type d -exec chmod g+s {} \;
for setting the directories setgid.
12 October, 2011 19:39

nicolasroy said...
That's a really great post! Thanks a lot.
21 October, 2011 11:53

Anonymous said...
Does removing a user from the group really have the full desired effect? The files that this user created still belong to him, so he still can modify and erase them, right?
03 November, 2011 18:32

jhaand said...
Thanks, this setup works quite well. Previously I mounted a local directory as a CIFS share. But it creates some troubles at startup. The Samba service must be available during boot. I now use the method mentioned here and also share the directory as a samba share for other computers. The problem that not all permissions and group-ids are inherited when copying more directories remains present. If this aspect produces any problems, I might use the hourly cron job. It will do a recursive chmod and chgrp on the shared folder every hour.
21 July, 2012 17:26

password shared folder said...
Nice post. I have had no problems running remount on ANY partition
12 September, 2012 10:50
