Thursday, 29 April 2010

Shared Folders in Ubuntu with setgid and ACL


It is a frequently requested feature on Linux (or UNIX) to be able to create a shared directory similar to what Windows offers, that is a directory in which every person who has been given access can read, write or modify files. Because Linux file systems such as ext4 enforce ownership and permissions on every file, while a FAT partition has no permissions at all and Linux mounts NTFS by default with a single owner and mode applied to every file, creating such a directory is not obvious. Of course, if you put your shared directory on a FAT or NTFS partition it will automatically behave just like in Windows, but that requires a separate partition and doesn't allow you to enforce permissions on a per-group basis. So here's a quick guide on how to do this with Ubuntu. The same principles apply to other Linux distributions, so this should be portable.

Use Cases

Let's go through a couple of classic use cases first, to identify exactly what we want to do.

Project Folder

In a company or university setting where users are assigned to project teams or departments, it can be useful to create shared folders where all members of the team can drop files that are useful for the whole team. They need to be able to create, update and delete files, all in the same folder. They also need to be able to read, update or delete files created by other members of the team. Users external to the team, however, should only have read access.

Web Development

For anybody doing web development on Linux, a classic problem is dealing with development or test web servers. The web server process runs as the www-data user and the document directory is typically owned by that user or by root. It would be great if all web developers on the team were able to update the document directory on the server without needing root access, and without editing files as www-data: a group-based setup keeps the server process itself on read-only terms with its document root, which is what you want if that process is ever compromised.

Linux Default Behaviour

Linux has the concept of user groups. You can check what groups your user belongs to by typing the following on the command line:

$ groups
bruno adm dialout cdrom plugdev lpadmin admin sambashare

On a default Linux installation, groups are used to give access to specific features to different users, such as the ability to administer the system or use the CD-ROM drive. But one of the core features of user groups is to support file permissions. Each file has separate sets of read, write and execute permissions for the user who owns the file, the group that owns the file, and others, that is everybody else. Whenever a user attempts to read, write or execute a file, the system decides whether the user can do it based on the following rules:

  • if the user is the owner of the file, user permissions apply,
  • otherwise, if the user is a member of the group that owns the file (primary or supplementary), group permissions apply,
  • otherwise, others permissions apply.

Only the first matching set is consulted: an owner whose user permissions are empty is refused even if the group permissions would allow the operation. These rules apply to ordinary users; root bypasses them (on Linux through the CAP_DAC_OVERRIDE capability), so group membership never limits what an administrator can do.
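
The three rules above, written out as a small Python check and replayed against the three test files this guide creates later on (test1 before setgid, test2 after setgid, test3 after the default ACL), as seen by a second member of the team. This is an added example, not code from the original post; the uids (teamuser=1001, colleague=1002) and the gid teamgroup=2001 are assumed for illustration, and ACLs are deliberately left out since they extend this algorithm rather than replace it.

```python
import stat

# Permission bits within one rwx triplet.
R, W, X = 4, 2, 1


def permission_class(uid, groups, st_uid, st_gid):
    """Return which of the three permission sets applies to this user.

    Exactly one class is consulted and the first match wins, so an owner
    whose user bits are 0 is refused even when the group bits would allow it.
    """
    if uid == st_uid:
        return "user"
    if st_gid in groups:
        return "group"
    return "other"


def may_access(uid, groups, st_uid, st_gid, mode, want):
    """Classic Unix permission check (no ACLs) for one uid on one file.

    uid/groups: the caller's uid and the set of all groups it belongs to
    (primary and supplementary); st_uid/st_gid/mode: the file's owner, group
    and st_mode; want: the bits requested, e.g. R | W.
    """
    if uid == 0:
        # root bypasses read/write checks (CAP_DAC_OVERRIDE on Linux); execute
        # on a regular file still needs at least one x bit somewhere.
        if want & X and not stat.S_ISDIR(mode) and not mode & 0o111:
            return False
        return True
    cls = permission_class(uid, groups, st_uid, st_gid)
    shift = {"user": 6, "group": 3, "other": 0}[cls]
    granted = (stat.S_IMODE(mode) >> shift) & 7
    return (want & ~granted) == 0


def team_folder_demo():
    """Replay the guide's test1/test2/test3 files as seen by a colleague.

    Ids are assumed for the example: teamuser=1001 (primary group 1001),
    colleague=1002 (primary group 1002), teamgroup=2001. Returns, per file,
    whether the colleague may read *and* write it.
    """
    teamuser, colleague, teamgroup = 1001, 1002, 2001
    colleague_groups = {1002, teamgroup}
    files = {
        # name: (owner, group, st_mode) as the ls -l output in the guide shows them
        "test1": (teamuser, teamuser, 0o100644),   # before setgid: group is teamuser
        "test2": (teamuser, teamgroup, 0o100644),  # after setgid: group ok, but g=r--
        "test3": (teamuser, teamgroup, 0o100664),  # after default ACL: g=rw-
    }
    return {
        name: may_access(colleague, colleague_groups, owner, group, mode, R | W)
        for name, (owner, group, mode) in files.items()
    }
```

Only test3 comes out writeable for the colleague: test1 falls through to the others permissions because its group is teamuser's primary group, and test2 has the right group but no group write bit. Those are exactly the two problems the setgid bit and the default ACL fix below.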

So to configure a shared directory as defined above, we need to:

  • create a user group for the team,
  • assign all team member users to that user group,
  • create a directory and configure it so that all users in the group can:
    • add new files to the directory,
    • modify any existing file in the directory,
  • and of course, all this should work without users having to do anything special.

How To

Enable ACL

The first thing we need to do is to make sure ACL support is enabled on the partition where we will create the shared directory. ACLs extend the basic Linux permission model to allow finer-grained control. As this requires the file system to store extra permission metadata against files, the mount has to allow it. On Ubuntu releases of the time this meant adding the acl option to the relevant line in /etc/fstab, such as:

UUID=b8c490d0-0547-4e1f-b052-7130bacfd936 /home ext4 defaults,acl 0 2

The partition then needs to be re-mounted with the new option. This can be done in place, without unmounting and without a reboot, even for / or /home:

$ sudo mount -o remount partition

where partition is the mount point of the partition as defined in /etc/fstab, such as /var/www or /home. On current Ubuntu releases this step is usually unnecessary: ext4 file systems are created with acl in their default mount options, which you can confirm with sudo tune2fs -l /dev/sdXN | grep 'Default mount options', or simply by trying setfacl on a test file. If setfacl reports "Operation not supported", the option is missing.

Create Group

We then need to create the group to which we will give shared access, let's call that group teamgroup:

$ sudo groupadd teamgroup

Try to give the group a meaningful name while keeping it short. If it's meant to be a team group, give it the name of the team, such as marketing. Note the following restrictions on Debian and Ubuntu for group names (taken from the man page):

It is usually recommended to only use groupnames that begin with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes. They can end with a dollar sign. In regular expression terms: [a-z_][a-z0-9_-]*[$]?

On Debian, the only constraints are that groupnames must neither start with a dash (-) nor contain a colon (:) or a whitespace (space: , end of line: \n, tabulation: \t, etc.).

Groupnames may only be up to 32 characters long.

We then need to assign users to that group:

$ sudo usermod -a -G teamgroup teamuser

Where teamuser is the login name of the user to assign to the group. This assignment takes effect the next time the user logs in; in an existing session, newgrp teamgroup starts a shell that already has the new group. Make sure that you do not forget the -a option, otherwise you will wipe out all existing group assignments for that user rather than just adding a new one.

Create the Folder

The next step is to create the shared folder. This is easy:

$ cd /path/to/parent
$ mkdir teamfolder

Where /path/to/parent is the path to the parent folder and teamfolder is the name of the folder you want to create. We then assign group ownership of the folder to the group previously created. The owner of a file may only chgrp it to a group they are a member of, so if you are not yourself in teamgroup, run this with sudo:

$ chgrp teamgroup teamfolder

And give write access to the group on that folder:

$ chmod g+w teamfolder

Let's check what this folder looks like:

$ ls -l
drwxrwxr-x 2 teamuser teamgroup 4096 2010-03-03 14:32 teamfolder

Now, let's try to create a new file in that directory:

$ touch teamfolder/test1
$ ls -l teamfolder
-rw-r--r--  1 teamuser teamuser 5129 2010-03-03 14:34 test1

That looks good, and any other user who is part of teamgroup will be able to create files in this directory. However, group members will not be able to update files created by other members of the group, for two reasons:

  • the group that owns the file is the creating user's primary group, rather than teamgroup,
  • the file's permissions only allow the owner of the file to update it, not the group.

Set the setgid Bit

We'll solve the first problem by setting the setgid bit on the folder. Setting this permission means that all files created in the folder will inherit the group of the folder rather than the primary group of the user who creates the file. Sub-directories created inside it also inherit the setgid bit itself, so the behaviour propagates down the tree.

$ chmod g+s teamfolder
$ ls -l
drwxrwsr-x 2 teamuser teamgroup 4096 2010-03-03 14:32 teamfolder

Note the s in the group permissions instead of the x that was there previously. So now let's try to create another test file.

$ touch teamfolder/test2
$ ls -l teamfolder
-rw-r--r--  1 teamuser teamuser  5129 2010-03-03 14:34 test1
-rw-r--r--  1 teamuser teamgroup 5129 2010-03-03 14:35 test2

So now whenever a file is created in the team directory, it inherits the team's group.

Set Default ACL

The second issue is related to umask, the default mask applied when creating files and directories. By default umask is set to the octal value 0022, as you can see by running the following:

$ umask
0022

This is a negative mask: each bit set in the umask is cleared from the permissions requested by the program creating the file. Programs normally request rw-rw-rw- (0666 in octal) for a file and rwxrwxrwx (0777) for a directory. The resulting permissions are the requested mode with the umask bits removed (mode & ~umask), so for a file 0666 with umask 0022 gives 0644, equivalent to rw-r--r--, and for a directory 0777 gives 0755, equivalent to rwxr-xr-x. Note that this is a bitwise operation, not a subtraction: it happens to look like one for 0022, but a umask of 0027 applied to 0666 gives 0640, not 0637. This default is sensible for most situations but needs to be overridden for a team directory. One option is to set umask 002 for every team member (and for any service that writes into the folder, such as sshd or an SFTP server), but that is global and easy to forget. The way to do it for just this directory is to assign default ACL entries to the team directory: when a directory carries a default ACL, the kernel ignores the umask for files created inside it and uses the default ACL entries instead. The tools for this come from the acl package, so install it first (the mount option we enabled at the very beginning is what makes the file system accept the ACLs it sets).

$ sudo apt-get install acl

Now that the package is installed, we have access to the setfacl and getfacl commands. The first one sets ACLs, the second one reads them. In this particular case, we need to set default ACLs on the team folder: default ACLs are not applied to the directory itself but to files and directories created inside it, and sub-directories inherit the default entries as well, so the rule carries down the tree. The syntax is a bit cryptic: the -d option specifies that we want to change the default ACLs, while the -m option specifies that we want to modify the ACLs and expects an ACL specification to follow. The entries u::rwx, g::rwx and o::r-x are the maximum permissions for the owner, the owning group and others; a newly created file receives the mode requested by its creator (0666 for touch) limited to those entries, which is why files come out rw-rw-r-- rather than rwxrwxr-x.

$ setfacl -d -m u::rwx,g::rwx,o::r-x teamfolder
$ touch teamfolder/test3
$ ls -l teamfolder
-rw-r--r--  1 teamuser teamuser  5129 2010-03-03 14:34 test1
-rw-r--r--  1 teamuser teamgroup 5129 2010-03-03 14:35 test2
-rw-rw-r--  1 teamuser teamgroup 5129 2010-03-03 14:36 test3

There we go, it all works as expected: new files created in the team folder are created with the team's group and are group writeable. To finish off, let's have a look at how the folder's ACLs are stored. getfacl lists the directory's own entries first and the inherited ones with a default: prefix:

$ getfacl teamfolder
# file: teamfolder
# owner: teamuser
# group: teamgroup
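
The setgid bit and the default ACL only govern files created inside the folder from now on. Files that were already there, and files copied in with cp (which creates the destination with the source file's mode, so a copied rw-r--r-- file stays group read-only), keep their old group and permissions. The Python script below, an added example that is not part of the original post, audits an existing tree against the rules set up above (correct group, group rw on files, group rwx plus setgid on directories) and can repair it in place, which is the equivalent of chgrp -R, find -type d -exec chmod g+rwxs and find -type f -exec chmod g+rw. The function names, the choice to accept either a group name or a numeric gid, and the decision to only ever add bits (never remove any) are this example's own.

```python
import grp
import os
import stat

# What a team folder must carry, as set up above: every directory needs group
# rwx plus setgid, every regular file needs group rw. Nothing else is touched.
DIR_REQUIRED = stat.S_IRWXG | stat.S_ISGID
FILE_REQUIRED = stat.S_IRGRP | stat.S_IWGRP


def _gid(group):
    """Accept a group name (looked up in /etc/group) or a numeric gid."""
    return group if isinstance(group, int) else grp.getgrnam(group).gr_gid


def _entries(root):
    """Yield root and everything below it; symlinks are yielded but never followed."""
    yield root
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            yield os.path.join(dirpath, name)


def audit_shared_dir(root, group):
    """Return a list of (path, problem) for entries that would break team access."""
    gid = _gid(group)
    problems = []
    for path in _entries(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue  # chmod follows symlinks; judge the target where it lives
        required = DIR_REQUIRED if stat.S_ISDIR(st.st_mode) else FILE_REQUIRED
        if st.st_gid != gid:
            problems.append((path, "group is gid %d, not %s" % (st.st_gid, group)))
        missing = required & ~st.st_mode
        if missing:
            problems.append((path, "mode %04o lacks %04o"
                             % (stat.S_IMODE(st.st_mode), missing)))
    return problems


def fix_shared_dir(root, group):
    """Repair an existing tree in place; returns the number of entries changed.

    Bits are only added, so a sticky bit or tighter 'other' permissions that
    are already set survive. Run it as a member of the group (or as root): a
    non-member cannot chgrp to the group, and the kernel silently drops the
    setgid bit if the caller is not in the directory's group. chown runs
    before chmod because chown itself can clear setgid on regular files.
    """
    gid = _gid(group)
    changed = 0
    for path in _entries(root):
        st = os.lstat(path)
        if stat.S_ISLNK(st.st_mode):
            continue
        required = DIR_REQUIRED if stat.S_ISDIR(st.st_mode) else FILE_REQUIRED
        touched = False
        if st.st_gid != gid:
            os.chown(path, -1, gid)  # -1 leaves the owner as it is
            touched = True
        if required & ~st.st_mode:
            os.chmod(path, stat.S_IMODE(st.st_mode) | required)
            touched = True
        changed += touched
    return changed
```

Run audit_shared_dir("/path/to/parent/teamfolder", "teamgroup") from a cron job to catch files that were copied or moved in with the wrong bits, and fix_shared_dir with the same arguments to repair them; the audit also flags a directory whose setgid bit was lost, which is the usual reason group inheritance stops working in one sub-tree only.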

Granting and Revoking Access

Granting a user write access to the team folder is now extremely easy: you just add that user to the team's group when they join the team:

$ sudo usermod -a -G teamgroup joiner

Where joiner is the login name of the user joining the team. Revoking access is just as easy, you only need to remove the user from the team's group:

$ sudo gpasswd -d leaver teamgroup

On Debian and Ubuntu, sudo deluser leaver teamgroup does the same. Two caveats: the change only applies to new logins, so sessions the leaver already has open keep the group until they end, and files the leaver created in the folder still belong to them, so they can keep modifying those through any other path they have. If that matters, chown them to another member of the team.


Restrict Delete and Rename to Owner

By default, any user who has write access to a directory can delete or rename any file in it, whatever the permissions on the file itself, because deleting and renaming are operations on the directory entry, not on the file. This means that any member of the team can delete or rename any file created by another member. This is generally OK, but if it is not, it can be restricted by setting the sticky bit on the directory, after which only the file's owner, the directory's owner or root may delete or rename a file:

$ chmod +t teamfolder
$ ls -l
drwxrwsr-t 2 teamuser teamgroup 4096 2010-03-03 14:32 teamfolder

This is the same mechanism used on the /tmp directory to ensure that files created there can only be deleted by their owners.

Restrict Access for Others

Another variation that may be more useful is to completely deny access to users who are not part of the team. It may be that a particular team is working on something sensitive and you don't want anybody outside the team to see it. To do this, we revoke all permissions for others on the team folder and make the default ACL do the same for new files. Removing the x bit on the directory is what blocks others, since without it they cannot enter the folder even if the files inside still carry r-- for others:

$ chmod o-rx teamfolder
$ setfacl -d -m o::--- teamfolder



Unknown said...

Very helpful, just what I've been looking for, thanks.

Anonymous said...

I've used this method in the past, but I was curious if you have a solution for when a user creates a new file under the shared directory and their local umask removes the group write permissions.

Is there anyway to force the group permission to propagate downward?

Anonymous said...

I have recently done the exact same thing and when the files are created in the directory, everything works great.

However if someone copies a file into the directory, the file still retains its original permissions. I've done this using either 'cp' inside of gnome-terminal and drag-and-drop inside of Nautilus with the same effect.

Is there a way to have the copied file inherit the correct ACL?


Unknown said...

@Andy: yes, I noticed that too. I haven't found a solution yet. If I do, I'll post it.

David said...

No need to reboot to enable a new option on a mount.

After editing fstab, simple run as root:

mount -o remount /mountpoint

Unknown said...

David, does mount -o remount /mountpoint also work on /, /usr or /home? In olden UNIX days, / and /usr couldn't be remounted safely and it was never safe to remount /home when connected as a normal user so I tend to be careful with those.

David said...

I have had no problems running remount on ANY partition; I have remounted / on production servers etc. No issues.

mount -o remount is different to umount && mount.

Unknown said...

Thanks David, I'll keep that advice for the future!

nvick said...

My fix for the file copy on permissions was to make sure the sshd umask was set to 002 also.

Anonymous said...

Thank you so much. I have been trying to find out how to do this for ages. I was almost getting to the stage of returning to the dark side to avoid these permissions problems.

Joe said...

Great article, this is possibly one of the best written articles I have read so far on the setgid and ACL. Thank you.

Flittermice said...

Thanks for writing that before I should get the idea to use a spare NTFS partition :-)

for already existing files type
sudo chown -R youruser:yourgroup *
for setting user and group,

chmod -R g+rwX *
for making everything writable and making (only) the directories executable,

find -type d -exec chmod g+s {} \;
for setting the directories setgid.

nicolas roy said...

That's a real great post !
Thanks a lot.

Anonymous said...

Does removing a user from the group really have the full desired effect? The files that this user created still belong to him, so he still can modify and erase them, right?

jhaand said...

Thanks this setup works quite well.
Previously I mounted a local directory as CIFS share. But it creates some troubles at startup. The Samba service must be available during boot.

I now use the method mentioned here and also share the directory as samba share for other computers.

The problem that not all permissions and group-id's are inherited when copying more directories remains present. If this aspect produces any problems, I might use the hourly cron job. It will do a recursive chmod and chgrp on the shared folder every hour.

