Thursday, 29 April 2010

Shared Folders in Ubuntu with setgid and ACL

Introduction

There is an often requested feature on Linux (or UNIX) to have the ability to create shared directories similar to what is possible in Windows, that is a directory in which every person who has been given access can read, write or modify files. However, because Linux file systems such as ext4 enforce file permissions that are stricter than any of the windows file systems such as FAT or NTFS, creating such a directory is not obvious. Of course, if you put your shared directory on a FAT or NTFS partition, it will automatically behave just like in Windows but that requires a separate partition and doesn't allow you to enforce permissions on a per-group basis. So here's a quick guide on how to do this with Ubuntu. The same principles apply to other Linux distributions so should be portable.

Use Cases

Let's go through a couple of classic use cases first, to identify exactly what we want to do.

Project Folder

In a company or university setting where users are assigned to project teams or departments, it can be useful to create shared folders where all members of the team can drop files that are useful for the whole team. They need to be able to create, update, delete files, all in the same folder. They also need to be able to read, update or delete files created by other members of the team. However, users external to the team should only have read access.

Web Development

For anybody doing web development on Linux, a classic problem is when you have to deal with development or test web servers. The default web server process runs with the www-data user and the document directory is owned by the same user. It would be great if all web developers on the team were able to update the document directory on the server while not requiring root access to do so.

Linux Default Behaviour

Linux has the concept of user groups. You can check what groups your user belongs to by typing the following on the command line:

$ groups
bruno adm dialout cdrom plugdev lpadmin admin sambashare

On a default Linux installation, groups are used to give access to specific features to different users, such as the ability to administer the system or use the CD-ROM drive. But one of the core feature of user groups is to support file permissions. Each file has separate sets of read, write and execute permissions for the user who is the owner of the file, the group that owns the file and others, that is everybody else. Whenever a user attempts to read, write or execute a file, the system will decide whether he can do it based on the following rules:

  • if the user is the owner of the file, user permissions apply,
  • otherwise, if the user is part of the group that owns the file, group permissions apply,
  • otherwise, others permissions apply.

So to configure a shared directory as defined above, we need to:

  • create a user group for the team,
  • assign all team member users to that user group,
  • create a directory and configure it so that all users in the group can:
    • add new files to the directory,
    • modify any existing file in the directory,
  • and of course, all this should work without users having to do anything special.

How To

Enable ACL

The first thing we need to do is to enable ACL support on the partition where we will create the shared directory. ACL extend the basic Linux permission implementation to enable more fine grained control. As this requires the file system to be able to store more permission meta-data against files, it needs to be configured accordingly. We can do this by adding the acl option to the relevant line in /etc/fstab, such as:

UUID=b8c490d0-0547-4e1f-b052-7130bacfd936 /home ext4 defaults,acl 0 2

The partition then needs to be re-mounted. If the partition to re-mount is /, /usr or /home, you will probably need to restart the machine. Otherwise, the following commands should re-mount the partition:

$ sudo umount partition
$ sudo mount partition

where partition is the mount point of the partition as defined in /etc/fstab, such as /var/www.

Create Group

We then need to create the group to which we will give shared access, let's call that group teamgroup:

$ sudo groupadd teamgroup

Try to give the group a meaningful name while keeping it short. If it's meant to be a team group, give it the name of the team, such as marketing. Note the following restrictions on Debian and Ubuntu for group names (taken from the man page):

It is usually recommended to only use groupnames that begin with a lower case letter or an underscore, followed by lower case letters, digits, underscores, or dashes. They can end with a dollar sign. In regular expression terms: [a-z_][a-z0-9_-]*[$]?

On Debian, the only constraints are that groupnames must neither start with a dash (-) nor contain a colon (:) or a whitespace (space: , end of line: \n, tabulation: \t, etc.).

Groupnames may only be up to 32 characters long.

We then need to assign users to that group:

$ sudo usermod -a -G teamgroup teamuser

Where teamuser is the login name of the user to assign to the group. This assignment will take effect next time the user logs in. Make sure that you do not forget the -a option otherwise you will wipe out all existing group assignment for that user, rather than just adding a new one.

Create the Folder

The next step is to create the shared folder. This is easy:

$ cd /path/to/parent
$ mkdir teamfolder

Where /path/to/parent is the path to the parent folder and teamfolder is the name of the folder you want to create. We then assign group ownership of the folder to the group previously created:

$ chgrp teamgroup teamfolder

And give write access to the group on that folder:

$ chmod g+w teamfolder

Let's check what this folder looks like:

$ ls -l
drwxrwxr-x 2 teamuser teamgroup 4096 2010-03-03 14:32 teamfolder

Now, let's try to create a new file in that directory:

$ touch teamfolder/test1
$ ls -l teamfolder
-rw-r--r--  1 teamuser teamuser 5129 2010-03-03 14:34 test1

That looks good and any other user who is part of teamgroup should be able to create files in this directory. However, group members will not be able to update files created by other members of the group for the following reasons:

  • the group that owns the file is the user's primary group, rather than teamgroup,
  • the file's permissions only allow the owner of the file to update it, not the group.
Set the setgid Bit

We'll solve the first problem by setting the setgid bit on the folder. Setting this permission means that all files created in the folder will inherit the group of the folder rather than the primary group of the user who creates the file.

$ chmod g+s teamfolder
$ ls -l
drwxrwsr-x 2 teamuser teamgroup 4096 2010-03-03 14:32 folder

Note the s in the group permissions instead of the x that was there previously. So now let's try to create another test file.

$ touch teamfolder/test2
$ ls -l teamfolder
-rw-r--r--  1 teamuser teamuser  5129 2010-03-03 14:34 test1
-rw-r--r--  1 teamuser teamgroup 5129 2010-03-03 14:35 test2

So now whenever a file is created in the team directory, it inherits the team's group.

Set Default ACL

The second issue is related to umask, the default mask applied when creating files and directories. By default umask is set to the octal value 0022, as demonstrated if you run the following:

$ umask
0022

This is a negative mask that is applied to the octal permission value of every file or directory created by the user. By default, a file is created with permissions rw-rw-rw-, equivalent to 0666 in octal and a directory is created with permissions rwxrwxrwx, equivalent to 0777 in octal. umask is then subtracted from that default to give the effective permission with which files and directories are created. So for a file, 0666-0022 gives 0644, equivalent to rw-r--r-- and for a directory 0777-0022 gives 0755, equivalent to rwxr-xr-x. This default is sensible for most situations but needs to be overriden for a team directory. The way to do this is to assign specific ACL entries to the team directory. The first thing to do is to install the acl package to obtain the necessary command line tools. Well, in fact, the first thing to do would be to enable acl on the relevant partition but we already did that at the very beginning.

$ sudo apt-get install acl

Now that the package is installed, we have access to the setfacl and getfacl commands. The first one sets ACLs, the second one reads them. In this particular case, we need to set default ACLs on the team folder so that those ACLs are applied to files created inside the directory rather than the directory itself. The syntax is a bit complicated: the -d option specifies that we want to impact the default ACLs, while the -m option specifies that we want to modify the ACLs and expects an ACL specification to follow.

$ setfacl -d -m u::rwx,g::rwx,o::r-x teamfolder
$ touch teamfolder/test3
-rw-r--r--  1 teamuser teamuser  5129 2010-03-03 14:34 test1
-rw-r--r--  1 teamuser teamgroup 5129 2010-03-03 14:35 test2
-rw-rw-r--  1 teamuser teamgroup 5129 2010-03-03 14:36 test3

There we go, it all works as expected: new files created in the team folder are created with the team's group and are group writeable. To finish off, let's have a look at how the folder's ACLs are stored:

$ getfacl teamfolder
# file: teamfolder
# owner: teamuser
# group: teamgroup
user::rwx
group::rwx
other::r-x
default:user:rwx
default:group:rwx
default:other:r-x
Granting and Revoking Access

Granting a user write access to the team folder is now extremely easy: you can just add that user from the team's group when he joins the team:

$ sudo usermod -a -G teamgroup joiner

Where joiner is the user ID of the user joining the team. Revoking access is nearly as easy, you just need to remove the user from the team's group. Unfortunately, there is no way to do this in a simple command so you will have to edit the file /etc/group, find the group and remove the user ID from that group.

Variations

Restrict Delete and Rename to Owner

By default, any user who has write access to a file can delete or rename it. This means that any member of the team can delete or rename any file created by another member. This is generally OK but if it is not, it can also be restricted by setting the sticky bit on the directory:

$ chmod +t teamfolder
$ ls -l
drwxrwsr-t 2 teamuser teamgroup 4096 2010-03-03 14:32

This feature is used on the /tmp directory to ensure that all files created in that directory can only be deleted by their owners.

Restrict Access for Others

Another variation that may be more useful is to completely deny access for users that are not part of the team. it may be that a particular team is working on some sensitive stuff and you don't want anybody outside the team to see it. To do this, we just revoke all permissions and ACLs for others on the team folder:

$ chmod o-rx teamfolder
$ setfacl -d -m o::--- teamfolder

References

50 comments:

Unknown said...

Very helpful, just what I've been looking for, thanks.

Anonymous said...

I've used this method in the past, but I was curious if you have a solution for when a user creates a new file under the shared directory and their local umask removes the group write permissions.

Is there anyway to force the group permission to propagate downward?

Anonymous said...

Bruno,
I have recently done the exact same thing and when the files are created in the directory, everything works great.

However if someone copies a file into the directory, the file still retains it's original permissions. I've done this using either 'cp' inside of gnome-terminal and drag-and-drop inside of Nautilus with the same effect.

Is there a way to have the copied file inherit the correct ACL?

-Andy

Unknown said...

@Andy: yes, I noticed that too. I haven't found a solution yet. If I do, I'll post it.

David said...

No need to reboot to enable a new option on a mount.

After editing fstab, simple run as root:

mount -o remount /mountpoint

Unknown said...

David, does mount -o remount /mountpoint also works on /, /usr or /home? In olden UNIX days, / and /usr couldn't be remounted safely and it was never safe to remount /home when connected as a normal user so I tend to be careful with those.

David said...

I have had no problems running remount on ANY partition; I have remounted / on production servers etc. No issues.

mount -o remount is different to umount && mount.

Unknown said...

Thanks David, I'll keep that advice for the future!

nvick said...

My fix for the file copy on permissions was to make sure the sshd umask was set to 002 also.

Anonymous said...

Thank you so much. I have been trying to find out how to do this for ages. I was almost getting to the stage of returning to the dark side to avoid these permissions problems.

Joe said...

Great article, this is possibly one of the best written articles I have read so far on the setgid and ACL. Thank you.

Flittermice said...

Thanks for writing that before I should get the idea to use a spare NTFS partition :-)

for already existing files type
sudo chown -R youruser:yourgroup *
for setting user and group,

chmod -R g+rwX *
for making everything writable and making (only) the directories executable,

find -type d -exec chmod g+s {} \;
for setting the directories setgid.

nicolas roy said...

That's a real great post !
Thanks a lot.

Anonymous said...

Does removing a user from the group really have the full desired effect? The files that this user created still belong him, so he still can modify and erase them, right?

jhaand said...

Thanks this setup works quite well.
Previously I mounted a local directory as CIFS share. But it creates some troubles at startup. The Samba service must be available during boot.

I now use the method mentioned here and also share the directory as samba share for other computers.

The problem that not all permissions and group-id's are inherited when copying more directories remains present. If this aspect produces any problems, I might use the hourly cron job. It will do a recursive chmod and chgrp on the shared folder every hour.

password shared folder said...

Nice post. I have had no problems running remount on ANY partition

AZHAR said...

Thanks for the information.

ServiceNow Training
Snowflake Training
CyberArk Training
MuleSoft Training

kimberlykeller said...

College exams are not hard anymore! Face even the toughest tests and assignments with Test Bank For Exploring Sociology The Concise Edition Plus New Mysoclab With Pearson Etext Access Card Package right away!

linda parker said...

Gain better scores in every assignment and exam with Solution Manual For Accounting 25th Edition . Be on the top of your class.

VelmaShackles said...

Be a successful student and class topper throught TestBanks 21 assistance. Try our Test Bank For Essentials Of Marketing Research Putting Research Into Practice 1st Edition right away!

kimberlykeller said...

Best discounts, updates and coupons available for A History Of Modern Psychology 10th Edition Test Bank on Test Banks 21 with live chat support.

Portia Williams said...

Exams are easier with the TestBank2022 assistance. Find best selling A History Of Western Art 5th Edition Test Bank and solution manuals and be on the top of your class today.

miker.morriss said...

The best method to approach a study session is through the best learning tools available online. TestBank2022 is one of the best online sellers for testbanks and solution manuals like Test Bank For International Financial Management 7th Edition Stay Ahead with our assistance!

Anonymous said...

Readers are always admiring informational blogs, and this is truly one of them. You did a great job. If you want to enhance writing skills, Sourceessay.com based assignment writer is the best solution for you. Essay rewriter Los Angeles

veera04 said...

Thank You for sharing this awesome and unique content.

ServiceNow Training

SrisLawyers said...

Thanks for sharing the article, its gives useful information. Keep sharing more updates.
Virginia Sex Crimes Lawyer
reckless driving virginia
conducción temeraria de virginia

Sruthi Karan said...

Wonderful blog. I happy to read your post and i have bookmarked. Keep doing...
Spousal Support Calculator
Spousal Support Virginia

Emerging India Group said...

Thanks For Sharing This With Us.
Data science training institute

Michael B Packer said...

swoop cancel flight

shazam said...

Great post and very useful too
virginia bankruptcy means test
bankruotcy lawyer near me

shira said...

Global Assignment Help offers customized solutions,plagiarism-free content, the best expert guidance,on-time delivery,24/7 customer service, and affordable pricing. The assignments are well-crafted with accurate information, well-researched, and well-presented. Moreover, the uniqueness and customized standards enhance the quality of the assignments. Hence, by considering the services of the firm, students can improve their academic scores, and open doors to future success.

Becky said...

Thanks for the informative post. For more learning visit: website Learn more about cloud and cloud computing and explore more opportunities to upskill.

Arthur Wilson said...

Global Assignment Help is an organization that helps students across the world by writing assignments on the subjects like engineering, nursing, accounting, finance, law, and delivering them on-time. The professional writers of the firm are experts in their respective fields. They are well-known for delivering high-quality plagiarism-free assignments by providing correct information about the concepts, and recent technological developments. The afterwork services like editing, and proofreading enhances the quality of the assignments. By taking assistance from the organization, students can ensure high academic grades and success in the future. The 24/7 customer service, and affordable price range makes them one of the best assignment help service providers in the world.

theresafking said...

As a French Londoner, I recently had the opportunity to explore Ubuntu's setgid and ACL feature, which has proven to be incredibly useful in creating shared directories with stricter permissions. This feature has not only enhanced the security of our shared files but also streamlined our collaborative efforts.
At Global Assignment Help UK, where teamwork and collaboration are integral parts of our operations, having a secure and efficient system for sharing files is crucial. With Ubuntu's setgid and ACL features, we have been able to create shared directories that allow multiple users to access and modify files while maintaining strict control over permissions.
The setgid feature ensures that any new files or directories created within the shared directory inherit the group ownership of the parent directory. This means that all users within a specific group can access and work on these files without any hassle. Additionally, by implementing Access Control Lists (ACL), we have been able to define more granular permissions for individual users or groups within the shared directory.
This combination of setgid and ACL features has significantly improved our workflow by providing us with a secure environment where we can collaborate effectively while ensuring that sensitive information remains protected. It has eliminated any concerns about unauthorized access or accidental modifications by limiting user privileges based on their specific roles and responsibilities.
In conclusion, Ubuntu's setgid and ACL feature has proven to be an invaluable tool for us at global assignment help UK in creating shared directories with stricter permissions. It has allowed us to enhance collaboration while maintaining robust security measures. We highly recommend exploring these features for anyone seeking a more efficient and secure file-sharing solution.

casinositeone.JDS said...

Your views are in accordance with my own for the most part.

casinosite777top.JDS said...


This is great content for your readers. Feel free to visit my website;

casinositeguidecom.JDS said...


Your work is very good and I appreciate you and hopping for some more informative posts.

safetotositepro.JDS said...


Thank you for sharing great information to us Feel free to visit my website;

morrisoelliott said...

Fast-track your quick uncontested divorce in virginia with our streamlined legal support. Quick, efficient, and hassle-free proceedings for a smoother resolution.

martin03481 said...

This guide provides a comprehensive guide on setting up shared directories with specific access control in Ubuntu using Access Control Lists (ACLs) and group permissions. It covers scenarios like shared project folders and web development environments, ensuring team members have appropriate access without compromising security. The tutorial covers enabling ACL, creating groups, configuring folder permissions, and managing user access effectively. It also discusses setting the setgid bit, enabling files to inherit the group of the folder, and setting default ACLs. The guide emphasizes the importance of maintenance and monitoring, security, logging and auditing, automating user management, and maintaining backups of critical data. It also suggests exploring additional ACL settings for more specific access control. Finally, it emphasizes the importance of testing and documenting the setup process before deploying shared directories in a production environment. Abogado Lesiones Personales Maryland

morrisoelliott said...

Seek top-notch legal defense in DC with our renowned abogado criminal firma dca. Trust us for expert representation and proven results.

samson said...

Thank You For Sharing This Valuable Information, This is very Nice Article. Digital Marketing Agency for Schools

TravelistaDiaries said...

Thanks for information Get cheap flights from mumbai to chennai

sanju said...

This is very Nice Article. Digital Marketing Agency for Pubs

Fashion said...

Thanks for sharing Buy One Gram Gold Bridal Sets jewelry

Global Assignment Expert said...

Thank you for sharing this informative blog post.
Maths homework help is either loved or hated by kids, but one thing many students and parents share is relief when they find help with tough math homework. My Assignment Help offers the homework aid students seek for tricky math questions. Whether its basic algebra, geometry proofs or calculus, their experts explain concepts simply and highlight strategies that ensure assignments are done correctly and on time. No more stressful nights spent trying to figure out quadratic equations or logarithms - My Assignment Help trained tutors can walk students through any math problem step-by-step, getting them back to the fun parts of their day quickly.

rebecca bethany said...

I read this blog post and it was amazing. Thanks to hotmail login for sharing this masterpiece with me and thanks for suthor who write this in very best manner

Fashionjewellery said...

Thanks for posting valuable information One Gram Gold Pendants

Market Xcel said...

I'm constantly searching on the internet for posts that will help me. Too much is clearly to learn about this. I believe you created good quality items in Functions also. Keep working, congrats!
customer satisfaction survey company

Help Single Mother said...

Your post on setting up shared folders in Ubuntu is incredibly useful and well-detailed! For single moms navigating the tech world, resources like single mom grants by Help Single Mother can be a great help in managing their financial needs while exploring new skills. These grants offer support and can make a real difference, enabling single mothers to focus on personal and professional development. Thank you for sharing this valuable information; it’s great to see such practical advice that can benefit so many.