Suppose your team is working on a project in "/home/share" and your team members need to create documents and programs in /home/share so that others in the team can edit and execute these documents as needed. Also only the members belonging to the team are to have access to the /home/share folder. This can be achieved easily in Linux by a combination of SGIDs and permissions.
But what is an SGID? SGID is the short form of Set Group ID. It is a sticky bit which is usually applied to directories. When you apply an SGID to a directory, any file created in that directory will have the group ownership of the directory itself.
First we create the directory which we want to share with the project team members.
# mkdir /home/share
Now create a group called 'share' using the groupadd command.
# /usr/bin/groupadd share
Change the group ownership of the /home/share folder.
# chown -R root.share /home/share
Set the permissions of the share folder to full permissions for the owning user and the group, and none for others. Note: if you want users not belonging to the group to view the contents of the share folder, you have to give the necessary permissions to others, i.e. 775.
# chmod 770 /home/share
Set the Group ID bit for the /home/share folder so that any file or directory created in this folder will have the same group ownership.
# chmod g+s /home/share
$ ls -ld /home/share
drwxrws--- 2 root share 4096 May 22 06:06 share
Note the sgid bit 's' in the listing of the share folder above. Now only those users belonging to the 'share' group will have access to the /home/share folder and any file or directory created by any of the users in the /home/share folder will be owned by the 'share' group.
Lastly, start adding the team members of the project to the 'share' group.
# /usr/bin/gpasswd -a user1 share
# /usr/bin/gpasswd -a user2 share
# /usr/bin/gpasswd -a user3 share
Above I have added 3 users - user1, user2, user3 - to the share group. Now if you want to add another user (say the team leader) to the share group and give him special privileges for managing the users in the share group, this is achieved by using the -A switch.
# /usr/bin/gpasswd -A user4 share
Now check the /etc/group file to see the share group and the members belonging to it.
$ cat /etc/group | grep share
...
share:x:502:user1,user2,user3,user4
...
The users will need to log in again before the new group membership takes effect. As 'root' you can test their account with su; the '-' is needed to pick up their login environment.
$ su - username
$ su - user1
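The setup above, as an added example that is not part of the original post (function names are hypothetical). It runs without root by building the shared directory under a temp path and handing it to a group the caller already belongs to, and it goes one step beyond the post: it shows that SGID inherits the group regardless of umask, but the file is only group-writable (so teammates can actually edit it) when the creator's umask is 002 rather than the common default 022.

```shell
#!/bin/sh
# Added example, not the post's own commands. Function names are hypothetical.
# Runs unprivileged: the shared directory lives under a temp path and is
# handed to a group the caller already belongs to.

# Pick a group the current user belongs to other than the primary group, so
# group inheritance is visible; fall back to the primary group.
pick_demo_group() {
    primary=$(id -gn)
    for g in $(id -Gn); do
        [ "$g" != "$primary" ] && { echo "$g"; return 0; }
    done
    echo "$primary"
}

# Group-owned directory, rwx for owner and group, nothing for others, SGID set.
# Mode 2770 is the post's 'chmod 770' plus 'chmod g+s' in one step.
setup_shared_dir() {
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2770 "$1"
}

# Group owner of a path (column 4 of 'ls -ld', portable across GNU/BSD).
group_of() { ls -ld "$1" | awk '{print $4}'; }

# True when the listing shows the 's' the post points out (7th mode character).
has_sgid() { [ "$(ls -ld "$1" | cut -c7)" = "s" ]; }

# True when the group write bit is set (6th mode character).
group_writable() { [ "$(ls -ld "$1" | cut -c6)" = "w" ]; }

# Create an empty file under the given umask and print its group owner.
# SGID makes the group match the directory whatever the umask, but only
# umask 002 (not the default 022) leaves the file group-writable.
create_file() {
    ( umask "$2"; : > "$1/$3" ) && group_of "$1/$3"
}
```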
Wow, I always knew there was a way to do this! Goodbye hourly chmod 777 cron jobs!
Great post, I've been looking up how to do this properly for a while.
Sorry, but what does "root.share" in
# chown -R root.share /home/share
mean? I know "root:share", but I have never seen "root.share".
The 'chown' command (change ownership of a file or directory) works on the user, group and other categories of system user:
user: the owner
group: the group members given access.
chown user:group will act on the user and the group ownership in the same command rather than in two separate commands.