[CentOS] Basic Permissions Questions

Wed Jan 26 11:57:12 UTC 2011
Les Bell <lesbell at lesbell.com.au>

Edo <ml2edwin at gmail.com> wrote:

>>
      If user1 writes a file in folder1 will user2 be made the default
      group
      owner, is there a way of enforcing this and with the required
      privileges (r for files, rx for directories?).

Yes. If user1 belongs to the user2 group, that’s how it should [already]
work.
<<

The problem here is the RH "User Private Group" scheme, which means that
user1 is only a member of the group user1 and user2 is only a member of the
group user2. So their group memberships, by default, don't intersect and
user2's only access to user1's files is by virtue of the "other/world"
permissions, which depend upon the umask (but don't give access, by
default).

I've written this up (again, for a course I wrote some years ago, but it's
still mostly relevant) at
http://www.lesbell.com.au/Home.nsf/web/Controlling+Access+to+Files?OpenDocument
 - see the section near the bottom entitled "Red Hat's User Private Group
Philosophy" which explains how it should be
used (the secret is to make the user administrator of their own group with
gpasswd -A). The RH approach, imho, is better than a global group, "users",
as found on other distros, because there's no real difference between
"users" and "world".

One easy way to allow shared access - and this will work over Samba - is to
create a group for the users, e.g. "accounts" and make the various users
members of that group (as a secondary group). Then create a shared
directory for them, chown it to be owned by the group (e.g. chown
me:accounts /home/accounts) and then set the SGID bit on the directory
(chmod 2777 /home/accounts). Now, whenever anybody creates a file in that
directory, it will be owned by that user and the shared group "accounts",
rather than the primary group of the creator. See the section in that
article on "Permissions on directories".

I actually haven't tested that approach with SELinux, but I can't see that
it would interfere.

Best,

--- Les Bell
[http://www.lesbell.com.au]
Tel: +61 2 9451 1144
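The shared-directory recipe from the reply above (group-owned directory with the SGID bit so new files inherit the group), written up as a small shell demonstration. This is an added example, not code from the original post. It assumes a POSIX sh with GNU coreutils (`stat -c`, `chgrp`, `mkdir`); the group "accounts" and path /home/accounts from the post are replaced by a temporary directory and the caller's own primary group so the demo runs without root, and it uses mode 2770 rather than the 2777 in the post so that "other/world" gets no access.

```shell
#!/bin/sh
# Added example, not from the original post: a setgid ("SGID") shared directory.
# Assumes POSIX sh + GNU coreutils. Group and path are caller-supplied; in the
# usage below they are the caller's primary group and a mktemp directory.

# Create the shared directory owned by $2 with mode 2770:
#   2 = setgid bit, 7 = rwx owner, 7 = rwx group, 0 = nothing for others.
setup_shared_dir() {
    dir="$1"
    grp="$2"
    mkdir -p "$dir"
    chgrp "$grp" "$dir"
    chmod 2770 "$dir"
}

# Succeed (exit 0) only if the path carries the setgid bit.
has_setgid() {
    [ -g "$1" ]
}

# Print the numeric group id owning a path.
group_of() {
    stat -c %g "$1"
}

# Create an empty file inside the shared directory and print its group id.
# On a setgid directory this is the directory's group, not the creator's
# primary group (the User Private Group the reply describes).
create_file_show_group() {
    f="$1/$2"
    : > "$f"
    group_of "$f"
}

# Create a subdirectory and report whether it inherited the setgid bit
# (on Linux new subdirectories of a setgid directory are setgid too, so the
# sharing keeps working one level down).
create_subdir_inherits_setgid() {
    mkdir "$1/$2"
    has_setgid "$1/$2"
}

# Stand-alone usage (constructed, non-root): temp dir + caller's primary group.
demo() {
    d=$(mktemp -d)
    g=$(id -g)
    setup_shared_dir "$d" "$g"
    echo "dir group: $(group_of "$d")  file group: $(create_file_show_group "$d" report.txt)"
    create_subdir_inherits_setgid "$d" sub && echo "subdir inherited setgid"
    rm -rf "$d"
}
```

Run `demo` (or source the file and call the functions) to see that the file created inside the directory carries the directory's group rather than the creator's primary group, which is exactly the property that lets a second user in the group read what the first one wrote.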