
file permissions

Setting up a groups directory with multiple levels of group editing privileges
This is useful if you have a group of people who should be able to edit files in their own directory but not in other groups' directories, while a second group should be able to edit or create any files in that same directory. A practical scenario would be a publishing project with junior and senior editors: you want the senior editors to revise documents created by the junior editors, but you don't want the junior editors to be able to edit the senior editors' material. In addition, you would have a directory that all users can read and write, as a common sharing point.

Example: I will use 3 groups: "junior", "senior" and "allusers". I will create users for each group, such as "junior1", "junior2" and so on as needed. I will also use a common directory for all groups called "groups". This directory will contain the group directories "junior", "senior", "shared" and "editorials".
"junior" and "senior" are not shared between other groups. Only members of the respective group can change files in these directories.
"shared" directory will allow any group to change or create files for a common sharing point for all groups.
"editorials" directory will allow the "junior" group to create files while giving the "senior" group read and write privileges for administrative purposes. Note: This directory will show all files inside as being owned by the group "junior" regardless of whether the "senior" or "junior" group has created / modified a file.

So here's what you need to do:

Create the groups:
# groupadd junior
# groupadd senior
# groupadd allusers
Syntax of command: groupadd groupname

Create the users for your groups:
# adduser -g junior -G allusers junior1
# adduser -g junior -G allusers junior2
# adduser -g senior -G allusers,junior senior1
and so on. Multiple secondary groups are separated by commas with no spaces.
Syntax of command: adduser -g [primarygroup] -G [secondarygroup if needed] username
Note: creating all users with -g groupname allows users of the same group to share files in that group's common folder. Adding secondary groups with -G groupname allows users to share with groups other than their primary group.

Give your users passwords:
# passwd junior1
Press enter on your keyboard, you will be prompted to type a new password for "junior1" and then confirm by typing the password a second time. Repeat this process for all users that you have created.
Note: You may be warned that a password is too short or matches a dictionary word. Being that you are logged in as root, it will let you do whatever you want anyhow. If you are using this for a real project, please use strong passwords for your own good.

Create the directories for your groups to work in:
# mkdir /groups
# cd /groups
# mkdir junior senior shared editorials
Note: you can make multiple directories in one command by putting a space between each name.

Modify the directories' permissions to match the example's criteria:
# cd /groups
# chmod -R 770 *
The above gives the owner and group read, write and execute (needed to enter a directory) permission on all directories, and no access for others.
# chgrp -R junior junior
# chgrp -R senior senior
# chgrp -R allusers shared
# chgrp -R junior editorials
The above changes each directory's group ownership to match the group in question.
Syntax of command: chgrp -R(recursive) [groupname] [directory or filename]
# chmod -R g+s editorials
# chmod -R g+s shared
Note: The chmod -R g+s command is used to make any file created in the editorials directory take on the group that owns the directory. As the senior group's users have a secondary group of "junior", this allows the "senior" group to edit files in this directory while maintaining "junior" group ownership, so that "junior" group members are not locked out of their own files after a "senior" group editor changes them.

Files that you have modified other than the group folders: /etc/group, /etc/passwd, /etc/shadow. I recommend looking at these files to see how adding users and groups changes them.
# less /etc/group
will show the contents of /etc/group.

Now see how it works: try logging in as a junior group member. You can enter and change files in junior and shared, but are denied access to senior. Log in as a senior group member and you can change files in senior, junior, and shared. When you create a file in junior it retains the group ownership of junior.

Reference material: man pages for chmod, adduser, passwd, chgrp, mkdir, cd
File permissions made easy      File Permissions NHF