  1. #1
    Just Joined!
    Join Date
    Mar 2008
    Posts
    9

    File Permissions Trouble

    Greetings all.

    I am relatively new to Linux, but have been working with Fedora 7/8 for the last year or so. I am currently trying to set up a basic file server running x86 64 version of Fedora 8 and have everything installed and operating correctly. However, I am having trouble getting the user permissions to work how I am needing.

    For example, I have four users, Bruce, Leon, Terry, and Kristie. There are also two groups, Art and Accounting. Since the user Bruce would be the "admin" account he belongs to both the Art and Accounting group. Leon and Terry belong only to the Art group and Kristie belongs only to the Accounting group.

    On the server there will be a folder called Shared, and inside this folder are the two real file storage folders called Artwork and Accounting. The owner of both of these folders is Bruce. Of course, the Art group will have read/write/execute permissions only to the Artwork folder, and the Accounting group will have read/write/execute permissions only to the Accounting folder.

    Now here is where the trouble begins. If you were to log in as Terry (of the Art group) and create a new file inside the Artwork folder, but then try and log in as Leon (of the Art group) and try and edit the files created by Terry, then Leon does not have permissions to modify or remove any files created by Terry (or any other user.) This is the biggest problem, as our file server will require that all the artwork people will be able to create, edit, and delete each other's files as needed. I've been searching around all weekend for a solution to this. It will not be possible to go in and edit the sharing permissions of every single file and folder created, as it would keep a person busy all day just going and editing share permissions!

    In a way, what I am trying to find out is if there is a way to set it so all members of the same group can have all read/write/execute permissions for each other's files. Almost like setting the saving standards so that if Terry saves a file, its owner is actually the group Art instead of the individual user, so all users of that group can edit and modify it as needed.

    I'm really quite lost, and any help would be incredibly appreciated! Thank you so very much for your time and help!

  2. #2
    Just Joined!
    Join Date
    Mar 2008
    Posts
    5

    RE: File Permissions Trouble

    Choucove,

    Each system user (like Leon or Terry) has a default group. Generally, when you create a user, a new group is created with the same name as the user, and that group is set as the default group for the new user.

    [root@eagle ~]# useradd leon
    [root@eagle ~]# grep leon /etc/group
    leon:x:503:
    [root@eagle ~]# grep leon /etc/passwd
    leon:x:503:503::/home/leon:/bin/bash
    [root@eagle ~]# su - leon
    [leon@eagle ~]$ id
    uid=503(leon) gid=503(leon) groups=503(leon)

    Any file they create will have a default, initial group ownership of their default group. So if you created Leon with the standard "useradd" command, and didn't specifically set his default group to "Art" or something else, he probably has a default group of "leon". Any file leon creates is owned by leon:leon.

    [root@eagle ~]# su - leon
    [leon@eagle ~]$ touch moo
    [leon@eagle ~]$ ls -l moo
    -rw-rw-r-- 1 leon leon 0 Mar 3 11:30 moo

    So first of all, make sure leon and terry's default groups are set to "art". You can do this by editing the /etc/passwd file with the "vipw" command. (Be careful!)

    (after using groupadd and vipw):
    [root@eagle ~]# grep art /etc/group
    art:x:504:
    [root@eagle ~]# grep leon /etc/passwd
    leon:x:503:504::/home/leon:/bin/bash
    [root@eagle ~]# su - leon
    [leon@eagle ~]$ id
    uid=503(leon) gid=504(art) groups=504(art)
    [leon@eagle ~]$ touch zoo
    [leon@eagle ~]$ ls -l zoo
    -rw-rw-r-- 1 leon art 0 Mar 3 11:26 zoo

    SECONDLY, there is also a concept in Unix called the "umask". The umask is a user-specific set of permission values that are SUBTRACTED from the system-wide default file creation permissions and applied to a file when it is created. The system default permissions for a text file are 666. Observe:

    [leon@eagle ~]$ umask
    0002
    [leon@eagle ~]$ touch foo
    [leon@eagle ~]$ ls -l foo
    -rw-rw-r-- 1 leon art 0 Mar 3 11:27 foo

    You see, 0002 is subtracted from 0666 and you get 0664 as the file's default, initial permissions. A user can set their own umask by the umask command. It may also be set in their .bashrc or .bash_profile.

    [leon@eagle ~]$ umask 0066
    [leon@eagle ~]$ umask
    0066
    [leon@eagle ~]$ touch boo
    [leon@eagle ~]$ ls -l boo
    -rw------- 1 leon art 0 Mar 3 11:28 boo

    By changing my umask, I can create files that are by default not visible to my group!

    Check your users' default groups and umasks.


    -- Aaron
    Last edited by acutchin; 03-03-2008 at 06:39 PM. Reason: minor rearrangement...
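
The umask behaviour described in this post, as an added example that is not part of the original thread: the kernel clears the umask bits from the requested mode (0666 for a file created by shell redirection), which gives the same result as subtraction for the values shown above. The function names are hypothetical and GNU `stat` is assumed.

```shell
#!/bin/sh
# Added example: compare the mode a new file really gets with
# "0666 AND NOT umask" computed in shell arithmetic.

# new_file_mode UMASK -> octal mode of a file created under that umask
new_file_mode() {
    (
        dir=$(mktemp -d) || exit 1
        umask "$1"
        : > "$dir/f"              # redirection asks the kernel for mode 0666
        stat -c '%a' "$dir/f"     # GNU stat: print permission bits in octal
        rm -rf "$dir"
    )
}

# expected_mode UMASK -> 0666 with the umask bits cleared
expected_mode() {
    # The leading 0 makes the shell read the argument as octal.
    printf '%o\n' $(( 0666 & ~0$1 & 0777 ))
}

# 0002, 0022 and 0066 are the values from the thread; 0033 is a constructed
# value where bit clearing (644) and plain subtraction (633) disagree.
for m in 0002 0022 0066 0033; do
    printf 'umask %s -> created %s, computed %s\n' \
        "$m" "$(new_file_mode "$m")" "$(expected_mode "$m")"
done
```

A umask of 0022, the value the original poster sees on login, yields 644: the owner can write, the group can only read.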

  3. #3
    Just Joined!
    Join Date
    Mar 2008
    Posts
    9
    Thanks for your fast reply!

    When I set up the users this time, I used the GUI interface in Fedora, and specifically set that an individual group would not be created for each user, except Bruce, which would be used as a sort of "admin" group perhaps. Instead, each individual user account was created, and then the two groups were created and users added to those groups.

    One of the first things I read up to use was the setgid or SGID to set the group accesses on all files in the folder automatically, but it ended up that this was not doing the job I needed, as still each new file created had the ownership of that individual user and could not be written to by other users of the same group.

    Next I tried a little with the umask function but I just could not find enough resources on how to set it up properly.

    When I typed the command umask just to view the default umask level I receive 0022. I actually want to set this to 002 I believe. So I type in umask 002. However, any time you log out or log back in as any user it removes this setting and it goes back to 0022. So I tried to follow directions from somewhere that stated you had to put it into your /etc/profile file adding the umask 0002 command at the bottom. I did so, but still it did nothing. I also read other places that you instead need to edit the .backrc file, or the samba.conf file, or etc. etc. the list goes on.

    I guess where I am confused is exactly where do I need to put the umask 0002 default setting so it loads automatically each and every time you log in as any user. And just wanting to be sure that I have the right umask value so that members of the same group have all read/write/execute permissions for all files anyone in that group creates by default, but others of the group have no access.

    Again thank you so much for your help and fast response!

  4. #4
    Just Joined!
    Join Date
    Mar 2008
    Posts
    5

    File Permissions and umask

    umask 022 would make a user's files group-un-writable.

    My CentOS system, which is Red Hat-based like Fedora, sets the umask for users with UID<100 to 022, and 002 for UID>100. This is apparently for security reasons. UIDs under 100 are typically used by daemons (like apache or named or mysql). You don't want a daemon or the root user creating a file that would be group-readable by default.

    Do this:

    [root@yourserver] cd /etc
    [root@yourserver] grep umask *

    See where the umask is set, probably /etc/bashrc or /etc/bash_profile or some file like that. Post it back here and we'll look at it.

    -- Aaron

  5. #5
    Just Joined!
    Join Date
    Mar 2008
    Posts
    9
    When I type the commands you gave, the following is what I receive:

    [root@localhost Bruce]# cd /etc
    [root@localhost etc]# grep umask *
    bashrc: umask 002
    bashrc: umask 022
    csh.cshrc: umask 002
    csh.cshrc: umask 022
    fstab~:/dev/Shared_Files/Shared_Files /Shared ext3 defaults umask=0002 0 0
    php.ini:; does not overwrite the process's umask.
    profile:umask 0002
    [root@localhost etc]# umask
    0022
    [root@localhost etc]#

    Bashrc is already one place I tried to set the umask, as another source told me to set it there. Still, no good. The fstab was another place someone said I could set a default umask for a certain drive. I did this with my laptop running Fedora 8 and Vista so I could mount my NTFS Vista partition in Linux automatically. However, in my case on the server this doesn't do what I need. And finally, in the /etc/profile file is the last location I was also told by another source that you need to set the umask. Still, no good.

    I have attached my bashrc and profile files with this post in hopes you might be able to get a better picture!

    Also just a note, all the user IDs begin at 500, 501, 502, etc. The User ID part of the /etc/passwd file is also included to show you these.

  6. #6
    Just Joined!
    Join Date
    Mar 2008
    Posts
    5

    File Permissions and umask

    Look at this part of your /etc/bashrc file:

    # By default, we want this to get set.
    # Even for non-interactive, non-login shells.
    if [ $UID -gt 99 ] && [ "`id -gn`" = "`id -un`" ]; then
        umask 002
    else
        umask 022
    fi

    This essentially says "if the user's ID is over 99 (i.e., not a system/daemon user) AND the user's default group is the same as the username, (i.e., their personal group) then the user can have the more permissive umask of 002." This allows the user to create files that by default are group-readable. It is understandable, because if the user's group is his/her personal group, it isn't likely anyone else will be a member of that group and read a file they shouldn't.

    OTHERWISE, give everyone else the umask 022. This is a more restrictive umask, because it takes away group read permissions from any file by default, and is most likely why your users, whose default group is "art", can't read each others' files.

    Are your users actually logging into the Linux system, or are they using Samba or FTP or some other method to upload/download/create files?

  7. #7
    Just Joined!
    Join Date
    Mar 2008
    Posts
    9
    Files will be shared through Samba to their individual Windows XP workstations. I haven't even gone in to set up Samba yet because I was wanting to first try and get the user permission settings correct before tackling another part.

    You mentioned that:
    "OTHERWISE, give everyone else the umask 022. This is a more restrictive umask, because it takes away group read permissions from any file by default, and is most likely why your users, whose default group is "art", can't read each others' files."
    The problem I have been seeing is that users of the same group cannot write to each other's files. Currently they can open and read files fine from other users of the same group, but cannot write to them or modify them as needed. Is this instead what you meant?

    How can I modify the given lines from the bashrc file correctly? In the line "if [ $UID -gt 99 ] && [ "`id -gn`" = "`id -un`" ]; then ..." should I simply remove the && group id = user id condition?

  8. #8
    Just Joined!
    Join Date
    Mar 2008
    Posts
    5

    RE: Permissions and umask

    If you have two users in group "art", and the file's group ownership is "art", and the file has group read and write permissions, then you should be able to write to that file as either user. Is this not the case?

    If not, please explain how you are testing the file writes. Are you logging in as the user? Can you log in as the user, ls -l the file in question, and try to append to it? Like this:

    su - user
    id
    ls -l /absolute/path/to/file
    echo "another line" >> /absolute/path/to/file

    Do this as each user, on the same file, paste the command lines and output here.
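
The conditions named in this post (group ownership and group write permission), together with the setgid directory bit mentioned in post #3, can be checked across a whole shared folder instead of one file at a time. This is an added example, not part of the thread; the function names and the temporary directory tree are constructed for illustration, and GNU `find` and `stat` are assumed.

```shell
#!/bin/sh
# Added example: audit a shared directory for entries that other members
# of the owning group could not modify.

# make_demo_tree -> creates a constructed shared directory, prints its path
make_demo_tree() {
    d=$(mktemp -d) || return 1
    chmod 2775 "$d"                        # rwxrwsr-x: group-writable, setgid
    ( umask 022; : > "$d/from_022.txt" )   # created under the restrictive umask
    ( umask 002; : > "$d/from_002.txt"; mkdir "$d/sub" )
    printf '%s\n' "$d"
}

# audit_shared DIR -> one path per line for every problem found
audit_shared() {
    gid=$(stat -c '%g' "$1")                 # group that should own everything
    find "$1" ! -group "$gid" -print         # owned by a different group
    find "$1" ! -perm -020 -print            # group write bit missing
    find "$1" -type d ! -perm -2000 -print   # directory without setgid, so
                                             # new files keep the creator's group
}

t=$(make_demo_tree)
echo "Entries that group members cannot modify:"
audit_shared "$t"
rm -rf "$t"
```

On the constructed tree only `from_022.txt` is reported: the setgid directory gives every new entry the directory's group, but a file created under umask 022 still lacks the group write bit.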

  9. #9
    Just Joined!
    Join Date
    Mar 2008
    Posts
    9
    I was actually able to find my problem just last night and resolve it! Given that it was really such a simple solution it's quite frustrating that I don't come about finding or resolving it for some time unfortunately.

    While all user umasks could be set by default in the bashrc file, I didn't want to manually change the umask for the actual Linux box really. I wanted it changed for how they are creating and saving things from Windows to Linux. Looking into this more I found that you can add the "create mask =" and "directory mask =" commands to the smb.conf file to do exactly this task.

    After running in circles for a couple days because of having the wrong equipment (a simple desktop switch won't let you network if your ISP assigns your XP computer and your Linux server IP addresses from two different sub-nets!), got a new router, and presto it's all working now!

    Thank you very much again for all your help! I may still look into changing the default umask in Linux, just in case, but I am doubting any of them will even want to touch the thing!
