Give write access to a file or folder to a user whos not the owner

[Being]

There are a bunch of files in a folder, the owner is a specific user (let's call him user "A") who wants to retain ownership and ability to edit the files.

There's another user ("B"), who needs to edit (write and save changes) to these files.

There are 5 files in this folder.

I am a newbie, as you can tell by now

What's the best way to give this user B write access to each file or to this whole directory without changing the files owner ? do I give rights to the folder and it enforces the change on all the folder's contents? do i assing the user a group and give the group rights? and "how" do i do this?

thank you!

[Irithori]

As you already said, you add users to a group.
Then change the group and group permissions of the files and potetially the parent directory.

Commands to do so are:
usermod, chgrp and chmod

[Being]

for the group name, i can come up with any name i like, right?

[Irithori]

Yes, if the group exists already or if you create it via groupadd.
Keep the name simple.

[Being]

do you think the folder and/or files already belong to some group?

[Irithori]

For sure.
Check with ls -la for files and ls -lad for directories.

[Being]

For sure.
Check with ls -la for files and ls -lad for directories.

with ls -la I see the result set
here's one of the files

-rwxr--r-- 1 krusk www 18011 2012-12-20 08:27 forms.html

krusk is the owner. Is www the group this file belongs to?

How many groups can a file belong to?
How do i see this (file <-> group) association ?

[Being]

i wont want to give the www group write access to this file. So, can i add the file to another group? is it already in another group (of people who can write to it) ?

[yancek]

Is www the group this file belongs to?

Yes. I believe www is the default group for apache on Suse/Opensuse. Is that where the file is, /srv/www/...? I don't see how a file could have more than one group but I may be wrong? Users can belong to numerous groups. Finding associations to users/groups can be found using YaST, under Users and Groups. The output you show for the file 'forms.html' shows the user 'krusk' as the only one with write permissions, plus root of course. I'm not sure what your intentions are here and I don't know of any way you can do what I think you want to do. Maybe someone else will come along who knows a way??

[Irithori]

Well, the problem here is that there is a need for two groups.
- One with read only, which is a smart idea for webserver access.
- One for users with write access.

Btw, it is no option to define the webserver user as owner and with readonly access,
because the owner is able to change permissions.

A common way to solve this scenario (to realize e.g. ftp access for a website) is the use of virtual users.
There are ftp users in an extra file or database, the ftp server authenticates them, but maps the actual file access to a native unix user.
Which then is the owner of the files.


But if you insist, there is another way to approach this via ACLs.
ACLs allow a directory or file to have more than the traditional user/group/other permissions assigned.

Try the following.
You need root to execute the commands.
In the end, user_b will have read/write access to the testfile.
You can test that by becoming user_b via "su - user_b" and editing the testfile.

Code:

groupadd webserver
groupadd editors
useradd -g webserver webserver
useradd -g editors user_b
useradd owner

mkdir -m 750 /tmp/d
touch /tmp/d/testfile
chown -R owner:webserver /tmp/d
chmod 640 /tmp/d/testfile

setfacl -m g:editors:rwx /tmp/d
setfacl -m g:editors:rw,m:rw /tmp/d/testfile

ls -lad /tmp/d
drwxrwx---+ 2 owner webserver 4096 Jan 21 23:24 /tmp/d

ls -la /tmp/d/
-rw-r-----+  1 owner webserver    9 Jan 21 23:24 testfile

getfacl /tmp/d
# file: tmp/d
# owner: owner
# group: webserver
user::rwx
group::r-x
group:editors:rwx
mask::rwx
other::---

getfacl /tmp/d/testfile
# file: tmp/d/testfile
# owner: owner
# group: webserver
user::rw-
group::r--
group:editors:rw-
mask::rw-
other::---

P.S.:
- Note the + at the end of the permissions section of the ls command. It indicates the use of ACLs
- CleanUp of that testdirectory as well as the created users and groups is left as an exercise to the reader