Getting new files to inherit group permissions on Linux
Solution 1
It sounds like you're describing the setgid bit functionality, where a directory that has it set will force any new files created within it to have their group set to the same group that's set on the parent directory.
Example
$ whoami
saml
$ groups
saml wheel wireshark
setup a directory with perms + ownerships
$ sudo mkdir --mode=u+rwx,g+rs,g-w,o-rwx somedir
$ sudo chown saml.apache somedir
$ ll -d somedir/
drwxr-s---. 2 saml apache 4096 Feb 17 20:10 somedir/
touch a file as saml in this dir
$ whoami
saml
$ touch somedir/afile
$ ll somedir/afile
-rw-rw-r--. 1 saml apache 0 Feb 17 20:11 somedir/afile
This will give you approximately what it sounds like you want. If you truly want exactly what you've described though, I think you'll need to resort to Access Control Lists functionality to get that (ACLs).
ACLs
If you want to get a bit more control over the permissions on the files that get created under the directory, somedir, you can add the following ACL rule to set the default permissions like so.
before
$ ll -d somedir
drwxr-s---. 2 saml apache 4096 Feb 17 20:46 somedir
set permissions
$ sudo setfacl -Rdm g:apache:rx somedir
$ ll -d somedir/
drwxr-s---+ 2 saml apache 4096 Feb 17 20:46 somedir/
Notice the + at the end, that means this directory has ACLs applied to it.
$ getfacl somedir
# file: somedir
# owner: saml
# group: apache
# flags: -s-
user::rwx
group::r-x
other::---
default:user::rwx
default:group::r-x
default:group:apache:r-x
default:mask::r-x
default:other::---
after
$ touch somedir/afile
$ ll somedir/afile
-rw-r-----+ 1 saml apache 0 Feb 17 21:27 somedir/afile
$
$ getfacl somedir/afile
# file: somedir/afile
# owner: saml
# group: apache
user::rw-
group::r-x #effective:r--
group:apache:r-x #effective:r--
mask::r--
other::---
Notice with the default permissions (setfacl -Rdm) set so that the permissions are (r-x) by default (g:apache:rx). This forces any new files to only have their r bit enabled.
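What the setgid half of this answer does on Linux, as an added example that is not part of the original answer; the function name demo_setgid and the scratch directory are constructed for illustration. It shows that the group comes from the directory while the mode bits still come from the creating process's umask, and that a new subdirectory inherits the setgid bit.

```shell
#!/bin/sh
# Added example: runs in a constructed scratch directory, no root needed.
# demo_setgid UMASK  -> prints "<file-mode> <subdir-mode> <same-group yes|no>"
demo_setgid() {
    um=$1
    base=$(mktemp -d) || return 1
    mkdir "$base/shared"
    chmod 2750 "$base/shared"          # drwxr-s---, like somedir in the answer
    (
        umask "$um"
        touch "$base/shared/afile"     # touch requests 0666; the umask trims it
        mkdir "$base/shared/subdir"    # mkdir requests 0777; setgid is inherited
    )
    fmode=$(stat -c %a "$base/shared/afile")
    dmode=$(stat -c %a "$base/shared/subdir")
    # setgid on the directory decides the group of what is created inside it
    if [ "$(stat -c %g "$base/shared/afile")" = "$(stat -c %g "$base/shared")" ]; then
        same=yes
    else
        same=no
    fi
    rm -rf "$base"
    echo "$fmode $dmode $same"
}

demo_setgid 002   # 664 2775 yes  (group-writable file, as in the listing above)
demo_setgid 027   # 640 2750 yes  (same group, tighter mode)
```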
Solution 2
TL;DR: to make new files inherit the group of the container folder do:
$ chmod g+s somefolder
Note: it's implied in the accepted answer, this is just a snippet.
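An added example, not from the original answer: chmod g+s marks only the directory it is run on, so subdirectories that already exist and files moved in later keep their old state. The hypothetical helpers audit_shared_tree, make_sample_tree and count_findings below list those leftovers in a constructed sample tree, then fix the directories only.

```shell
#!/bin/sh
# Added example. audit_shared_tree DIR reports what a plain
# `chmod g+s DIR` leaves behind in a tree that already has content.
audit_shared_tree() {
    root=$1
    gid=$(stat -c %g "$root") || return 2
    # Subdirectories without setgid: files created there get the creator's group.
    find "$root" -type d ! -perm -2000 -exec printf 'no-setgid %s\n' {} \;
    # Entries whose group differs from the top directory (e.g. moved in with mv).
    find "$root" ! -gid "$gid" -exec printf 'wrong-group %s\n' {} \;
}

# Constructed sample tree: "old" exists before g+s is applied, "new" is made after.
make_sample_tree() {
    t=$(mktemp -d) || return 1
    mkdir -p "$t/site/old"
    chmod g+s "$t/site"
    mkdir "$t/site/new"
    touch "$t/site/new/index.html"
    echo "$t"
}

count_findings() {   # number of lines the audit reports for DIR
    audit_shared_tree "$1" | wc -l | tr -d ' '
}

tree=$(make_sample_tree)
audit_shared_tree "$tree/site"          # no-setgid <tmp>/site/old
# Fix directories only: chmod -R g+s would also put setgid on regular files,
# which is not wanted on anything executable.
find "$tree/site" -type d -exec chmod g+s {} +
audit_shared_tree "$tree/site"          # (no output)
rm -rf "$tree"
```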
Solution 3
As a complement to slm's answer, note that, on an ext2/3/4 filesystem, you can replicate the BSD behavior you describe by using the bsdgroups mount option on the partition. From the mount(1) man page:
grpid|bsdgroups and nogrpid|sysvgroups
These options define what group id a newly created file gets.
When grpid is set, it takes the group id of the directory in
which it is created; otherwise (the default) it takes the fsgid
of the current process, unless the directory has the setgid bit
set, in which case it takes the gid from the parent directory,
and also gets the setgid bit set if it is a directory itself.
John Tate
Updated on September 18, 2022
Comments
-
John Tate 3 months
I am having a problem with permissions on a Linux server. I am used to BSD. When a directory is owned by a group that the user who owns it isn't in, such as www-data, files created in it will be owned by that group. This is important because I want files to be readable by the webserver (which I will not run as root) but so a user can still put new files in the directory. I can't put the users in www-data because then they can read every other user's websites.
I want the webserver to read all websites, I want users to be able to change their own.
The permissions are set like this on the folders at the moment....
drwxr-x--- 3 john www-data 4096 Feb 17 21:27 john
It is standard behavior on BSD for permissions to work this way. How do I get Linux to do this?
-
slm almost 9 years
Can you use ACLs?
-
John Tate almost 9 years
That seems to provide the functionality I wanted, thanks.
-
yaobin over 6 years
This seems to solve my similar problem, too. However, I don't quite understand the last sentence: "This forces any new files to only have their r bit enabled." Why is the x permission not enabled? Is there a way to enable it by default?
-
cdarken about 6 years
@yaobin I think it's a security thing, you don't really want to have a file executable by default
-
Chris Morgan over 4 years
setgid means that new files and folders will have the right group, but remember that if you move files into the tree, they won’t have the right owner configured. The ACL approach copes with that (in general).
-
datasn.io almost 4 years
This doesn't work with unzip?
-
slm almost 4 years
@datasn.io - look at the man page of unzip. Specifically the -X switch.
-
Dan M. over 3 years
@ChrisMorgan how does it cope with it? The solutions from the accepted answer didn't do anything for moved files in my case.
-
Chris Morgan over 3 years
@DanM.: with file modes, you set permissions that are not inherited; but with ACLs, you set permissions that are inherited (though the children can specify ACLs of their own that override that), being checked at runtime.
-
Dan M. over 3 years
@ChrisMorgan yes. How do you do that? Solution using ACL from accepted answer doesn't work.
-
RufusVS over 3 years
is that a typo in the chown command in the first example: sudo chown saml.apache somedir or is the period equivalent to : in this case (the man page doesn't say it is)?
-
slm over 3 years
@RufusVS - it's equivalent, you can use either.
-
isapir about 3 years
I had to add -R for the setting to propagate down the directory tree
-
Don't Panic over 1 year
In the first, plain, setgid example, how does somedir/afile end up with group writeable set? setgid should only control group, right, not permissions? Is this just a typo here, or is there a way to make that happen that I am missing?
-
slm over 1 year
@Don'tPanic - def. not a typo. Forgive me but I haven't looked at this A'er in a very long time. I suspect that set of permissions on the touch somedir/afile was set via my system's umask. - liquidweb.com/kb/what-is-umask-and-how-to-use-it-effectively/….. Back in 2014 I'm pretty sure I was rolling w/ a umask 002 on my system.