6

I've read a lot of solutions for something like this, but nothing seems to work quite right for me. I have a shared development box used for a few projects that require such a thing and I'd like to configure it so that files created by users in the /opt/dev directory:

  • Are owned by <username>:developers
  • Have permissions set to 774 (files)
  • Have permissions set to 775 (directories)

All developer users have their primary group set to developers so the first requirement has been pretty solid. What's a lot less solid is the actual permissions. They just aren't being set consistently the way we need them to get set and I haven't found the right solution.

I do have the sticky bit set (g+s) based on something else I read at some point, but that wouldn't seem to be particularly useful since all users are in the same primary group.

I also have the default umask set to 002 in /etc/login.defs. I thought that would kind of cover it, but that doesn't seem to be the case.

I'd really appreciate any advice about how to get everything lined up properly. I feel like I'm constantly in there adjusting a file here and a directory there just so people can do their work.

Rob Wilkerson

1 Answer

3

Ok, for point 1, the solution is quite easy:

chgrp developers /opt/dev

For points 2 and 3, I suppose you'll need ACL. So, the first thing to do is to edit /etc/fstab to give the option acl to the mountpoint of /opt/dev. If /opt/dev is not on a separate partition you'll need to enable ACL for the whole root filesystem.

Then you'll have to follow this answer.

chmod g+s /opt/dev

should be equivalent to chgrp developers /opt/dev (and doesn't set the sticky bit, s sets the suid bit).

Then proceed with setfacl:

setfacl -d -m g::rwx /opt/dev  # set group to rwx default
setfacl -d -m o::rx /opt/dev   # set other

to set advanced permission criteria for files and directories. To be honest, I couldn't find a way to set separate file and directory permissions, but I'm pretty sure it's doable. You can try this tutorial to have more information about the topic.

Avio
  • Thanks, @Avio. I'll try the ACL path, but for my own edification, if I have the "global default" UMASK set to 022, why doesn't that accomplish this purpose? I know folks _could_ override, but they aren't in my case. Most are accessing this area via Samba. Thanks again for your help. – Rob Wilkerson Oct 05 '12 at 13:09
  • You probably don't have the `umask` set to `022` as I don't. The value in `/etc/login.defs` is probably overwritten during boot. Reading [here](http://askubuntu.com/a/44548/63606), if you type `umask` at the terminal, you'll see that you have only `0002`. That means that only the `write` permission for `others` is forbidden (during the creation of files). And so it is. Try it in `/tmp` with some `touch` and a few `mkdir`, and you should see it. – Avio Oct 05 '12 at 13:26
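
An added example, not part of the original question or answer: a scratch-directory check of the setgid, umask and default-ACL settings discussed above, printing the modes a new file and a new directory actually receive. It assumes GNU `stat` and `mktemp`; `probe_modes` is a hypothetical helper name, and the ACL case is skipped when `setfacl` or filesystem ACL support is missing.

```shell
#!/bin/sh
# probe_modes UMASK [acl]   (hypothetical helper, added for illustration)
# Builds a scratch setgid directory, optionally applies the default ACL from
# the answer, creates one file and one subdirectory under UMASK, and prints
# "FILEMODE DIRMODE" in octal. Runs in a subshell so the caller's umask is
# left untouched. Exit status 2 means the default ACL could not be applied.
probe_modes() (
    umask "$1"
    d=$(mktemp -d) || exit 1
    chmod 2775 "$d"                      # rwxrwxr-x plus setgid (g+s)
    if [ "${2:-}" = acl ] && ! setfacl -d -m g::rwx,o::rx "$d" 2>/dev/null; then
        rm -rf "$d"
        exit 2
    fi
    touch "$d/file"                      # touch requests mode 0666
    mkdir "$d/subdir"                    # mkdir requests mode 0777
    echo "$(stat -c %a "$d/file") $(stat -c %a "$d/subdir")"
    rm -rf "$d"
)

# Without a default ACL the umask alone decides which requested bits survive.
for m in 002 022; do
    echo "umask $m, no default ACL: $(probe_modes "$m")"
done

# With a default ACL on the parent the umask is ignored: even a umask of 077
# yields group-writable results, because the inherited ACL entries are only
# masked by the mode the creating program requested.
if out=$(probe_modes 077 acl); then
    echo "umask 077, default ACL:   $out"
else
    echo "setfacl missing or filesystem lacks ACL support; ACL case skipped"
fi
```

Files come out as 664 rather than 774 in every case because the creating program asks for 0666 and neither the umask nor a default ACL can add a bit that was not requested; the leading 2 on the directory mode is the setgid bit inherited from the parent.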