Linux shared folder management done right

If you’ve ever collaborated with someone on a Linux machine or worked as a system administrator on a multi-user Linux system, chances are you’ve set up shared folders for groups of people to share data. It’s quite easy on Linux. Well, kind of. I mean, you can simply create a group, add the relevant users to it, and set the shared folder’s owner and permissions correctly. However, this approach has a problem: new files and directories created inside a shared folder don’t inherit the owner and permissions of the shared folder itself. Is there a way to achieve that? Yes. In this post, I would like to talk about how to correctly set up the owner and permissions for shared folders once and for all.

First attempt: the SetGID bit

If you know the basics of Linux, you should know how Linux permissions work. There are 9 bits controlling read (r), write (w), and execute (x) permissions for the owner, the group, and everyone else. Actually, there are 3 more bits: the SetUID, SetGID, and Sticky bits. Here I will focus on SetGID because it’s relevant to what we are doing. For more information on those bits, you could refer to this superuser blog post.

When set on a directory, the SetGID bit makes new files created in that directory automatically take the parent directory’s group (i.e. inherit the group). Does it solve our problem? Not quite. It can inherit the group, but it cannot do so recursively (i.e. only its immediate children can inherit the group), and it cannot set the permissions.

Second attempt: the Access Control List

We need a more powerful weapon to achieve what we want, and that is the Access Control List (ACL). An ACL is a way to provide more fine-grained access control to files and directories. For example, you can give different users or groups different permissions on the same file. This is much more flexible than the traditional Linux permission model (owner, group, world). It’s not supported on all systems (see its prerequisites here), but most Linux installations nowadays should support it out of the box.

If we want to grant a group rwx permissions on a shared folder, we can simply do

$ setfacl -m "g:testgroup:rwx" testfolder

Now the directory’s permission string (as shown by ls -l) will end with a + sign, indicating that an ACL is set. You can check the ACL entries with getfacl:

$ getfacl testfolder
# file: testfolder
# owner: siyuan
# group: siyuan
user::rwx
group::r-x
group:testgroup:rwx
mask::rwx
other::r-x

To make this permission the “default” permission (i.e. to enable inheritance), use the -d switch with setfacl

$ setfacl -dm "g:testgroup:rwx" testfolder
$ getfacl testfolder
# file: testfolder
# owner: siyuan
# group: siyuan
user::rwx
group::r-x
group:testgroup:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:testgroup:rwx
default:mask::rwx
default:other::r-x

NOTICE: These are two separate commands; you need to run both of them. Running the second one alone only sets the defaults for new entries but will not change any existing permissions on the folder itself.

With the above two commands, this shared folder is truly owned by the group with the desired permissions. You can test it yourself: create some files and directories inside and see whether you get any permission denied errors.
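As an added example (not from the original post), here is a small Python audit that parses a getfacl listing and reports the effective permissions a group actually gets, both on the folder itself and on new entries via the default ACL. It honours the mask entry, which is what a later plain chmod on the directory rewrites; the listing below is constructed to match the output shown above, and getfacl’s “#effective:” annotations are handled as well.

```python
# Added example, not the post's own code: audit a getfacl listing for a shared folder.
SAMPLE_GETFACL = """\
# file: testfolder
# owner: siyuan
# group: siyuan
user::rwx
group::r-x
group:testgroup:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:testgroup:rwx
default:mask::rwx
default:other::r-x
"""  # constructed to match the post's output after both setfacl commands

def parse_getfacl(text):
    """Split a getfacl listing into access and default entries keyed by (tag, qualifier)."""
    acl = {"access": {}, "default": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops '# file:' headers and '#effective:' notes
        if not line:
            continue
        scope, body = ("default", line[8:]) if line.startswith("default:") else ("access", line)
        tag, qualifier, perms = body.split(":")
        acl[scope][(tag, qualifier)] = set(perms) - {"-"}
    return acl

def effective_perms(entries, tag, qualifier=""):
    """Rights an entry really grants: all but owner/other are ANDed with the mask, which chmod rewrites."""
    perms = entries.get((tag, qualifier))
    if perms is None:
        return None
    if tag in ("user", "other") and qualifier == "":
        return perms
    return perms & entries.get(("mask", ""), {"r", "w", "x"})

def audit_shared_folder(text, group):
    """Return problems found; an empty list means the group gets rwx now and by default."""
    acl = parse_getfacl(text)
    problems = []
    for scope in ("access", "default"):
        eff = effective_perms(acl[scope], "group", group)
        if eff is None:
            problems.append(f"{scope}: no entry for group {group}")
        elif eff != {"r", "w", "x"}:
            shown = "".join(c if c in eff else "-" for c in "rwx")
            problems.append(f"{scope}: effective permissions for group {group} are {shown}, not rwx")
    return problems
```

Feed it the real output of getfacl on your shared folder; an empty result means both setfacl commands took effect and nothing has narrowed the mask since.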

Conclusion

In conclusion, the permission and ownership issue on shared folders can be easily solved by adding ACL entries to the folders. With ACL properly set, sharing data among multiple Linux users on the same machine should be hassle-free.
