If you’ve ever collaborated with someone on a Linux machine or worked as a system administrator on a multi-user Linux system, chances are you’ve set up shared folders for groups of people to share data. It’s quite easy on Linux. Well, kind of. You can simply create a group, add the relevant users to it, and set the shared folder’s owner and permissions correctly. However, this approach has a problem: new files and directories created inside the shared folder don’t inherit the owner and permissions of the shared folder itself. Is there a way to achieve that? Yes. In this post, I would like to talk about how to correctly set up the owner and permissions for shared folders once and for all.
First attempt: the SetGID bit
If you know the basics of Linux, you should know how Linux permissions work. There are 9 bits controlling read (r), write (w), and execute (x) permissions for the owner, the group, and everyone else. Actually, there are 3 more bits: SetUID, SetGID, and Sticky. Here I will focus on SetGID because it’s relevant to what we are doing. For more information on those bits, you could refer to this superuser blog post.
The SetGID bit, when set on a directory, causes new files created in that directory to get the directory’s group (i.e. they inherit the group), and new subdirectories additionally inherit the SetGID bit itself, so the group keeps propagating as the tree grows. Does it solve our problem? Not quite. It only controls the group: the permission bits of new files still come from the creating process’s mode and umask, it does nothing for files that already exist or are moved in with mv, and it cannot grant any access to a group other than the owning group.
Second attempt: the Access Control List
We need a more powerful weapon to achieve what we want, and that is the Access Control List (ACL). An ACL is a way to provide more fine-grained access control to files and directories. For example, you can give different users or groups different permissions on the same file. This is much more flexible than the traditional Linux permission model (owner, group, world). It’s not supported on all systems (see its prerequisites here): the filesystem must be mounted with ACL support and the acl package must be installed for the getfacl and setfacl tools, but most Linux installations nowadays support it out of the box.
If we want to grant a group rwx permissions on a shared folder, we can simply do
$ setfacl -m "g:testgroup:rwx" testfolder
Now the directory listing (ls -l) shows a + sign at the end of the mode string, indicating that an ACL is present. You can check the ACL entries with
$ getfacl testfolder
# file: testfolder
# owner: siyuan
# group: siyuan
user::rwx
group::r-x
group:testgroup:rwx
mask::rwx
other::r-x
To make this the “default” ACL (i.e. to enable inheritance by new files and subdirectories), use the -d switch:
$ setfacl -dm "g:testgroup:rwx" testfolder
$ getfacl testfolder
# file: testfolder
# owner: siyuan
# group: siyuan
user::rwx
group::r-x
group:testgroup:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::r-x
default:group:testgroup:rwx
default:mask::rwx
default:other::r-x
NOTICE: These are two separate commands, and you need to run both of them. The second one alone only sets the default entries, which apply to objects created from now on; it changes neither the directory’s own access ACL nor anything that already exists inside it. To cover existing files and subdirectories as well, run both commands again with the recursive switch (-R).
With the above two commands, the group has rwx access to the shared folder, and every file and directory created inside it from now on carries the same ACL entry. You can test it yourself: create some files and directories inside and see if you get any permission denied error. Two things to keep in mind: the owner of each new file is still whoever created it, and the other::r-x entry in the output above means every user on the machine can still read the whole tree. If the data is meant for the group only, set the other entry to --- in both the access ACL and the default ACL.
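The following script is an added example and is not code from the original post. It combines the SetGID bit from the first attempt with the access and default ACLs from the second, locks out users outside the group, and then checks that a file and a nested subdirectory created two levels down really inherit the group’s entry. Everything is driven by two caller-supplied assumptions, the directory path and the group name (e.g. /srv/shared and devs); the probe for ACL support, the rwX spelling and the o::--- entry are this example’s additions, not commands from the post.

```bash
#!/usr/bin/env bash
# Added example (not from the original post): a group-shared directory set up
# with the SetGID bit plus POSIX ACLs, and a check that new files and nested
# subdirectories inherit the group's access. The directory path and group
# name are assumptions supplied by the caller.
set -u

# acl_supported DIR
# Returns 0 when setfacl is installed and the filesystem holding DIR accepts
# extended ACLs (a named-user entry needs xattr support, unlike base entries).
acl_supported() {
    command -v setfacl >/dev/null 2>&1 || return 1
    local probe rc
    probe=$(mktemp "$1/.aclprobe.XXXXXX") || return 1
    setfacl -m "u:$(id -u):rw-" "$probe" >/dev/null 2>&1
    rc=$?
    rm -f "$probe"
    return "$rc"
}

# setup_shared_dir DIR GROUP
# Makes GROUP's rwx access to DIR inherited by everything created inside it.
#   chgrp + chmod 2770 : SetGID, so new entries get GROUP as owning group (new
#                        subdirectories inherit the bit too); no world access.
#   setfacl -R -m      : access ACL on DIR and on whatever already exists in it.
#   setfacl -R -dm     : default ACL, copied to new files and subdirectories.
#   rwX (capital X)    : execute only on directories, never on plain files.
#   o::---             : keep users outside GROUP out of the whole tree.
setup_shared_dir() {
    local dir=$1 group=$2
    mkdir -p "$dir" || return 1
    chgrp "$group" "$dir" || return 1
    chmod 2770 "$dir" || return 1
    setfacl -R -m "g:${group}:rwX,o::---" "$dir" || return 1
    setfacl -R -dm "g:${group}:rwX,o::---" "$dir" || return 1
}

# create_samples DIR
# Creates a nested subdirectory and a file two levels down, the way a group
# member would during normal work (constructed sample content).
create_samples() {
    mkdir -p "$1/sub/deeper" || return 1
    : > "$1/sub/deeper/file.txt" || return 1
}

# acl_entry PATH PREFIX
# Prints the ACL line of PATH that starts with PREFIX (e.g. "group:devs:" or
# "mask::"), without getfacl's header or "#effective:" comments, so the
# result can be compared verbatim. Default entries start with "default:" and
# are therefore never matched by an anchored PREFIX.
acl_entry() {
    getfacl -E --omit-header "$1" 2>/dev/null | grep "^$2"
}

# Stand-alone run:  ./share.sh /srv/shared devs
if [ "${1-}" ] && [ "${2-}" ]; then
    acl_supported "$(dirname "$1")" || { echo "no ACL support here" >&2; exit 1; }
    setup_shared_dir "$1" "$2" || exit 1
    create_samples "$1" || exit 1
    for p in "$1/sub/deeper" "$1/sub/deeper/file.txt"; do
        printf '%s\n  %s\n  %s\n  %s\n' "$p" \
            "$(acl_entry "$p" "group:$2:")" \
            "$(acl_entry "$p" "mask::")" \
            "$(acl_entry "$p" "other::")"
    done
fi
```

Running it for /srv/shared and devs, the subdirectory ends up with group:devs:rwx and mask::rwx, while the file shows group:devs:rwx but mask::rw-. That is the default ACL at work: named entries are copied verbatim, and the mask is then intersected with the mode the creating process asked for (0666 for a file, 0777 for a directory), so plain getfacl prints the file’s line as group:devs:rwx #effective:rw-. Group members can read and write data files without anyone executing them, which is what you want. The same mechanism is why a later chmod g-w on an ACL’d object lowers the mask rather than the named entries, silently cutting the group back until you run setfacl again.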
In conclusion, the permission and ownership issue on shared folders can be easily solved by adding ACL entries to the folders. With ACL properly set, sharing data among multiple Linux users on the same machine should be hassle-free.