6

I've read a lot of solutions for something like this, but nothing seems to work quite right for me. I have a shared development box used for a few projects that require such a thing and I'd like to configure it so that files created by users in the /opt/dev directory:

  • Are owned by <username>:developers
  • Have permissions set to 774 (files)
  • Have permissions set to 775 (directories)

All developer users have their primary group set to developers so the first requirement has been pretty solid. What's a lot less solid is the actual permissions. They just aren't being set consistently the way we need them to get set and I haven't found the right solution.

I do have the sticky bit set (g+s) based on something else I read at some point, but that wouldn't seem to be particularly useful since all users are in the same primary group.

I also have the default umask set to 002 in /etc/login.defs. I thought that would kind of cover it, that doesn't seem to be the case.

I'd really appreciate any advice about how to get everything lined up properly. I feel like I'm constantly in there adjusting a file here and a directory there just so people can do their work.

Rob Wilkerson
  • 165

1 Answers1

3

Ok, for point 1, the solution is quite easy:

chgrp developers /opt/dev

For points 2 and 3, I suppose you'll need ACL. So, the first thing to do is to edit /etc/fstab to give the option acl to the mountpoint of /opt/dev. If /opt/dev is not on a separate partition you'll need to enable ACL for the whole root filesystem.

Then you'll have to follow this answer.

chmod g+s /opt/dev

should be equivalent to chgrp developers /opt/dev (and doesn't set the sticky bit, s sets the suid bit).

Then proceed with setfacl:

setfacl -d -m g::rwx /opt/dev  //set group to rwx default 
setfacl -d -m o::rx /opt/dev   //set other

to set advanced permission criteria for files and directories. To be honest, I couldn't find a way to set separate file and directory permissions, but I'm pretty sure it's doable. You can try this tutorial to have more information about the topic.

Community
  • 1
Avio
  • 2,986
  • Thanks, @Avio. I'll try the ACL path, but for my own edification, if I have the "global default" UMASK set to 022, why doesn't that accomplish this purpose? I know folks could override, but they aren't in my case. Most are accessing this area via Samba. Thanks again for your help. – Rob Wilkerson Oct 05 '12 at 13:09
  • You probably don't have the umask set to 022 as I don't. The value in /etc/login.defs is probably overwritten during boot. Reading here, if you type umask at the terminal, you'll see that you have only 0002. That means that only the write permission for others is forbidden (during the creation of files). And so it is. Try it in /tmp with some touch and a few mkdir, and you should see it. – Avio Oct 05 '12 at 13:26