Linux Set User and Group Ownership for Future Files and Folders

4

10

I was changing user and group ownership using the following command:

sudo chown -R apache:www /var/www

However, I noticed that whenever I added a new file or folder to that directory, the owner would be my current username instead of the intended user, apache. How can I modify the above command so that all future folders and files will be owned by apache:www? Or do I need to use an extra command?

Muezzin answered 7/8, 2015 at 20:34 Comment(0)
5

You can use ACLs to do this. For example:

$ ls -ld /var/www
drwxr-xr-x 2 apache www 4096 Aug  7 13:53 /var/www

$ sudo setfacl -dRm u:apache:rwX,g:www:rwX /var/www

$ ls -ld /var/www
drwxr-xr-x+ 2 apache www 4096 Aug  7 13:53 /var/www

$ getfacl /var/www
# file: var/www
# owner: apache
# group: www
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:apache:rwx
default:group::r-x
default:group:www:rwx
default:mask::rwx
default:other::r-x

When new files are created there they will still be owned by your user, but there will also be an ACL set on them granting privileges to the apache user:

$ touch donkey
$ ls -l donkey
-rw-rw-r--+ 1 gene gene 0 Aug  7 13:57 donkey

$ getfacl donkey
# file: donkey
# owner: gene
# group: gene
user::rw-
user:apache:rwx               #effective:rw-
group::rwx                      #effective:rw-
group:www:rwx              #effective:rw-
mask::rw-
other::r--

An overview of the command:

setfacl -dRm u:apache:rwX,g:www:rwX /var/www
  • The -d flag specifies the operations apply to the Default ACL.
  • The -R flag sets operations to apply recursively.
  • The -m indicates it will be a modification operation.

Then after that it's pretty straightforward:

  • u:USERNAME:permissions
  • g:GROUPNAME:permissions

These entries must be separated by a comma.

The X permission (note: it's uppercase) means it will only be applied to directories and not files.

Haberdashery answered 7/8, 2015 at 21:5 Comment(0)
4

You can achieve that on the group level by using the SETGID (SET Group ID) flag of chmod:

chmod g+s <directory>

From the docs:

On most systems, if a directory’s set-group-ID bit is set, newly created subfiles inherit the same group as the directory, and newly created subdirectories inherit the set-group-ID bit of the parent directory.

Once you set that, newly created files and directories inside <directory> will be set to <group>, e.g.

chmod g+s /srv/www

will cause newly created files and directories inside /srv/www to have the group www.

You can verify that by executing ls -al, which will show s for the group "execute" permission on the directory, e.g.

drwxr-sr-x.   5 apache www       4096 Mar 13 20:32 www
      ^
    SETGID
Embrocation answered 14/3, 2018 at 3:58 Comment(2)
That's a wrong command. 3rd arg is supposed to be a folder. – Furor
chmod g+s www /srv/www is wrong, because chmod only affects file mode bits. To change group ownership, use the chgrp command. So write: chmod g+s /srv/www ; chgrp www /srv/www instead. – Suppression
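
The setgid approach applied to an existing tree, as an added example that is not part of the answer or its comments: chmod g+s on the top directory does not reach subdirectories that already exist, so the bit is set on each one, and a second function reports any drift. The function names share_tree and audit_tree and the NOSGID/GROUP report labels are assumptions made for this example.

```sh
#!/bin/sh
# Added example: share_tree and audit_tree are hypothetical helper names.

# share_tree DIR GROUP
#   chgrp fixes the group of everything that already exists; g+s on every
#   directory makes entries created later inherit that group. The owning
#   user of a new file is still whoever created it.
share_tree() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir" || return 1
    # Existing subdirectories do not pick up the bit from their parent,
    # so set it on each directory explicitly.
    find "$dir" -type d -exec chmod g+s {} +
}

# audit_tree DIR
#   Prints one line per problem and returns non-zero if any were found:
#     NOSGID path   directory without the set-group-ID bit
#     GROUP  path   entry whose group differs from DIR's own group
audit_tree() {
    dir=$1
    # Numeric GID of the top directory (4th field of ls -ldn).
    gid=$(ls -ldn -- "$dir" | awk '{print $4}')
    report=$(
        find "$dir" -type d ! -perm -2000 | sed 's/^/NOSGID /'
        find "$dir" ! -group "$gid" | sed 's/^/GROUP  /'
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Run share_tree once with sufficient privileges (for example via sudo, as in the question), then audit_tree periodically or after deployments to catch directories that were copied in without the bit.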
0

My guess is you need to change user before executing the command - a script something like this:

$ whoami
user1
$ su - apache
Password:
$ whoami
apache
[add file]
$ exit
Adah answered 7/8, 2015 at 20:46 Comment(1)
Is there a way to set it automatically, so that I don't need to be switching usernames? – Muezzin
0

New files in POSIX-like file systems always have an owning user and an owning group. How the owner is determined is explained in detail in the chown(2) man page, but the owner will always be the user account that's running whatever process created the file, although you can have a different group to the process's group by fiddling with SETGID or ACLs as others have suggested.

If you want to create a new file with a different owner, you'll need to ensure whatever process creates the file has the user you want. So if you're currently running <command> and want the file to start owned by apache, you'd probably want to run sudo -u apache <command> so the process runs as the apache user.

If you're doing that anyway, it's probably easier to not worry about SETGID or similar, and instead to just make sure the group is set by having the right group in the owning process too. That means you'd need to run sudo -u apache -g www <command>.

You can obviously just keep using chown as you have been doing, and that might be the simplest option. You can also make the issue irrelevant by ensuring the group permissions – via SETGID or ACLs (or more esoteric options) – mean that the owner isn't relevant. But if you want the owner to be a different user from the start, sudo (or something else that lets you change the account running a given process, e.g. su) is the only way to achieve that.

Roderica answered 4/5, 2023 at 11:59 Comment(0)
