Setting default permissions for newly created files and sub-directories under a directory in Linux?

Asked 24/2, 2009 at 5:33 Answered 12/5, 2021 at 3:18

107

I have a bunch of long-running scripts and applications that are storing output results in a directory shared amongst a few users. I would like a way to make sure that every file and directory created under this shared directory automatically had u=rwxg=rwxo=r permissions.

I know that I could use umask 006 at the head off my various scripts, but I don't like that approach as many users write their own scripts and may forget to set the umask themselves.

I really just want the filesystem to set newly created files and directories with a certain permission if it is in a certain folder. Is this at all possible?

Update: I think it can be done with POSIX ACLs, using the Default ACL functionality, but it's all a bit over my head at the moment. If anybody can explain how to use Default ACLs it would probably answer this question nicely.

Earnestineearnings answered 24/2, 2009 at 5:33 Comment(5)

POSIX ACLs are nice, however a good 60% of the machines that you encounter won't have them turned on for certain file systems, depending on the distribution. Here is a very good introduction and example: suse.de/~agruen/acl/linux-acls/online – Podagra 24/2, 2009 at 6:1

You mean the same document I linked :) I haven't had a change to read it yet but thanks for the head's up on the availability problem. – Earnestineearnings 24/2, 2009 at 6:12

The link in Tim Post's comment appears to be dead, but thanks to the Internet Archive, I could view it, and verify that vanemery.com/Linux/ACL/POSIX_ACL_on_Linux.html contains the exact same document. I'll edit the question to update the link. – Midget 30/5, 2016 at 7:12

@Midget The new link is also 404'd now. – Beckiebeckley 23/5, 2021 at 18:52

Internet Archive (archive.org) version of the link here (2012-12-04) – Jesusa 26/1, 2023 at 11:18

To get the right ownership, you can set the group setuid bit on the directory with

chmod g+rwxs dirname

This will ensure that files created in the directory are owned by the group. You should then make sure everyone runs with umask 002 or 007 or something of that nature---this is why Debian and many other linux systems are configured with per-user groups by default.

I don't know of a way to force the permissions you want if the user's umask is too strong.

Avant answered 24/2, 2009 at 5:37 Comment(4)

This doesn't really provide a solution- he's asking about permissions not ownership, and the only way to do that is with ACLs – Viera 16/12, 2012 at 22:36

"... make sure everyone runs with umask 002 or 007 or something of that nature" - that's a bit of a stretch.... How do you make Postfix, Dovecot, Clam and Spam Assassin all do this? – Freud 3/4, 2014 at 0:18

What does the +s part do? Thanks. – Krum 6/1, 2017 at 11:37

In this case it means set group ID. That is to say we use g+s to set the SGID bit. I say "in this case" because +s was combined with g for group. +s can also be used for setting the SUID bit (setuid). – Backstroke 20/6, 2017 at 2:30

Here's how to do it using default ACLs, at least under Linux.

First, you might need to enable ACL support on your filesystem. If you are using ext4 then it is already enabled. Other filesystems (e.g., ext3) need to be mounted with the acl option. In that case, add the option to your /etc/fstab. For example, if the directory is located on your root filesystem:

/dev/mapper/qz-root   /    ext3    errors=remount-ro,acl   0  1

Then remount it:

mount -oremount /

Now, use the following command to set the default ACL:

setfacl -dm u::rwx,g::rwx,o::r /shared/directory

All new files in /shared/directory should now get the desired permissions. Of course, it also depends on the application creating the file. For example, most files won't be executable by anyone from the start (depending on the mode argument to the open(2) or creat(2) call), just like when using umask. Some utilities like cp, tar, and rsync will try to preserve the permissions of the source file(s) which will mask out your default ACL if the source file was not group-writable.

Hope this helps!

Durer answered 1/7, 2011 at 15:36 Comment(11)

It seems that this still requires proper umask for all users. =/ unix.stackexchange.com/questions/71743/… – Auroora 13/10, 2014 at 18:27

@techtonik As I wrote, it depends on the application creating the file. E.g., if you use cp then it will try to copy the permissions of the source file. Not even umask helps when using cp. I've seen the same problem with tar. See this question. – Durer 15/10, 2014 at 8:13

@techtonik I've added a sentence about this in my answer now. – Durer 15/10, 2014 at 8:19

yes it looks like the problem was in application forcefully setting the rights to 644 when my ACL and POSIX right setup was all for 664. It would be nice to clarify this fallback mechanism for people troubleshooting the issue. Many don't even know about umask. – Auroora 15/10, 2014 at 13:49

I mean I wasted some time trying to see if I don't have the mount flags set correctly (and on ext4 they can not be set, because it seems that they work automatically). There is no information how to check if setfacl works correctly - I assume that it should fail, but I am not sure, because the answer misses that point. – Auroora 15/10, 2014 at 13:52

@techtonik My answer already said that you didn't need the option on ext4. Anyway, I have edited it now to make that clearer. Regarding umask, the question explicitly asks how to do it without umask. – Durer 20/10, 2014 at 12:25

That's much better now. For me the most confusing moment was that POSIX rights are processed and take precedence even if ACL is in effect, so the correct order of investigating permissions problem is application -- POSIX -- ACL. – Auroora 20/10, 2014 at 13:44

@techtonik Not really. POSIX permissions are mapped to certain ACL entries. So if you change e.g. group perms on a file with ACLs, you actually change the mask ACL entry. If you change user perms then you change the user entry, and so on. – Durer 24/10, 2014 at 7:14

Yes. Right, POSIX permissions serve as a mask for getting through to ACL. – Auroora 24/10, 2014 at 8:41

You are a superhero! you have no idea how damn difficult getting this set up has been - linux webservers are not easy to set up and this has fixed a long-time frustration. – Belleslettres 18/3, 2017 at 7:20

for 600 use:

mkdir ~/.env && sed -i 's/defaults\t/defaults,acl\t/' /etc/fstab && mount -o,remount / && setfacl -dm u::rw,g::x,o::x .env

– Beforehand 13/2, 2022 at 4:44

in your shell script (or .bashrc) you may use somthing like:

umask 022

umask is a command that determines the settings of a mask that controls how file permissions are set for newly created files.

Dolley answered 22/9, 2015 at 16:36 Comment(3)

This is not correct because umask limits the permissions it cannot add permissions – Candleberry 11/1, 2018 at 17:17

@Candleberry can you elaborate? This works for me, newly created files now allow group members to have rw permissions when I do umask 002 in my .bashrc. – Edema 24/4, 2018 at 20:46

@ArthurDent umask 002 limits access to others, leaving group unchanged. Remember, it's ugo - that is user group others. Also remember that umask basically means subtract from the defaults. For files: 666 - 002 would mean 664 which means group is not affected. – Candleberry 25/4, 2018 at 21:42

It's ugly, but you can use the setfacl command to achieve exactly what you want.

On a Solaris machine, I have a file that contains the acls for users and groups. Unfortunately, you have to list all of the users (at least I couldn't find a way to make this work otherwise):

user::rwx
user:user_a:rwx
user:user_b:rwx
...
group::rwx
mask:rwx
other:r-x
default:user:user_a:rwx
default:user:user_b:rwx
....
default:group::rwx
default:user::rwx
default:mask:rwx
default:other:r-x

Name the file acl.lst and fill in your real user names instead of user_X.

You can now set those acls on your directory by issuing the following command:

setfacl -f acl.lst /your/dir/here

Crackdown answered 24/2, 2009 at 10:1 Comment(2)

can you leave off the user list if they are all a member of the same group, and just use the group permissions? – Earnestineearnings 24/2, 2009 at 11:22

I was asking myself the same question. It's been a while since I set this up. But every time I get a new user (in the same group as the others), I forget to update the list and I'll get complaints about the new user not being able to write/delete files. So the answer is: No, you can't. – Crackdown 24/2, 2009 at 12:43

-1

I don't think this will do entirely what you want, but I just wanted to throw it out there since I hadn't seen it in the other answers.

I know you can create directories with permissions in a one-liner using the -m option:

mkdir -m755 mydir

and you can also use the install command:

sudo install -C -m 755 -o owner -g group /src_dir/src_file /dst_file

Ephrayim answered 12/5, 2021 at 3:18 Comment(0)

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags