Linux permissions

Sc0tte
It's been a long time since I've done anything with Linux, so I'm stuck on what I thought would be a relatively easy thing to do.

My directory structure

<ftp>
|
|-<downloads>
|-----file_to_download.dwg
|
|-<uploads>
|-----uploaded_file.pdf
|
|-random_file.dwg
|-another_random.dwg

I want to set permission on this, such that:

user "ftp_admin" has full (rwx) on ftp and everything underneath
user "ftp_download" has read on ftp and everything underneath
user "ftp_upload" has read on ftp and everything underneath as well as write on <upload> folder.

I can do this with NTFS without flinching, but with CentOS I can't get around not being able to give a single file/folder permissions from multiple users/groups. I don't think I can use ACLs with this install either :-(

Thanks very much for the help
Make ftp_admin the owner of everything and start with 755 permissions on all the directories.

Have ftp_upload in a different group than ftp_download, then change the group of the upload directory to that group and give it 775 permissions.
Commented:
Hi,

Here is how to implement this:

Create a group called ftp and add ftp_admin, ftp_download, and ftp_upload to the ftp group. Create another group called ftp_upload and add ftp_admin and ftp_upload to this ftp_upload group.

chown -R ftp_admin:ftp ftp
chmod -R 750 ftp   # 750 = user-rw, group-r, world-none
chown -R ftp_download:ftp_upload ftp/uploads
chmod -R 570 ftp/uploads

It is somewhat of a hack solution, but without ACLs, there isn't much else you can do. Also, note that ftp/uploads is owned by the ftp_download user. Unless you disable changing permissions (presumably through ftp), the ftp_download user can possibly give himself write permissions on uploads.
Distinguished Expert 2017

Commented:
Not sure what ACLs you mean. Are you able to use setfacl to grant access?

i.e. setfacl -m user:$(id -u ftp_upload):rwx <upload>

Kerem ERSOYPresident

Commented:
Hi,

First of all, as far as I understand:

- All three users must belong to the same group such as: ftp
- ftp_admin must be the owner of ftp directory and it should have 750 as permission flags over entire directory.
-   This would ensure that ftp_admin has r/w access to entire stanza and ftp_download has read access to entire stanza.
- When it comes to ftp_upload, the owner should be ftp_upload and read access must be granted to a group called ftpw, and ftp_download must be a member of the group, and for the others you must have read permission

If we summarise:
# adduser ftp_user
# adduser ftp_download
# adduser ftp_upload
# groupadd ftp
# groupadd ftpw
# usermod -aG ftp ftp_user
# usermod -aG ftp ftp_download
# usermod -aG ftp ftp_upload
# usermod -aG ftpw ftp_user
# usermod -aG ftpw ftp_upload
# chown -R ftp_user:ftp ftp
# chown -R ftp_upload:ftpw ftp/upload
# chmod -R 750 ftp
# chmod -R 775 ftp/upload

These commands would give you what you want.

Cheers,
K.
Kerem ERSOYPresident

Commented:
Oops, sorry, please replace ftp_user with ftp_admin, such as:

# adduser ftp_admin
# adduser ftp_download
# adduser ftp_upload
# groupadd ftp
# groupadd ftpw
# usermod -aG ftp ftp_admin
# usermod -aG ftp ftp_download
# usermod -aG ftp ftp_upload
# usermod -aG ftpw ftp_admin
# usermod -aG ftpw ftp_upload
# chown -R ftp_admin:ftp ftp
# chown -R ftp_upload:ftpw ftp/upload
# chmod -R 750 ftp
# chmod -R 775 ftp/upload
Kerem ERSOYPresident

Commented:
@TRW-Consulting: ftp-admin must belong to the second group without it it won't be able to write to ftp-upload
@jonmchan: ftp-admin has no rights into your upload directory since group and owner do not include ftp_admin.

Cheers,
K.
> @KeremE says: "@TRW-Consulting: ftp-admin must belong to the second group without it it won't be able to write to ftp-upload"

To @KeremE: No, it does not "have" to because it is the owner, and has its own "owner" permissions and can ignore the "group" ownership or "group" permissions.
Kerem ERSOYPresident

Commented:
> To @KeremE: No, it does not "have" to because it is the owner, and has its own "owner" permissions
> and can ignore the "group" ownership or "group" permissions.

Your initial post did not mention the group memberships of the accounts and needs clarification. As you know, when creating a username RHEL/CentOS creates a group with the same name. So initially all three accounts will be members of their corresponding groups only, so that you should associate them with two different groups later.

As you said, it does not "have" to, but it is still possible.

Cheers,
K.

Commented:
@KeremE - yes it does. I propose that ftp_admin be part of the ftp_upload group with ftp_upload user. Then give the upload directory 570 access which will give ftp_admin and ftp_upload read/write permission.

@TRW-Consulting - i don't think he wants world readable permissions. You shouldn't have the last 5 in 775.

Commented:
You didn't mention if there are any other users involved or not (anonymous?  guest?) and whether there are any restrictions to those users, if they exist.

Assuming there are no other users, TRW-Consulting, has it right in the first post.  It's not too confusing.

Make sure all permissions are 755 to start:
chmod -R 755 ftp

Give ftp admin ownership of everything:
chown -R ftp_admin ftp  

Assuming you're on CentOS and ftp_upload has its own group, change the owning group of the uploads directory to that group and give that group write permission to that directory.  Set the SGID bit on the uploads directory so that any file created keeps the group of ftp_uploads.  Add ftp_admin to the ftp_upload group so ftp_admin will have write access to any file uploaded by ftp_upload:
chgrp -R ftp_upload ftp/uploads
chmod -R 2775 ftp/uploads
usermod -a -G ftp_upload ftp_admin

This accomplishes everything by giving ownership to the user ftp_admin of everything in the tree with permissions of "7" (read, write, execute) to the owner.
The group on the uploads directory that is now the group of ftp_uploads also has write permissions in that directory and below.
Everyone (even other users) has read permissions to everything by using the "others" permissions which is "5" (read, execute).

It also keeps those permissions with the SGID bit set on the upload directory and ftp_admin being part of the ftp_upload group.
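
The layouts proposed in this thread differ in which permission class (owner, group or other) ends up applying to each account. As an added example, not part of any post above, this Python model of that check evaluates the 755/2775 layout and the 750/570 layout for each user. The `outsider` account and the uploaded file's 664 mode are assumptions; root and ACLs are not modelled.

```python
# Added illustration (not from the thread): classic Unix owner/group/other check.
# Users, groups and modes follow the posts above; the uploaded file's 664 mode
# is an assumed umask result.

def effective(user, groups, owner, group, mode):
    """Return the permission string that applies to `user` on one object.

    Exactly one class is consulted: owner, else group, else other. The owner
    never falls through to the group bits, even when those grant more.
    """
    if user == owner:
        bits = (mode >> 6) & 7
    elif group in groups:
        bits = (mode >> 3) & 7
    else:
        bits = mode & 7
    return "".join(c for c, m in (("r", 4), ("w", 2), ("x", 1)) if bits & m)

def audit(tree, members):
    """Map user -> path -> effective permissions for a proposed layout."""
    return {u: {p: effective(u, g, *node) for p, node in tree.items()}
            for u, g in members.items()}

# Layout A: owner ftp_admin, 755 everywhere, uploads group ftp_upload with 2775.
TREE_A = {
    "ftp": ("ftp_admin", "ftp_admin", 0o755),
    "ftp/uploads": ("ftp_admin", "ftp_upload", 0o2775),
    "ftp/uploads/uploaded_file.pdf": ("ftp_upload", "ftp_upload", 0o664),
}
MEMBERS_A = {
    "ftp_admin": {"ftp_admin", "ftp_upload"},
    "ftp_download": {"ftp_download"},
    "ftp_upload": {"ftp_upload"},
    "outsider": set(),  # assumed: any other local account
}

# Layout B: shared group ftp with 750, uploads owned ftp_download:ftp_upload 570.
TREE_B = {
    "ftp": ("ftp_admin", "ftp", 0o750),
    "ftp/uploads": ("ftp_download", "ftp_upload", 0o570),
}
MEMBERS_B = dict(MEMBERS_A, ftp_admin={"ftp", "ftp_upload"},
                 ftp_download={"ftp"}, ftp_upload={"ftp", "ftp_upload"})

if __name__ == "__main__":
    for name, tree, members in (("A", TREE_A, MEMBERS_A), ("B", TREE_B, MEMBERS_B)):
        for user, perms in audit(tree, members).items():
            print(name, user, perms)
```

An empty string in the output means no access at all; on a directory, `rx` is what a read-only user needs to list and enter it.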
