Sc0tte asked:

Linux permissions

It's been a long time since I've done anything with Linux, so I'm stuck on what I thought would be a relatively easy thing to do.

My directory structure

<ftp>
|
|-<downloads>
|-----file_to_download.dwg
|
|-<uploads>
|-----uploaded_file.pdf
|
|-random_file.dwg
|-another_random.dwg

I want to set permission on this, such that:

user "ftp_admin" has full (rwx) on ftp and everything underneath
user "ftp_download" has read on ftp and everything underneath
user "ftp_upload" has read on ftp and everything underneath as well as write on <upload> folder.

I can do this with NTFS without flinching, but with CentOS I can't get around not being able to give a single file/folder permissions from multiple users/groups. I don't think I can use ACLs with this install either :-(

Thanks very much for the help
TRW-Consulting

Make ftp_admin the owner of everything and start with 755 permissions on all the directories.

Have ftp_upload in a different group than ftp_download, then change the group of the upload directory to that group and give it 775 permissions.
ASKER CERTIFIED SOLUTION
jonmchan
This solution is only available to members.
arnold

Not sure what ACLs you mean; are you able to use setfacl to grant

i.e. setfacl -m user:`id -u ftp_upload`:rwx <upload>

Kerem ERSOY

Hi,

First of all, as far as I understand:

- All three users must belong to the same group, such as: ftp
- ftp_admin must be the owner of the ftp directory and it should have 750 as permission flags over the entire directory.
-   This would ensure that ftp_admin has r/w access to the entire stanza and ftp_download has read access to the entire stanza.
- When it comes to ftp_upload, the owner should be ftp_upload and read access must be granted to a group called ftpw, and ftp_download must be a member of the group, and for the others you must have read permission

If we summarise:
# adduser ftp_user
# adduser ftp_download
# adduser ftp_upload
# groupadd ftp
# groupadd ftpw
# usermod -a -G ftp ftp_user
# usermod -a -G ftp ftp_download
# usermod -a -G ftp ftp_upload
# usermod -a -G ftpw ftp_user
# usermod -a -G ftpw ftp_upload
# chown -R ftp_user:ftp ftp
# chown -R ftp_upload:ftpw ftp/uploads
# chmod -R 750 ftp
# chmod -R 775 ftp/uploads

These commands would give you what you want.

Cheers,
K.

Oops, sorry, please replace ftp_user with ftp_admin, such as:

# adduser ftp_admin
# adduser ftp_download
# adduser ftp_upload
# groupadd ftp
# groupadd ftpw
# usermod -a -G ftp ftp_admin
# usermod -a -G ftp ftp_download
# usermod -a -G ftp ftp_upload
# usermod -a -G ftpw ftp_admin
# usermod -a -G ftpw ftp_upload
# chown -R ftp_admin:ftp ftp
# chown -R ftp_upload:ftpw ftp/uploads
# chmod -R 750 ftp
# chmod -R 775 ftp/uploads

@TRW-Consulting: ftp-admin must belong to the second group; without it, it won't be able to write to ftp-upload
@jonmchan: ftp-admin has no rights into your upload directory since group and owner do not include ftp_admin.

Cheers,
K.
> @KeremE says: "@TRW-Consulting: ftp-admin must belong to the second group without it it won't be able to write to ftp-upload"

To @KaremE: No, it does not "have" to because it is the owner, and has its own "owner" permissions and can ignore the "group" ownership or "group" permissions.
> To @KaremE: No, it does not "have" to because it is the owner, and has its own "owner" permissions
> and can ignore the "group" ownership or "group" permissions.

Your initial post did not mention the group memberships of the accounts and needs clarification. As you know, when creating a username RHEL/CentOS creates a group with the same name. So initially all three accounts will be members of their corresponding groups only, so that you should associate them with two different groups later.

As you have said, it does not "have" to, but it is still possible.

Cheers,
K.
@KeremE - yes it does. I propose that ftp_admin be part of the ftp_upload group with ftp_upload user. Then give the upload directory 570 access which will give ftp_admin and ftp_upload read/write permission.

@TRW-Consulting - I don't think he wants world readable permissions. You shouldn't have the last 5 in 775.
You didn't mention if there are any other users involved or not (anonymous? guest?) and whether there are any restrictions to those users, if they exist.

Assuming there are no other users, TRW-Consulting has it right in the first post. It's not too confusing.

Make sure all permissions are 755 to start:
chmod -R 755 ftp

Give ftp_admin ownership of everything:
chown -R ftp_admin ftp

Assuming you're on CentOS and ftp_upload has its own group, change the owning group of the uploads directory to that group and give that group write permission to that directory. Set the SGID bit on the uploads directory so that any file created keeps the group of ftp_uploads. Add ftp_admin to the ftp_upload group so ftp_admin will have write access to any file uploaded by ftp_upload:
chgrp -R ftp_upload ftp/uploads
chmod -R 2775 ftp/uploads
usermod -a -G ftp_upload ftp_admin

This accomplishes everything by giving ownership to the user ftp_admin of everything in the tree with permissions of "7" (read, write, execute) to the owner.
The group on the uploads directory that is now the group of ftp_uploads also has write permissions in that directory and below.
Everyone (even other users) has read permissions to everything by using the "others" permissions which is "5" (read, execute).

It also keeps those permissions with the SGID bit set on the upload directory and ftp_admin being part of the ftp_upload group.
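
Added example (not from any poster in this thread): a small shell model of the owner/group/other check that the proposals above depend on, applied to the modes suggested in the thread. The group memberships and the owner used for the 570 case are assumptions; root and ACLs are out of scope.

```shell
#!/bin/sh
# Classic Unix permission check (no ACLs, caller is not root): exactly one
# class applies, tried in the order owner, then group, then other.

# access_for MODE OWNER GROUP USER "USER_GROUPS" -> prints e.g. "r-x"
access_for() {
    mode=$1; owner=$2; group=$3; user=$4; user_groups=$5
    bits=$(( 0$mode & 0777 ))          # leading 0 = octal; drops the setgid digit
    if [ "$user" = "$owner" ]; then
        class=$(( (bits >> 6) & 7 ))   # owner bits apply even if group grants more
    else
        class=$(( bits & 7 ))          # "other" unless one of the groups matches
        for g in $user_groups; do
            if [ "$g" = "$group" ]; then
                class=$(( (bits >> 3) & 7 ))
                break
            fi
        done
    fi
    out=""
    for pair in 4:r 2:w 1:x; do
        if [ $(( class & ${pair%%:*} )) -ne 0 ]; then
            out="$out${pair#*:}"
        else
            out="$out-"
        fi
    done
    printf '%s\n' "$out"
}

# Constructed demo of the layouts proposed in the thread. Assumed memberships:
# each user has a private group; ftp_admin is additionally in ftp_upload.
show() {   # show LABEL MODE OWNER GROUP
    echo "$1 (mode $2, $3:$4)"
    for entry in "ftp_admin:ftp_admin ftp_upload" "ftp_upload:ftp_upload" \
                 "ftp_download:ftp_download"; do
        printf '  %-13s %s\n' "${entry%%:*}" \
            "$(access_for "$2" "$3" "$4" "${entry%%:*}" "${entry#*:}")"
    done
}

show "ftp/"        755  ftp_admin  ftp_admin
show "ftp/uploads" 2775 ftp_admin  ftp_upload
show "ftp/uploads" 570  ftp_upload ftp_upload   # owner is an assumption
```

On a directory, "x" means permission to enter and traverse it, and "w" means permission to create and delete entries in it.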