Solved

Linux file permissions

Posted on 2013-01-29
Last Modified: 2013-02-02
Experts,

I've created a file share on a Linux Mint Server (Ubuntu 12.04). The permissions are set to 777.

The share owner is root, the group users.  Others can "create and delete files."

My users can all browse the folder and create and delete new folders from their client machines.

However, whenever a client creates a new file, the owner is root!  As a result, the new file is read-only!


I've tried the sticky bit (chmod g+s).  No joy.

Can you suggest a way to grant full access to this share?
Question by:Glen Gibb
19 Comments
 
LVL 7

Assisted Solution

by:Beneford
Beneford earned 200 total points
Is this shared with Samba?

You may have the admin users option set (making all users run as if they are root), and you may want to have the force user option set (making all users access as if they are some (other) user).
Exactly what you do will depend on your security requirements, but if you're happy with 777, that's probably not an issue.

Check out Chapter 16 (esp 16.2) of Samba documentation (www.samba.org, learn samba\Official HOWTO)
 

Author Comment

by:Glen Gibb
This is a Samba share.

I've set "force user = capt", I've made "capt" the owner of the folder.  But my client still creates files as "root."

Any other ideas?

Capt
 
LVL 31

Expert Comment

by:farzanj
>> I've tried the sticky bit (chmod g+s).  No joy.

This command is used for GID not sticky bit.  Sticky bit is chmod o+t.

Secondly sticky bit is not meant for this purpose.  With it only the user can delete his own file.
 

Author Comment

by:Glen Gibb
OK, but how do I allow the user to create his own file?  Shouldn't the 777 take care of that?

But it doesn't!

Capt
 
LVL 31

Expert Comment

by:farzanj
NO.  Absolutely not.  777 is a bad practice; it appears to be a quick practice to fix "everything" but it is not.  It has nothing to do with the ownership of created files/folders.  It allows everyone to read, write and execute.

If the new files are read only, perhaps they don't have read permissions for "others".   Files have the user and group ownership of the effective user and group of the creating process.  The old method for default file permissions (not ownership) is umask.

The old mechanism of inheriting ownership of group is applying GID as you were doing above on this folder where the files are created.  If you do chmod g+s folder, any file in this folder will have the group of the folder rather than the process that created it.
 

Author Comment

by:Glen Gibb
Hi, Experts,

Still no solutions?  I've tried the chmod g+s to my folder, but still a network client creates a file that has root as its owner, users as its group (read-only) and others w/ read-only access as well.  

Folder creation seems fine.

I want this as a public folder, where everyone can create, delete, and update files and folders!

Yes, I'm a victim of ignorance, but you are the Experts!

Help!

Capt
 
LVL 31

Accepted Solution

by:farzanj
farzanj earned 300 total points
Is 'users' the group of the folder where this file is created?  If so, this is the expected behavior.

You can use filesystem ACLs at least to set the default permissions.

setfacl -m -d u::rwx /path/folder
setfacl -m -d g::rwx /path/folder
setfacl -m -d o::rwx /path/folder

Not good from a security viewpoint, but at least you would know what is going on.
 

Author Comment

by:Glen Gibb
I'll give it a try.  Even from the server itself, although applying chmod -R a or g+rwx /public,
creating a new file gives read/write permissions to the owner, but the  group and other are read-only.

Strangely, Win boxes have no troubles at all with file creation.  Just Linux boxes produce this.
 

Author Comment

by:Glen Gibb
setfacl: Option -m: Invalid argument near character 1

Can you tell me what happened here?

 

Author Comment

by:Glen Gibb
Removed the -d from the setfacl and it executed.
 

Author Comment

by:Glen Gibb
No change.  Folders have rwx for owner, group and others.  New files and folders are rwx for owner.  Group and Others are read-only.
 
LVL 31

Expert Comment

by:farzanj
No, that changes the meaning.

Try:
setfacl -m d:u::rwx,d:g::rwx,d:o::rwx directory_name

 

Author Comment

by:Glen Gibb
getfacl: Removing leading '/' from absolute path names
# file: media/Docs/geFiles
# owner: glen
# group: users
# flags: -s-
user::rwx
group::rwx
other::rwx
default:user::rwx
default:group::rwx
default:other::rwx

This sort of tells me my Linux user has rwx permissions.  But using Nautilus, no go.  Is Nautilus the culprit?
 
LVL 31

Expert Comment

by:farzanj
With these permissions, any file now created should be readable or writable by anyone.  You could also have implemented it based on groups only.  It would NOT change the user ownership though.  User ownership will be the same as the process/program's user ownership.  If GID is set, then group ownership should be the same as the ownership of the folder.
 

Author Comment

by:Glen Gibb
Did the chmod g+s /...
Ran setfacl (as above).

Now file creation on the server works as hoped.  Files and folders have rwx for all.

However, on the Linux clients, no change.  Owner has rwx, g and o have r.
 
LVL 31

Expert Comment

by:farzanj
I do not understand what clients you are talking about.  What kind of client?  Samba clients?  If you are talking about a Samba share, did you give writable a "yes"?  In case of Samba, look at your share permissions.
 

Author Comment

by:Glen Gibb
Just to illustrate, here's my smb.cnf for the public share:

[docs]
path = /media/Docs/geFiles
comment = Home network shared files
valid users = www-data glen glen@DevBox ftp smbguest capt steve proftpd
write list = www-data glen glen@DevBox proftpd ftp smbguest capt steve
admin users = www-data glen proftpd ftp root smbguest capt steve
force group = users
public = yes
available = yes
writable = yes
guest ok = yes
printable = yes
locking = yes
strict locking = no
browsable = yes
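An added example, not part of the thread or any poster's code: a small Python check run over the [docs] share as posted above, flagging the settings the replies ask about. In Samba, `admin users` makes the listed accounts perform file operations as root on the share, and with no `create mask` set the documented default of 0744 applies to new files; the TIGHTER share and its values are constructed here for comparison.

```python
import configparser

# The [docs] share from the thread, reduced to the keys that are checked.
POSTED = """\
[docs]
path = /media/Docs/geFiles
admin users = www-data glen proftpd ftp root smbguest capt steve
force group = users
public = yes
writable = yes
guest ok = yes
printable = yes
"""

# Constructed alternative for comparison (values are assumptions, not from the thread).
TIGHTER = """\
[docs]
path = /media/Docs/geFiles
valid users = @users
force group = users
writable = yes
create mask = 0664
directory mask = 0775
"""

def audit_share(conf_text, share):
    """Return the names of risky or surprising settings found in one share."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    sec = cp[share]

    def enabled(*names):  # smb.conf booleans: yes/true/1
        return any(sec.get(n, "no").strip().lower() in ("yes", "true", "1") for n in names)

    findings = []
    if sec.get("admin users", "").split():
        findings.append("admin users")      # listed users do all file operations as root
    if enabled("guest ok", "public") and enabled("writable", "writeable", "write ok"):
        findings.append("guest write")      # unauthenticated clients may write
    if enabled("printable", "print ok"):
        findings.append("printable")        # share is treated as a print spool
    if "create mask" not in sec and "create mode" not in sec:
        findings.append("default create mask")  # default 0744: no group/other write
    return findings

if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("tighter", TIGHTER)):
        print(name, audit_share(text, "docs"))
```
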
 
LVL 31

Expert Comment

by:farzanj
What makes you think that the files are readonly?  Can you show what is read only?
 

Author Closing Comment

by:Glen Gibb
Thanks, Experts.

I solved the problem by re-examining the shared file in Webmin.  Seems that the share had permissions for printers and files, and things were fairly complex.  I deleted the share, put the printers in /var/spool/samba and re-created the file share.

Works great.