Exercising Our Privileges
Now that we have learned how this permissions thing works, it's time to show it off. We are going to demonstrate the solution to a common problem: setting up a shared directory. Let's imagine that we have two users named "bill" and "karen." They both have music CD collections and wish to set up a shared directory, where they will each store their music files as Ogg Vorbis or MP3. User bill has access to superuser privileges via sudo.
The first thing that needs to happen is creating a group that will have both bill and karen as members. Using the graphical user management tool, bill creates a group called music and adds users bill and karen to it:
Figure 3: Creating A New Group With GNOME
Next, bill creates the directory for the music files:
[bill@linuxbox ~]$ sudo mkdir /usr/local/share/Music
Password:
Since bill is manipulating files outside his home directory, superuser privileges are required. After the directory is created, it has the following ownerships and permissions:
[bill@linuxbox ~]$ ls -ld /usr/local/share/Music
drwxr-xr-x 2 root root 4096 2016-03-21 18:05 /usr/local/share/Music
As we can see, the directory is owned by root and has 755 permissions. To make this directory sharable, bill needs to change the group ownership and the group permissions to allow writing:
[bill@linuxbox ~]$ sudo chown :music /usr/local/share/Music
[bill@linuxbox ~]$ sudo chmod 775 /usr/local/share/Music
[bill@linuxbox ~]$ ls -ld /usr/local/share/Music
drwxrwxr-x 2 root music 4096 2016-03-21 18:05 /usr/local/share/Music
So what does this all mean? It means that we now have a directory, /usr/local/share/Music, that is owned by root and allows read and write access to group music. Group music has members bill and karen, so bill and karen can create files in directory /usr/local/share/Music. Other users can list the contents of the directory but cannot create files there.
But we still have a problem. With the current permissions, files and directories created within the Music directory will have the normal permissions of the users bill and karen:
[bill@linuxbox ~]$ > /usr/local/share/Music/test_file
[bill@linuxbox ~]$ ls -l /usr/local/share/Music
-rw-r--r-- 1 bill bill 0 2016-03-24 20:03 test_file
Actually there are two problems. First, the default umask on this system is 0022, which prevents group members from writing files belonging to other members of the group. This would not be a problem if the shared directory only contained files, but since this directory will store music, and music is usually organized in a hierarchy of artists and albums, members of the group will need the ability to create files and directories inside directories created by other members. We need to change the umask used by bill and karen to 0002 instead.
Second, each file and directory created by one member will belong to that user's primary group (bill for bill's files, as the listing above shows) rather than to the group music. This can be fixed by setting the setgid bit on the directory, which makes new entries inherit the directory's group:
[bill@linuxbox ~]$ sudo chmod g+s /usr/local/share/Music
[bill@linuxbox ~]$ ls -ld /usr/local/share/Music
drwxrwsr-x 2 root music 4096 2016-03-24 20:03 /usr/local/share/Music
Now we test to see if the new permissions fix the problem. bill sets his umask to 0002, removes the previous test file, and creates a new test file and directory:
[bill@linuxbox ~]$ umask 0002
[bill@linuxbox ~]$ rm /usr/local/share/Music/test_file
[bill@linuxbox ~]$ > /usr/local/share/Music/test_file
[bill@linuxbox ~]$ mkdir /usr/local/share/Music/test_dir
[bill@linuxbox ~]$ ls -l /usr/local/share/Music
drwxrwsr-x 2 bill music 4096 2016-03-24 20:24 test_dir
-rw-rw-r-- 1 bill music 0 2016-03-24 20:22 test_file
[bill@linuxbox ~]$
Both files and directories are now created with the correct permissions to allow all members of the group music to create files and directories inside the Music directory. Note that test_dir has itself come out with the setgid bit set (drwxrwsr-x), so the same rule applies to anything created inside it: the group music is propagated down the whole hierarchy of artists and albums, not just to the top level.
The one remaining issue is umask. The necessary setting only lasts until the end of the session and must be set again each time bill or karen logs in. In Chapter 11, we'll look at making the change to umask permanent.
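The whole recipe from this section, as an added example that is not part of the book: the setup steps as reusable shell functions, followed by a check that entries created inside the shared directory really come out with the expected group and modes, first with the default umask 0022 (the failure mode described above) and then with 0002. It runs against a scratch directory and the caller's own primary group so it needs no sudo; on the real system you would run setup_shared_dir with sudo against /usr/local/share/Music and the group music (created beforehand with groupadd and populated with usermod -aG, the command-line equivalent of the GNOME dialog in Figure 3). The function names, the scratch paths and the use of numeric gids are this example's own choices, and it assumes GNU coreutils (stat -c) on a filesystem that honours the setgid bit on directories, as every normal Linux filesystem does.

```sh
#!/bin/sh
# Added example, not from the book: the shared-directory recipe from this
# section as reusable shell functions, followed by a check that new entries
# really come out with the expected group and modes. It runs against a
# scratch directory and the caller's own primary group so it needs no sudo;
# on the real system you would run setup_shared_dir with sudo against
# /usr/local/share/Music and the group music. Assumes GNU coreutils (stat -c)
# and a filesystem that honours the setgid bit on directories.

# setup_shared_dir DIR GROUP
# Create DIR, hand it to GROUP (name or numeric gid) and set mode 2775:
# rwxrwsr-x, the 775 from the text plus the setgid bit, so entries created
# inside inherit GROUP instead of the creator's primary group.
setup_shared_dir() {
    mkdir -p "$1" && chown ":$2" "$1" && chmod 2775 "$1"
}

# Octal mode (the leading digit carries setuid/setgid/sticky) and numeric
# gid of a path. Numeric gids avoid depending on /etc/group name lookups.
mode_of()  { stat -c '%a' "$1"; }
group_of() { stat -c '%g' "$1"; }

# create_entries DIR PREFIX UMASK
# Create PREFIX.file and PREFIX.dir inside DIR with the given umask, the way
# a group member would. The subshell keeps the umask change from leaking
# into the calling shell: umask is per-process, which is why the text says
# the setting only lasts for the session.
create_entries() {
    (
        umask "$3"
        : > "$1/$2.file" && mkdir "$1/$2.dir"
    )
}

# shared_dir_ok DIR GID PREFIX
# Return 0 only if PREFIX.file is 664, PREFIX.dir is 2775 (group-writable,
# setgid inherited) and both belong to GID. That is what another member
# needs in order to add tracks under a folder this member created.
shared_dir_ok() {
    f="$1/$3.file"
    d="$1/$3.dir"
    [ "$(mode_of "$f")" = 664 ] &&
        [ "$(mode_of "$d")" = 2775 ] &&
        [ "$(group_of "$f")" = "$2" ] &&
        [ "$(group_of "$d")" = "$2" ]
}

# demo: reproduce the failure mode (default umask 0022: the group can read
# but not write, and a subfolder comes out 2755) and then the fix (umask
# 0002). Returns 0 when the 0022 entries fail the check and the 0002
# entries pass it.
demo() {
    scratch=$(mktemp -d) || return 1
    gid=$(id -g)
    setup_shared_dir "$scratch/Music" "$gid" || return 1

    create_entries "$scratch/Music" strict 0022
    create_entries "$scratch/Music" shared 0002
    echo "shared directory: mode $(mode_of "$scratch/Music") gid $(group_of "$scratch/Music")"
    ls -l "$scratch/Music"

    status=0
    if shared_dir_ok "$scratch/Music" "$gid" strict; then
        echo "unexpected: umask 0022 entries are group-writable"
        status=1
    fi
    if ! shared_dir_ok "$scratch/Music" "$gid" shared; then
        echo "FAIL: umask 0002 entries are not group-writable or have the wrong group"
        status=1
    fi
    rm -rf "$scratch"
    return $status
}

demo
```

The listing printed by demo shows the same contrast as the book's two ls -l outputs: the strict.* entries carry the shared group (the setgid bit did its job) but are 644 and 2755, so a fellow member could neither edit the file nor add anything under the folder; the shared.* entries are 664 and 2775. Setting the setgid bit fixes group ownership only; the umask is what decides whether the group can actually write.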