Newbie understanding group permissions - Help


Thread: Newbie understanding group permissions

  1. Newbie understanding group permissions

    I'm trying to set up a directory where users can publish their docs on a
    webserver. I want the users to be able to add their own files but not
    delete others' files.

    I created the directory:

    sudo mkdir -m 775 /mnt/userdata/www

    I then change the owner/group to apache.apache:

    sudo chown apache.apache /mnt/userdata/www

    Next I assigned the apache group to the users I want to publish:
    [wlott@homebase ~]$ cat /etc/group | grep apache

    apache:x:73:woodylott,wlott

    I thought I was done, but when I attempt to write in the directory, I get
    permission denied:

    [wlott@homebase ~]$ touch /mnt/userdata/www/test
    touch: cannot touch `/mnt/userdata/www/test': Permission denied

    What am I missing here?

    Thanks,
    Woody

  2. Re: Newbie understanding group permissions

    In article , Woody wrote:

    >I'm trying to set up a directory where users can publish their docs on a
    >webserver. I want the users to be able to add their own files but not
    >delete others' files.


    OK

    >I then change the owner/group to apache.apache:


    OK - I can see the problem coming

    >Next I assigned the apache group to the users I want to publish:
    >[wlott@homebase ~]$ cat /etc/group | grep apache
    >
    >apache:x:73:woodylott,wlott


    Yes

    >I thought I was done, but when I attempt to write in the directory, I get
    >permission denied:
    >
    >[wlott@homebase ~]$ touch /mnt/userdata/www/test
    >touch: cannot touch `/mnt/userdata/www/test': Permission denied


    [compton ~]$ whatis newgrp
    newgrp (1) - log in to a new group
    [compton ~]$

    If you look _now_ at what group you belong to, you'll find you are
    in your primary group (the one you set in /etc/passwd). You need to
    run the 'newgrp' command to become an _active_ member of the apache
    group at this time. Use the 'id' command to see what group you belong
    to now.

    [compton ~]$ id
    uid=219(ibuprofin) gid=100(users) groups=100(users)
    [compton ~]$

    Old guy


  3. Re: Newbie understanding group permissions

    ibuprofin@painkiller.example.tld (Moe Trin) wrote in
    news:slrnd2cnl2.b77.ibuprofin@compton.phx.az.us:

    > In article , Woody
    > wrote:
    >
    >>I'm trying to set up a directory where users can publish their docs on
    >>a webserver. I want the users to be able to add their own files but
    >>not delete others' files.

    >
    > OK
    >
    >>I then change the owner/group to apache.apache:

    >
    > OK - I can see the problem coming
    >
    >>Next I assigned the apache group to the users I want to publish:
    >>[wlott@homebase ~]$ cat /etc/group | grep apache
    >>
    >>apache:x:73:woodylott,wlott

    >
    > Yes
    >
    >>I thought I was done, but when I attempt to write in the directory, I
    >>get permission denied:
    >>
    >>[wlott@homebase ~]$ touch /mnt/userdata/www/test
    >>touch: cannot touch `/mnt/userdata/www/test': Permission denied

    >
    > [compton ~]$ whatis newgrp
    > newgrp (1) - log in to a new group
    > [compton ~]$
    >
    > If you look _now_ at what group you belong to, you'll find you are
    > in your primary group (the one you set in /etc/passwd). You need to
    > run the 'newgrp' command to become an _active_ member of the apache
    > group at this time. Use the 'id' command to see what group you
    > belong to now.
    >
    > [compton ~]$ id
    > uid=219(ibuprofin) gid=100(users) groups=100(users)
    > [compton ~]$
    >
    > Old guy
    >
    >


    Okay, here's what I did:

    [wlott@homebase ~]$ id
    uid=500(wlott) gid=500(wlott) groups=500(wlott)

    [wlott@homebase ~]$ newgrp apache

    [wlott@homebase ~]$ id
    uid=500(wlott) gid=73(apache) groups=73(apache),500(wlott)

    [wlott@homebase ~]$ touch /mnt/userdata/www/test

    So, now I can write there. So, every time I want to assume the role of a
    member of a secondary group, I have to run newgrp? Is it common to put
    that in a script?

    Thanks,
    Woody

  4. Re: Newbie understanding group permissions

    In article , Woody wrote:

    >[wlott@homebase ~]$ id
    >uid=500(wlott) gid=500(wlott) groups=500(wlott)


    Oh, wonderful - another distribution with a bizarre idea of group
    membership. I think Red Hat started that in Linux back in 1996.
    Normally in Unix, you would belong to one (or more) groups, such as
    'users' or 'devel' or 'students' or some such. This would give you access
    to other files/directories/services that have group permissions. Red Hat
    decided to put each user in their own group, effectively canceling
    the functionality of such groups. Some Unix also pull this, as it does
    increase security, but it also makes sharing stuff much harder.

    >[wlott@homebase ~]$ newgrp apache
    >
    >[wlott@homebase ~]$ id
    >uid=500(wlott) gid=73(apache) groups=73(apache),500(wlott)


    Now, your primary group is 'apache' and your secondary group is 'wlott'.

    >So, now I can write there. So, every time I want to assume the role of a
    >member of a secondary group, I have to run newgrp? Is it common to put
    >that in a script?


    A lot depends on your distribution, and how it's configured. Many Unix now
    read /etc/passwd and /etc/group when you log in, and make you a member of
    all groups you are listed in. This was an improvement over the original
    Bell Labs/AT&T/SystemV behavior of 'one group at a time'. Remember that
    if you are in a chroot'ed environment, this may refer to the "real"
    /etc/passwd and /etc/group OR the usually much more restrictive files
    in the chroot'ed /etc/ directory.

    Old guy
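
Added example, not part of any post in this thread: a shell check that separates the two situations discussed above, a user who is listed for the directory's group in the group database versus a process that actually holds that group right now. It assumes GNU stat; the function names and result strings are made up for this illustration.

```shell
#!/bin/sh
# Added example: why does a group-writable directory refuse my write?

# has_gid LIST GID -> succeeds if GID is in the space-separated LIST
has_gid() {
    for g in $1; do
        [ "$g" = "$2" ] && return 0
    done
    return 1
}

# diagnose ACTIVE_GIDS DB_GIDS DIR_GID DIR_MODE
#   ACTIVE_GIDS: groups the running process holds (output of `id -G`)
#   DB_GIDS:     groups the user is listed in (output of `id -G username`)
diagnose() {
    active=$1 db=$2 dir_gid=$3 mode=$4
    # Creating a file needs group write AND search (x) on the directory: octal 030.
    if [ $(( 0$mode & 030 )) -ne $(( 030 )) ]; then
        echo "no-group-write"        # mode itself blocks group members
    elif has_gid "$active" "$dir_gid"; then
        echo "ok"                    # process already holds the group
    elif has_gid "$db" "$dir_gid"; then
        echo "listed-not-active"     # log in again or run newgrp
    else
        echo "not-member"            # user must be added to the group first
    fi
}

# check_dir DIR: gather the real values for the current process and DIR.
check_dir() {
    dir=$1
    info=$(stat -c '%g %a' "$dir") || return 2   # GNU stat: "<gid> <octal mode>"
    set -- $info
    diagnose "$(id -G)" "$(id -G "$(id -un)")" "$1" "$2"
}

# Run as: sh thisfile /mnt/userdata/www
if [ $# -gt 0 ]; then
    check_dir "$1"
fi
```

With the values from the thread, wlott's first shell gives "listed-not-active" and the shell after newgrp gives "ok".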

