Best Practise to Setup a Shared Directory

Dear Group,

I know this subject has been beaten to death. :frowning: I’ve read the conversations and threads. Some of them advise the use of using useradd, to add users to a group. I dont think I can use this as I already have users on my system.

We access our shared Linux folders from Windows. Our users complain they cant access documents or create folders, via Windows Explorer, in the Linux shared folder when someone else creates it. For example, if user A creates a folder (say folder abc) in the shared Linux directory (via Windows Explorer or within Linux itself), user B cannot create anything in folder abc unless the admin issues this command:

chmod -R 2777 /home/myproj/ where myproj is the base folder.

I thought setting this permission once is adequate but I find out it is not. It has to be issued every time someone creates a new folder so that others can create or modify files in them.

Surely there must be an easier way to create shared folders in Linux. :confused: Can someone please point out some documentation that I can refer to or some tips on how to implement this?

Thanking you in advance.
Regards,
Kenneth.

On 06/29/2014 10:24 PM, intecperict wrote:[color=blue]

I know this subject has been beaten to death. :frowning: I’ve read the
conversations and threads. Some of them advise the use of using useradd,
to add users to a group. I dont think I can use this as I already have
users on my system.[/color]

I do not understand. You can add groups to existing system at any time,
and you can add users to new groups at any time, and those should still
work. In essence this is what you’ll need to do with the option you’re
proposing below by using the SGID bit, though your steps below are incomplete.
[color=blue]

We access our shared Linux folders from Windows. Our users complain they[/color]

Using which protocol? NFS? SMB? SFTP/SCP? FTPS/FTP?
[color=blue]

cant access documents or create folders, via Windows Explorer, in the
Linux shared folder when someone else creates it. For example, if user A
creates a folder (say folder abc) in the shared Linux directory (via
Windows Explorer or within Linux itself), user B cannot create anything
in folder abc unless the admin issues this command:

chmod -R 2777 /home/myproj/ where myproj is the base
folder.[/color]

This command states: Set all permissions in /home/myproj to be readable,
writable, and executable by anybody, and also set the SGID bet all over
the place. In my opinion, the ‘777’ portion of this is a bad idea, but it
is probably also the reason things work until you create new stuff (that
does not make it good… it just means you’re exploiting weak permissions
to your own benefit).

The SGID bit’s purpose is to help in your kind of scenario. To make it
work the SGID bit must be set (‘2’ as the first of four octets, as you
have it above) and then the group-owner of the directories must be the
group-owner you intend to stick around for everything within. For a new
install, this works well since when you first start all you have is the
new directory and everything created within will be created after the SGID
bit is set, so everything within will have the same group-owner. For an
existing directory structure you need to be sure that the group-owner of
everything is set correctly first or else the SGID functionality will
continue to do what it does best, which is to set the group-owner to
whatever value is set on the directory containing the new file/directory.
In summary, if you do not have all of your content within /home/myproj
set to be group-owned by the correct group (the one to which everybody
appropriate belongs), then fix that with ‘chgrp’:

Code:

chgrp -R correctGroupHere /home/myproj

[color=blue]

I thought setting this permission once is adequate but I find out it is
not. It has to be issued every time someone creates a new folder so that
others can create or modify files in them.[/color]

Another option is that perhaps your umask is incorrect, which your ‘chown’
command is “fixing” for you over and over. If your umask is the default
0022, then any files/directories created will not be writable by the
group-owner, but will only be readable. If this is the case you need to
help users change their default umask so that when they create
files/directories they do so with the correct permissions allowing other
group-members to have rights to the new content. A directory will
normally be created granting the group-owner access to read/execute (list
files of, and browse into, the directory, but not create) and read (not
write) files. A umask of 0002 (or 000-anything) would fix this.


Good luck.

If you find this post helpful and are logged into the web interface,
show your appreciation and click on the star below…

Hi Kenneth,

in addition to ab’s answer I’d like to point out that your chmod command is actually very far from perfect:

This will set every file in that folder (and sub-folders) executable and even make it “sticky user-id” - if someone sneaked in an actual binary, then once this chmod ran, someone on that Linux machine might trip that code and cause nasty side effects, depending on the owning group of that file and the nature of the included binary.

What was probably intended was to set the sticky group bit on the directory (and possible sub-directories). Lookup “find /home/myproj/ -type d” together with the “-exec” option to get a more proper result.

Some of them advise the use of using useradd, to add users to a group

…which is either wrong advice, or out of context: You can use “useradd” to add users and while doing so, add them to groups. “usermod -G” looks more like the command of choice for your task (getting existing users into specific groups).

In addition, in case of sharing that folder via SMB, the “force group” parameter for that specific share will be your friend. Have a detailed look at the “+group” syntax (man smb.conf), which might be really helpful in your specific case.

Regards,
Jens

and even make it “sticky user-id” […] depending on the owning group of that file"

of course that should have been “sticky group-id”…

Regards,
Jens