Hello.
I need some help to create a shared folder.
A group 'publicuser' has been created.
A user 'publicuser' has been created ( no login, no home) and belongs to group 'publicuser'.
A public folder '/doc' has been created and owner is publicuser:publicuser.
All users belonging to group 'publicuser' can create folder under'/doc'.
All users belonging to group 'publicuser' can create folder in other user's folder as far as they reside under '/doc'. User's folder are just non private folders.
All users belonging to group 'publicuser' can read, write, modify any type of files everywhere Independently of whom is the owner, as far as they reside under '/doc'.
Only owner can delete objects.
File cannot be executed.
I have try this piece of code, but I cannot go thru folders.
# ---
# step 4 CREATE PUBLIC FOLDER
# ---
for A_PUB_FOLDER in "$PUB_GOUPS" ; do
if [[ "$A_PUB_FOLDER" == "/" ]] ; then
echo "ERROR - THIS PUBLIC FOLDER IS NOT DEFINED : \"$A_PUB_FOLDER\" "
echo "EXITING ..."
exit $E_BAD_PARAM
fi
#
echo
echo "--------------------------"
echo "Doing : $A_PUB_FOLDER"
echo "--------------------------"
echo
#
#
# Remove acl
#
CMD="setfacl -b $A_PUB_FOLDER" #//remove acl
echo "COMMAND : $CMD"
${CMD}
#
mkdir -pv $A_PUB_FOLDER
chmod -v +t $A_PUB_FOLDER #//set sticky bit
chmod -v +x $A_PUB_FOLDER #//set execute bit
#
chown -Rv publicuser:publicuser $A_PUB_FOLDER
#
setfacl -R -m u::rw- $A_PUB_FOLDER #//set user to rw-
setfacl -R -m g::r-- $A_PUB_FOLDER #//set group to r--
setfacl -R -m g:publicuser:rw- $A_PUB_FOLDER #//set group publicuser to rw-
setfacl -R -m o::--- $A_PUB_FOLDER #//set other to ---
# Set default
setfacl -R -d -m u::rw- $A_PUB_FOLDER #//set user rw- default
setfacl -R -d -m o::--- $A_PUB_FOLDER #//set other --- default
setfacl -R -d -m g::r-- $A_PUB_FOLDER #//set group to r-- default
setfacl -R -d -m g:publicuser:rw- $A_PUB_FOLDER #//set group publicuser to rw- default
#
done
#
Try using the sticky bit, like the way the /tmp directory is set up.
Apply the stick bit to all directories, and set ownership of them to publicuser.
acl's will work but are complex as you found.
After logout and log in again, It is not possible to edit files that you don't own yourself with vi or kate.
I suppose because the effective mask is r--
Any help is welcome
---------- Post updated at 18:50 ---------- Previous update was at 18:28 ----------
I have read that it is possible to define a mask.
I have a try and give news.
---------- Post updated at 20:35 ---------- Previous update was at 18:50 ----------
Have set mask
setfacl -R -m u::rwx $A_PUB_FOLDER #//set user to rwx
setfacl -R -m g::--- $A_PUB_FOLDER #//set group to ---
setfacl -R -m o::--- $A_PUB_FOLDER #//set other to ---
setfacl -R -m g:publicuser:rwx /$A_PUB_FOLDER #//set group publicuser to rwx
# Set default
setfacl -R -d -m u::rwx $A_PUB_FOLDER #//set user rwx default
setfacl -R -d -m o::--- $A_PUB_FOLDER #//set other --- default
setfacl -R -d -m g::--- $A_PUB_FOLDER #//set group --- default
setfacl -R -d -m g:publicuser:rwx /$A_PUB_FOLDER #//set group publicuser to rwx default
# set mask
setfacl -R -m m::rwx $A_PUB_FOLDER #//set mask to rwx
setfacl -R -d m::rwx $A_PUB_FOLDER #//set mask to rwx default
#
Nothing new.
OK ==> user not in group publicuser cannot access folders owned by publicuser.
OK ==> user in group publicuser can create/edit files they owned in any folders owned by publicuser.
bad ==> A user (belonging to publicuser) in it's own folder cannot edit files created by other users (belonging to group publicuser).
bad ==> until A user (belonging to publicuser)edit bor create a file, the file mask return to r--
For the moment it is on a simple linux multi-user box.
As said at post #1
You can 't do that with just chmod. You need ACL.
Everybody can do any action in the folder /doc ( or any sub-folders). But in that folder ( or sub-folders ) they may not delete any object they do not owned.
You can do that with just chmod, ACL's not needed. Set the folder U+S, just like they do on /tmp/, and you will only be able to delete your own files. G+S has a different meaning, it forces the group of created files to be the same group as the directory.
As I have already said that does not do what I want
Using G+S in PUBLIC SHARED FOLDER
a) deletion of not owned files forbidden : OK
b) creation in user's folder : OK
c) creation in other user's folder : OK
d) editing files owned by others in its own user's folder : KO access denied
d) editing files owned by others in any other folder ( owned or not owned ) : KO access denied
files are marked as
user::rw-
group::r--
other::r--
My test script in pseudo code :
chown -R publicuser:publicuser $A_PUB_FOLDER
chmod u+s $( find $A_PUB_FOLDER -type d )
test script : acl_sample_11.sh
see details : SUSE Paste
su to root
for each public folders
step 1 remove all acl
step 2 remove all files and subdiretories
step 3 create $A_PUB_FOLDER
step 4 chown -Rv publicuser:publicuser $A_PUB_FOLDER
chmod -v 0770 $( find $A_PUB_FOLDER -type d )
chmod -v u+s $( find $A_PUB_FOLDER -type d )
step 5 if $A_PUB_FOLDER == $A_SPECIFIC_PUB_FOLDER
step 5-a create another subfolder $A_SPECIFIC_PUB_FOLDER/SOME_FOLDER
step 5-b
chown -Rv publicuser:publicuser $A_SPECIFIC_PUB_FOLDER/SOME_FOLDER
chmod -v 0770 $( find $A_SPECIFIC_PUB_FOLDER/SOME_FOLDER -type d )
chmod -v u+s $( find $A_SPECIFIC_PUB_FOLDER/SOME_FOLDER -type d )
step 7 for some user in list
step 7-a
create sub folder $A_PUB_FOLDER/$A_USER
step 7-b
chown -Rv publicuser:publicuser $A_PUB_FOLDER/$A_USER
chmod -v 0770 $( find $A_PUB_FOLDER/$A_USER -type d )
chmod -v u+s $( find $A_PUB_FOLDER/$A_USER -type d )
step 8
step 8-a su to user1 ; create test file in $A_PUB_FOLDER/user1
step 8-b su to user2 ; create test file in $A_PUB_FOLDER/user2
step 8-a as user2 create test file in $A_PUB_FOLDER/user1
chown -R publicuser:publicuser $A_PUB_FOLDER
chmod 1770 $( find $A_PUB_FOLDER -type d )
test script : acl_sample_10.sh
see details : SUSE Paste
su to root
for each public folders
step 1 remove all acl
step 2 remove all files and subdiretories
step 3 create $A_PUB_FOLDER
step 4 chown -Rv publicuser:publicuser $A_PUB_FOLDER
chmod -v 1770 $( find $A_PUB_FOLDER -type d )
step 5 if $A_PUB_FOLDER == $A_SPECIFIC_PUB_FOLDER
step 5-a create another subfolder $A_SPECIFIC_PUB_FOLDER/SOME_FOLDER
step 5-b
chown -Rv publicuser:publicuser $A_SPECIFIC_PUB_FOLDER/SOME_FOLDER
chmod -v 1770 $( $A_SPECIFIC_PUB_FOLDER/SOME_FOLDER -type d )
step 7 for some user in list
step 7-a
create sub folder $A_PUB_FOLDER/$A_USER
step 7-b
chown -Rv publicuser:publicuser $A_PUB_FOLDER/$A_USER
chmod -v 1770 $( $A_SPECIFIC_PUB_FOLDER/SOME_FOLDER -type d )
step 8
step 8-a su to user1 ; create test file in $A_PUB_FOLDER/user1
step 8-b su to user2 ; create test file in $A_PUB_FOLDER/user2
step 8-c as user2 ; create test file in $A_PUB_FOLDER/user1
The mode of a directory (whether set by chmod or by setting an ACL) controls who can create files in that directory, remove files from that directory, and search for files in that directory. It has absolutely nothing to do with who can read or write a file that happens to be located in that directory.
If you want to let a large group of people edit a file, set the mode of that file to allow all of those people to edit it (either by creating a group containing those people's userIDs and making the file writeable by that group or by creating an ACL for that file that grants all of those people's userIDs write permission).
Well, that would be your problem. The group and other flags define whether the files can be read/written/executed by same group or others. Leaving them at r-- all the time guarantees they'll never be writable to anyone but their owners.
Make the file group-writable and others in the group will be able to write to it. etc.
That exactly what I try to do (see #1 ).
I have created a group which name is publicuser. Every people in that group can do any actions but cannot delete files that they do not owned.
I have created a partition which is public for people in group public user. Others are exclude.
But I failed to make it running the way I want.
---------- Post updated at 19:48 ---------- Previous update was at 19:32 ----------
I have try what you and jim suggest to me.
I have not set any things to r--.
No, this is not what you have done! You have to make the REGULAR FILES you want to edit writeable by group publicuser . All that any of the stuff you have shown us does is modify the permissions on the DIRECTORY or DIRECTORIES that contain your files. All of the commands you have shown us so far use:
find ... -type d ...
and type d only works on directories; not on regular files.
If you want regular files to be editable by everyone in group publicuser , in addition to what you have already done with the directions, the mode on those files need to be something like 660 AND they must have groupID publicuser .
To make the regular files in a file hierarchy rooted in the current directory have groupID publicuser , you need root or the current owner of those files to set the groupID of those files to publicuser and set the mode of those files to allow the owner and the group to have read and write permission:
To summarize the last few weeks of confusion and argument:
Directory permissions who is allowed to create and delete which files where. The special U+S bit on a directory prevents people from deleting someone else's files.
The permissions on the files themselves determine who is able to edit them.
No amount of fancy ACL's on the directory they're inside will permit you to edit files set 000.
Use the permissions on the directory to control who's allowed to create files and who's allowed to delete files.
Use file permissions to control who's allowed to edit files.
Use umask to ensure files are created with the correct permissions. This is a user setting, not a file setting. I'm not sure what, if any equivalent there is for ACL's.
Ok that works using ACL.
Here the full procedure I have used.
Goal : In folders defined as "PUBLIC" for users in group "publicuser', any users can do anythings but cannot delete objects they do not own.
[*]1st Step :
[*]Creation of initial group, user and folders
Create group publicuser
Create user publicuser (no login user), user_test1, user_test2
[*]Add publicuser, user_test1, user_test2 to group publicuser
Create a new folder :
[*]mkdir -p /d_pub_folder
[*]chown publicuser:publicuser /d_pub_folder
Create sub-folder for each regular user
[*]mkdir -p /d_pub_folder/user_test1
[*]chown user_test1:publicuser /d_pub_folder/user_test1
[*]mkdir -p /d_pub_folder/user_test2
[*]chown user_test2:publicuser /d_pub_folder/user_test2
Set properties on new folders
[*]chmod -R 770 /d_pub_folder
[*]chmod -R g+s /d_pub_folder
[*]chmod -R +t /d_pub_folder
Set ACL on new folders
#set user to rwx, group to ---, group publicuser to rwx,other to ---
[*]setfacl -R -m u::rwx,g::---,g:publicuser:rwx,o:--- /d_pub_folder
#set default : user to rwx, group to ---, group publicuser to rwx,other to ---
[*]setfacl -R -d -m u::rwx,g::---,g:publicuser:rwx,o:--- /d_pub_folder
[*]2nd Step :
Files creation Create new files owned by each user in their respective folder
[*]su to user_test1
[*]echo "Create by user_test1 in user_test1's folder" > /d_pub_folder/user_test1/testfile_1.txt
[*]su to user_test2
[*]echo "Create by user_test2 in user_test2's folder" > /d_pub_folder/user_test2/testfile_2.txt
Create new files own by user_test2 in user_test1's folder
[*]echo "Create by user_test2 in user_test1's folder" > /d_pub_folder/user_test1/testfile_4.txt
[*]3rd Step : ACL Check from a "public" folder /d_pub_folder/....
[*]1�) OK : any user can create a file in it's own folder
[*]2�) OK : any user can create a file in folder owned by others
[*]3�) OK : any user can modify a file they owned in folder owned by others
[*]4�) OK : any user cannot delete a file they do not owned any where
[*]5�) OK : any user can modify a file they do not owned using vi in a terminal emulator (Konsole)
What does not work :
[*] 6�) FAILED : any user cannot modify a file they do not owned using KATE or KWRITE in graphical session.
For linux user using KDE, for the moment there is in a problem to modify a file which you are not the owner.
From Opensuse people :
A bug report has been reported to KDE.
Anyway thank you everybody for taking your time to help me.
Despite the problem with Kate or Kwrite, I mark this thread solve.
Site administrator are free to remove the tag if necessary.