I need help understanding how giving write permission to a group works in Ubuntu. I am logged in as root and have a www-data:www-data and ftpuser:ftpuser (user:group). I add the ftpuser into the www-data group using:
usermod -a -G www-data ftpuser
Now my www-data group has two users.
I then make the group www-data the owner of the folder /var/www using:
chgrp -R www-data /var/www
Still I have no write ability to the folder by a group member (though the group owns it) unless I give write permissions to the group. Now according to this best answer I also need to set the permissions on the directory using sudo chmod -R 770 /path/to/the/directory and this is what confuses me.
If a user is the owner of a directory why can't he write to it?
Can a user of a group give the group write permissions to a folder owned by the group himself?
Where is the group defined in the command sudo chmod -R 770 /path/to/the/directory ? Won't this give recursive permissions to all users?
2 Answers
though the group owns it
No, the group does not own a file in the sense that the permissions for the owner apply. Owner permissions apply only to the owner, a user; group permissions apply to the assigned group.
If a user is the owner of a directory why can't he write to it?
He can, except that ftpuser in your case is not the owner.
Most likely, because you don't say it explicitly: root or www-data is the owner of /var/www, and ftpuser is a member of the group www-data.
Even if the user www-data and the group www-data have the same name, they are different entities for the operating system.
Can a user of a group give the group write permissions to a folder owned by the group himself?
Again: the folder is not owned by a group. If the group has write permission, any member of the group can change the permissions on the object.
Where is the group defined in the command
sudo chmod -R 770 /path/to/the/directory
The second 7 refers to the group permissions (7 is a combination of read, write, and execute).
Won't this give recursive permissions to all users?
It will assign (recursively):
- read, write, and execute for the owner (first 7)
- read, write, and execute for the group (second 7)
- no permissions for other users (last 0)
Directory shared by group with write permissions for existing files
All users should be members of the group www-data. You can add them using
usermod -a -G www-data user1
usermod -a -G www-data user2
...
Giving the group www-data write permission to a folder and all the files it contains can be achieved with this series of commands:
chgrp -R www-data /var/www
chmod -R g+ws /var/www
All new files and directories will have the group www-data assigned and will be writable by members of the group.
Permissions for new files
The default umask on most Linux systems is 022, meaning that if user1 creates a file or directory under /var/www, that file becomes "editable" only by user1, but readable by the group www-data.
If this is expected behavior you should stop here.
Directory shared by group with write permission
You should verify whether extended ACLs are enabled on your system. Look at /etc/fstab for something like this:
/dev/sda5 / ext4 acl,.....
Having checked this, you need to provide extended ACL parameters for the directories.
You will add an ACL to allow new files created under the /var/www folder to also be writable by the www-data group using this command:
setfacl -R -b -k -d -m g:www-data:rwx --mask /var/www
In this scenario, if user1 creates a file or folder under /var/www, user2 will be able to write to or delete it.
Every new file or directory will have permissions rw-rw-???. Question marks will be something that you set for the others.
How to verify permissions
Use this command:
getfacl /var/www
The output should be something like this:
# file: /var/www
# owner: www-data
# group: www-data
# flags: -s-
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:www-data:rwx
default:mask::rwx
default:other::---
Default permissions for folder /var/www are: drwxrws---
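The answer above is a procedure in four steps (group membership, chgrp plus setgid, the umask caveat, and an optional default ACL). The script below is an added example, written for this page rather than taken from the answer, that carries the procedure out on a directory and lets you see the umask effect the answer warns about. It uses only coreutils (`chgrp`, `chmod`, `find`, `stat`) and calls `setfacl` only when it is installed; the caller's primary group stands in for www-data, and `DEMO`, the directory names and the `.probe.*` file name are placeholders chosen for the demo.

```shell
#!/bin/sh
# Added example (not from the answer above): build a group-shared directory
# with setgid inheritance and, where ACLs are available, a default ACL, then
# probe what mode newly created files actually get under a given umask.
# Assumes GNU/BusyBox stat -c; group and paths are placeholders.

# Make DIR shared by GROUP: group gets rwx, every directory gets setgid so
# new entries inherit the group, and "others" are shut out. Fixes up existing
# contents as well. Returns non-zero if chgrp fails (caller not in GROUP).
share_dir_with_group() {
    dir=$1
    group=$2
    chgrp -R "$group" "$dir" || return 1
    # Capital X adds execute only to directories and to files that are already
    # executable, unlike "g+ws" from the answer, which also sets setgid on
    # plain files.
    chmod -R g+rwX "$dir"
    find "$dir" -type d -exec chmod g+s,o-rwx '{}' +
}

# Add a default ACL so files created later under DIR are group-writable even
# when the creating user's umask is 022. Skipped silently if setfacl is not
# installed or the filesystem was not mounted with ACL support.
add_default_group_acl() {
    dir=$1
    group=$2
    command -v setfacl >/dev/null 2>&1 || return 0
    setfacl -R -d -m "g:$group:rwx" "$dir" 2>/dev/null || return 0
}

# Create (then delete) a file under DIR with umask MASK and print its octal
# mode, e.g. 644. Shows why umask 022 leaves the group without write.
probe_new_file_mode() {
    dir=$1
    mask=$2
    f="$dir/.probe.$$"
    (umask "$mask" && : > "$f") || return 1
    stat -c '%a' "$f"
    rm -f "$f"
}

# Print the octal mode and numeric gid of PATH, e.g. "2770 33".
mode_and_gid() {
    stat -c '%a %g' "$1"
}

# Demo: run with DEMO=1 to walk through the procedure on a scratch directory.
if [ "${DEMO:-0}" = 1 ]; then
    top=$(mktemp -d)
    echo "plain dir, umask 022 -> $(probe_new_file_mode "$top" 022)"   # 644
    echo "plain dir, umask 002 -> $(probe_new_file_mode "$top" 002)"   # 664
    share_dir_with_group "$top" "$(id -g)"
    add_default_group_acl "$top" "$(id -g)"
    mkdir "$top/site"
    echo "shared dir: $(mode_and_gid "$top")  new subdir: $(mode_and_gid "$top/site")"
    command -v getfacl >/dev/null 2>&1 && getfacl -p "$top"
    rm -rf "$top"
fi
```

Run `DEMO=1 sh shared_dir.sh`. Without a default ACL the new subdirectory shows a mode like 2755 (setgid inherited, group write missing because of umask 022); once `add_default_group_acl` has taken effect on an ACL-enabled filesystem, `getfacl` lists `default:group:<gid>:rwx` and new entries come out group-writable regardless of the creator's umask, which is the difference between the answer's "Permissions for new files" and "Directory shared by group" sections.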