
I have created 3 users 'u1', 'u2', 'u3'. Now I want to provide access to u1's /home/u1/share directory to users u2 and u3.

I don't want to create a new common group named 'shared' and add the 3 users there. Is it possible to use the 'u1' group itself?

So far I have tried:

#add u2,u3 as supplementary members of u1's primary group
usermod -a -G u1 u2
usermod -a -G u1 u3

#ensure members of group u1 can traverse u1's home: owner rwx, group r-x, others nothing
chmod 750 /home/u1

#create the shared dir; umask 027 gives it mode 750 (group r-x, no group write)
umask 027 && mkdir /home/u1/share

Though

ls -ld /home/u1/share
drwxr-x---. 2 u1 u1 4096 Apr 23 10:11 /home/u1/share

shows read access for the group, user u2 can't access this directory.

[u2@ ~]$ ls -l /home/u1/share
ls: cannot access /home/u1/share: Permission denied

Any thoughts on this? Where am I doing it wrong?

webminal.org
  • Thanks, logging out and logging in solved the problem! :) Please move this comment to an answer, so that it can help others too. – webminal.org Apr 23 '13 at 08:05

2 Answers


You need ACLs to solve the permission problem. You have to give all respective directories group write access and set default ACLs for them (in case the users shall be able to create subdirectories):

setfacl -d -m g:u1:rwx "$directory"

or instead

setfacl -d -m g::rwx "$directory"

if you ensure via SGID bit that a newly created subdirectory belongs to the same group.

I do not consider your decision not to create a new group a good idea.

Hauke Laging
  • Thanks for the solution. My above steps worked when I logged in again as 'u2'. I understand it will be a security risk for 'u1' to use the 'u1' group, but I'll inform 'u1' about the risk :). Maybe tell him to have 'umask 077' in his bashrc file. Thus he has to change any permission manually to share with others. – webminal.org Apr 23 '13 at 08:09
  • @lakshmipathi The login makes user u2 part of group u1 and thus gives u2 read and execute access in your example (due to the umask value at the time of mkdir), but it does not give write access to u2. – Hauke Laging Apr 23 '13 at 08:25
  • Yes, u2 is now part of two groups, 'u1' and 'u2'. I think that should be fine. 'u1' can decide whether to provide write access on a per-directory basis. – webminal.org Apr 23 '13 at 08:45

What you've done should be fine, but has user u2 logged out and in again since you ran the usermod? Group memberships are only picked up at login time.

Doing an id -a for u2 can also help confirm whether or not that particular u2 shell is in group u1.

For what it's worth, although I disagree with Hauke about ACLs (they certainly aren't needed in this case, because as you've shown it can be done with groups; I find ACLs are hardly ever really needed, and such an incredible pain even on the odd occasion they are, that I normally advise people to change their requirements instead), I agree that this is a perfect case for a new, custom group.

MadHatter
  • I am curious how you give the users write access to newly created directories and files without demanding (that's always the best approach...) that they take care of that themselves. {cron,find,chmod}? {FAM,chmod}? ACLs are great after having spent one day to become friends with them. I am happy that we are moving to richacl now. :-) – Hauke Laging Apr 23 '13 at 08:29
  • The combination of `chmod g+t` and changing the users' `umask`s usually works for me. – MadHatter Apr 23 '13 at 08:41
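The following script is an added example, not code from the question or either answer. It shows, without root, the three points the thread turns on: why a usermod only takes effect after a fresh login (the group database versus the groups the running process carries), what the question's umask 027 does to a new directory, and how a setgid directory (MadHatter's approach), optionally with Hauke Laging's default ACL, makes new entries inherit the shared group. It assumes Linux with GNU coreutils or BusyBox (id -nG, stat -c); since it cannot create u1/u2/u3, the caller's own primary group stands in for the 'u1' group and a mktemp directory stands in for /home/u1/share. setfacl is used only if it is installed.

```shell
#!/bin/sh
# Added example for the thread above; not the original poster's or answerers' code.
# Assumes Linux with GNU coreutils or BusyBox. Uses the caller's primary group in
# place of 'u1' and a mktemp directory in place of /home/u1/share.
set -eu

# Why "log out and log in again": 'id -nG USER' reads the group database, which
# usermod changes immediately; 'id -nG' with no argument reports the groups the
# running process received at login. A group present in the first but not in
# the second is exactly the state the question ran into.
# Prints one of: active | pending-relogin | absent
membership_status() {
    local group="$1" in_db=no in_proc=no
    id -nG "$(id -un)" | tr ' ' '\n' | grep -qx -- "$group" && in_db=yes
    id -nG             | tr ' ' '\n' | grep -qx -- "$group" && in_proc=yes
    if [ "$in_proc" = yes ]; then
        echo active
    elif [ "$in_db" = yes ]; then
        echo pending-relogin
    else
        echo absent
    fi
}

# Shared directory as in the second answer: mode 2770 so only owner and group
# members can enter, with SGID so files and subdirectories created inside are
# owned by GROUP rather than by each creator's primary group. If setfacl exists,
# the first answer's default ACL is added too, so new entries get group rwx
# even when a member's umask would otherwise drop the group write bit.
make_shared_dir() {
    local dir="$1" group="$2"
    mkdir -p -- "$dir"
    chgrp -- "$group" "$dir"
    chmod 2770 -- "$dir"
    if command -v setfacl >/dev/null 2>&1; then
        # the filesystem may be mounted without ACL support; that is not fatal here
        setfacl -d -m g::rwx -- "$dir" 2>/dev/null || true
    fi
}

# Mode a new directory gets under a given umask when no default ACL is involved:
# the question's 'umask 027 && mkdir' yields 750, i.e. group r-x and no write.
mkdir_mode_under_umask() {
    local mask="$1" target="$2"
    ( umask "$mask" && mkdir -- "$target" )
    stat -c %a -- "$target"
}

# Group assigned to a file created inside DIR; with SGID set on DIR this is
# DIR's group, not the creating user's primary group.
group_of_new_file() {
    local dir="$1"
    : > "$dir/probe.$$"
    stat -c %G -- "$dir/probe.$$"
}

demo() {
    local tmp group
    tmp=$(mktemp -d)
    group=$(id -gn)
    echo "membership of group '$group' in this session: $(membership_status "$group")"
    echo "plain mkdir under umask 027 gives mode: $(mkdir_mode_under_umask 027 "$tmp/plain")"
    make_shared_dir "$tmp/share" "$group"
    echo "shared dir mode (setgid + rwxrwx---): $(stat -c %a -- "$tmp/share")"
    echo "group of a new file inside it: $(group_of_new_file "$tmp/share")"
    rm -rf -- "$tmp"
}

demo
```

On the real system the check for u2 is `membership_status u1` run from u2's shell: it reports pending-relogin right after the usermod and active only in a session started afterwards. Note that the default ACL changes what the umask does inside the share: with `g::rwx` as a default entry, a member's umask no longer strips group write from new files there, which is the trade-off between the two answers.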