How to set default file permissions for all folders/files in a directory?

Question

I want to set a folder such that anything created within it (directories, files) inherit default permissions and group.

Lets call the group "media". And also, the folders/files created within the directory should have g+rw automatically.

Isn't that controlled by the user creating the new file/folder, and his umask? — Wadih M., Aug 27 '10 at 15:02
umask does relate to permissions but I do not believe it does anything with setting a default group that is not the user him/herself. — Chris, Aug 27 '10 at 15:31
What OS? Tags needed. setfacl and default ACLs don't exist on AIX. — Amit Naidu, Apr 25 '13 at 04:50

score 395 · Accepted Answer · edited May 01 '21 at 18:20

395

I found it: Applying default permissions

From the article:

Set the setgid bit, so that files/folder under <directory> will be created with the same group as <directory>
```
chmod g+s <directory>
```

Set the default ACLs for the group and other

setfacl -d -m g::rwx /<directory>
setfacl -d -m o::rx /<directory>

Next we can verify:

getfacl /<directory>

Output:

# file: ../<directory>/
# owner: <user>
# group: media
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x

edited May 01 '21 at 18:20

αғsнιη

41,407

answered Aug 27 '10 at 13:52

Chris

8,540
5
23
18

5

Yay for the sticky bit! – gabe. Aug 27 '10 at 15:11
41

Lets not confuse gid with sticky bit. – Amit Naidu Apr 25 '13 at 04:51
1

Why is the chmod g+s needed? Running a test in /tmp I seem to only need setfacl -d -m o::rx – Vincent Scheib Apr 30 '13 at 20:17
12

g+s will ensure that new content in the directory will inherit the group ownership. setfacl only changes the chmod, in your case sets the permission to o=rx – Steen Schütt Feb 12 '14 at 12:28
13

Note that ACL must be enabled (included as one of the mount options for the mounted file system) for the file permissions to be inherited. – sg23 Oct 21 '14 at 19:29
3

@gabe s stands for set-user-ID or set-group-ID, t is the sticky bit. – MaxChinni Nov 04 '14 at 14:29
An alternative way to achieve a similar result without setting sticky bit would be setfacl -d -m g:<directory group>:rwx <directory>. That way files created under will be rw by members of 's group. – IanB Apr 24 '15 at 00:25
What do I do if I receive the following error: command not found: setfacl – Ralph David Abernathy Aug 18 '15 at 20:07
1

@RalphDavidAbernathy: does sudo apt-get install acl resolves the problem? – willeM_ Van Onsem Aug 25 '15 at 15:43
Make all new files in a directory accessible to a group has a more detailed answer about setting up ACLs for this case. – Mark Stosberg Sep 28 '15 at 19:24
I found here nice tutorial about ACL – marioosh Feb 06 '17 at 13:34
45

You might want to consider using 'X' instead so it will only set execute permission on directories not files setfacl -d -m g::rwX /<directory> – Adrian Gunawan Aug 31 '17 at 00:50
If your on Debian to run “setfacl” you need to make sure that “acl” (https://wiki.debian.org/Permissions) is intalled. To install use “apt-get install acl”. Use “sudo apt-get install acl” if needed. – Leviscus Tempris Feb 21 '19 at 22:27
1

Nice one! Just want to add if you want to completely remove perms for others like 640, should do: setfacl -d -m o::- /<dir> – Payam Apr 10 '19 at 19:37
Where do the leading slashes in /<directory> come from? – ebk Jul 10 '20 at 02:40
where is the documentation that says capital X is for directories only? – Arrow_Raider Sep 08 '20 at 19:09
@Arrow_Raider under "man setfacl", in ACL ENTRIES section, last paragraph. – DrLightman Dec 12 '20 at 11:45
1

this is not supposed to work for new files created in previously created directory inside the main directory, right? It's not working for me. It works for new files created right inside the main directory. How to apply this thing recursively? – DrLightman Dec 12 '20 at 11:47
setfacl is do longer installed in ubuntu 20.02 by default - install it using apt install acl – Abraham Brookes Jul 03 '22 at 12:40

score 48 · Answer 2 · edited Jun 10 '21 at 12:22

This is an addition to Chris' answer, it's based on my experience on my Arch Linux rig.

Using the default switch (-d) and the modify switch (-m) will only modify the default permissions but leave the existing ones intact:

setfacl -d -m g::rwx /<directory>

If you want to change folder's entire permission structure including the existing ones (you'll have to do an extra line and make it recursive with -R):

setfacl -R -m g::rwx /<directory>

Examples:

# Gives group read,write,exec permissions for currently existing files and
# folders, recursively.
setfacl -R -m g::rwx /home/limited.users/directory
Revokes read and write permission for everyone else in existing folder and
subfolders.
setfacl -R -m o::x /home/limited.users/directory
Gives group rwx permissions by default, recursively.
setfacl -R -d -m g::rwx /home/limited.users/directory
Revokes read, write and execute permissions for everyone else.
setfacl -R -d -m o::--- /home/limited.users/directory

(CREDIT to markdwite in comments for the syntax of the revoke all privileges line)

To revoke group privileges (as an example): sudo setfacl -d -m g::--- /path — markdwhite, Jan 26 '17 at 08:53
is that just a typo specifying setfacl -R -m g::rwx /<directory> twice in your answer? — Shane Rowatt, Sep 02 '17 at 11:05

Abdul Rehman · Answer 3 · 2019-06-18T15:43:15.900

Add yourself/logged user to www-data group, so we can work with files created by www-data server

sudo usermod -a -G www-data $USER

Needs to restart/relogin so the newly added group takes effect

cd /var/www

Add www-data as group member of html folder, and your user as owner, so we own it as well as a group member

sudo chown -R $USER:www-data html

Put your username in place of USER

Set read,write,execute permission as required, (ugo) u=user, g=group, o=others

sudo chmod 750 html

Set the GID of html, now, newly created files in html will inherit ownership permissions:

sudo chmod g+s html

This creates the default rules for newly created files/dirs within the html directory and sub directories.

sudo setfacl -R -d -m u::rwX -m g::rX -m o::000 html

Make SELinux if installed, ignore www-data context requirement so it lets allows write permissions

sudo setsebool -P httpd_unified 1

list directory to see new permissions applied

ls -ld html

Returns this

drwxrwsr-x+   3 html www-data

The trailing + signify that ACL, Access Control List, is set on the directory.

Reference: Link to forum

score 0 · Answer 4 · answered Oct 09 '21 at 17:29

0

Above answer doesn't updates executable permissions, though they show so. Use chacl -r u::rwx,g::r-x,o::r-- ./

answered Oct 09 '21 at 17:29

Prashant K

1

score -3 · Answer 5 · edited Jul 13 '17 at 15:21

-3

Using the following command you can set default permission to a file:

chacl -R filename

edited Jul 13 '17 at 15:21

Michael Mrozek

93,103
40
240
233

answered Jul 13 '17 at 09:11

user240513

7

3

How this differ from other answers? And give some examples – Romeo Ninov Jul 13 '17 at 09:21
5

Are you sure that's what it does? https://linux.die.net/man/1/chacl indicates that it will remove an ACL. – Jeff Schaller Jul 13 '17 at 10:26

How to set default file permissions for all folders/files in a directory?

5 Answers5

Revokes read and write permission for everyone else in existing folder and

subfolders.

Gives group rwx permissions by default, recursively.

Revokes read, write and execute permissions for everyone else.

Linked

Related