1

I want to create a directory where multiple users will be able to contribute to the same files and I want each file that any user creates to have write permission by default for everyone in the group.

I did setgid for a directory and all new files have the right group. However, new files are still created without write permissions in the group.

Here is an illustration of what I'm trying to do:

(as a root user):

mkdir --mode=u+rwx,g+rws,o-rwx /tmp/mydir
chown root.mygroup /tmp/mydir
touch /tmp/mydir/test.txt

Then when I do ls -la /tmp/mydir/ I'm getting

drwxrws---  2 root    mygroup    4096 Sep 12 12:04 .
drwxrwxrwt 11 root    root       4096 Sep 12 12:04 ..
-rw-r--r--  1 root    mygroup    0    Sep 12 12:03 test.txt

So, write permission never gets populated for a group for all new files authored by members of that group. I understand that other group users still can override that by doing chmod g+w for specific files such as test.txt in the example above and this is the right behavior in most of the cases, but is there a way to recursively alter that for a specific directory and allow write permissions to be automatically set for a group as well as the owner for all new files within that dir?

Alex
  • 113

1 Answer

5

Default permissions for new files and folders are determined by umask. If you configure the default umask for your users to 002, group permission will be set to rw for new files and folders. Configuring umask for all users can be done using pam_umask.

To use pam_umask, on Debian based distributions you should configure the module in /etc/pam.d/common-session by appending the following to the end of the file:

 session optional   pam_umask.so

Then configure the desired umask value in /etc/login.defs.

Note that the mask configured using PAM isn't applied to all Gnome applications (for details, see How to set umask for the entire gnome session). However, sessions launched from ssh or tty are not affected.

If you do not want to alter the default umask on your system, you can use POSIX Access Control Lists. When an ACL is set for a directory, new files inherit the default ACL. ACLs can be set and modified using setfacl and getfacl respectively. Some file systems might need an additional mount flag to enable ACLs.

sebasth
  • 14,872
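
The two approaches from the answer, side by side, as an added example that is not part of the original question or answer: it creates a setgid directory like the question's inside a throwaway mktemp sandbox and reports the mode a new file receives under umask 022, under umask 002, and under umask 022 with a default ACL on the directory. The function name new_file_mode and the sandbox are assumptions made for illustration; note that the umask change applies to everything the session creates, while the default ACL is scoped to the one directory.

```shell
#!/bin/sh
# Added example. Everything runs in a throwaway mktemp directory (constructed
# sandbox); no root and no real "mygroup" are needed to observe the mode bits.

# new_file_mode UMASK [acl]   (hypothetical helper name)
# Create a setgid directory like the question's (u+rwx,g+rws,o-rwx), create a
# file in it under the given umask, and print the file's mode string.
# With "acl" as second argument, a default ACL is set on the directory first.
new_file_mode() {
    dir=$(mktemp -d) || return 1
    chmod 2770 "$dir"
    if [ "${2:-}" = acl ]; then
        # A default ACL is inherited by new files and replaces the umask.
        if ! command -v setfacl >/dev/null 2>&1 ||
           ! setfacl -d -m g::rwx "$dir" 2>/dev/null; then
            rm -rf "$dir"
            return 2    # setfacl missing, or filesystem without ACL support
        fi
    fi
    # Subshell, so the caller's own umask is left untouched.
    ( umask "$1" && touch "$dir/test.txt" ) || { rm -rf "$dir"; return 1; }
    # First 10 columns of ls -l: file type plus rwx bits (drops an ACL "+").
    ls -l "$dir/test.txt" | cut -c1-10
    rm -rf "$dir"
}

echo "umask 022:               $(new_file_mode 022)"   # as in the question
echo "umask 002:               $(new_file_mode 002)"   # pam_umask route
echo "umask 022 + default ACL: $(new_file_mode 022 acl || echo 'ACLs unavailable here')"
```

On a real shared directory, running getfacl on it afterwards shows the default: entries that new files will inherit.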