How to interpret group permission?

Question

My current understanding is when a user A creates a file F, this user becomes the file owner, and can also set a permission for whatever group this user would end up being in.

So when user A is in group G, every single member of G would have the permission user A initially set up for file F. Same goes for group G1, G2..... of which A is a member.

But A could not possibly foresee who will be in the same group he or she would be in also, and what kind of group he would be placed into, a predetermined permission seems risky, even though it can be changed. so my understanding seems very naive.

Really appreciate anyone's help.

This is where you have to trust your system's administrators to manage the groups correctly. Unfortunately, I've seen cases, especially when joined to Active Directory, where a single group contains every user and this is the default group. Usually this happens when Windows admins are designing AD and Linux admin have to live with the results. — doneal24, Aug 11 '18 at 18:11

Kefka · Answer 1 · 2018-08-11T15:33:21.297

On most Linuxes, at least as the out of the box default, a user's primary group is the same as their username, so this wouldn't be a problem since the group ownership of a new file would be for a group that no one will ever be in.

When servers are configured for new users to have a primary group that is shared, then we have the umask environmental variable to prevent any problems. This is what sets the default permissions of new files, and can be set per user. So user A might set his umask to 077, and then any new files he creates will have permissons of 700, meaning group members won't be able to do anything with it.

To expand on this a little, your umask is normally set as part of your initialization script - that is, the scripts that run when you log into a user account. You have two sets - your global profile script, which is most commonly /etc/profile or /etc/bashrc, and your local, which are stored under your home directory as .bashrc or .profile (the actual scripts used depend on your shell, these are just common for bash). When you log in, the relevant global script runs first, then the local script runs, and can override anything done by the global. So under .bashrc (or equivalent) you would simply have to append to the script, umask 077 to set the value to 077. You can also just run umask 077 to set the umask for the current session only.

Great answer - thanks! I wonder if you might consider a wee edit to say how A goes about setting his umask? — Seamus, Aug 11 '18 at 15:03
@seamus, I added it as requested. Let me know if I didn't explain it clearly. — Kefka, Aug 11 '18 at 15:34

score 1 · Answer 2 · answered Aug 11 '18 at 12:56

1

When a new file is created, it has a single user (owner) and a single group associated with it. Even if user A is in multiple groups, the file can only be associated with one of those groups. You can confirm this with a simple ls -l. There is one user and one group for any file.

Hence, even if user A is added into a new group, this new group cannot access the file, and thus has no bearing on its permissions. The only way a new user could access it is if they are added to the initial owning group G… and if they have the level of access required to make that happen, then they would be able to access the file by other means anyway.

answered Aug 11 '18 at 12:56

Sparhawk

19,941

thanks. Does that mean there is a way to change the default group a file is associated with when it is created? – Aug 11 '18 at 14:25
@JohnSmithSr.Yes, with the chgrp command. You can change group ownership to any group that you belong to. – doneal24 Aug 11 '18 at 18:08
@JohnSmithSr. chgrp will change the file's groups retroactively. You can also change the default group for a particular user. – Sparhawk Aug 12 '18 at 00:11

How to interpret group permission?

2 Answers2