
Objective: Creating a folder on the root, chown to group and add users to group - but users get too wide permissions!

Consider the following:

# as root

we need a user group

groupadd team1

we need a shared folder

mkdir /project1
chown root:team1 /project1
chmod 770 /project1

we need users - and they get set pw elsewhere :)

for i in bob tina jim joy; do useradd $i; done

we add them to the project group 'team1' that gives access to the shared folder

usermod -aG team1 [username]

What is puzzling is that user jim can create a file in /project1 and user joy can open, change and save the file in vim or try to delete the file, which will be executed after confirmation that this is the intent.

Question: Is this to be considered correct behaviour? Shouldn't chmod 770 /project1 be limited to permissions on the folder itself, but not as it appears: recursively to files within said folder?

DavDav
  • 511

1 Answer

This is normal behaviour.

770 permissions on a directory allow the directory’s owner and any member of the directory’s group to read, write and search the directory. This means that any member of the group can delete files in the directory and create new files, independently of the permissions and ownership of the files themselves. This is what you’re seeing; whatever permissions jim sets on a file, joy can delete it and replace it with another, which is what vim does.

There are additional permissions you can set on directories, in the standard Unix permissions model.

The first useful one here is the sticky bit, which restricts deletions: files can only be deleted by their owner, the directory’s owner, or root.

chmod g+t /project1

would set this up, and then joy wouldn’t be able to delete jim’s files.

The second useful permission is the sgid bit, which causes the directory’s group to be applied to newly-created files in the directory:

chmod g+s /project1

To combine both, run

chmod 3770 /project1

See Understanding UNIX permissions and file types for details.

Stephen Kitt
  • 434,908
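As an added illustration (not part of the answer above or of any real tool), here is a small Python model of the rules the answer describes: unlink is decided by write+search on the directory, the sticky bit adds the owner check, and setgid decides the group of new files. The uids and gids (team1 = 1001, jim = 1002, joy = 1003, an outsider = 2000) are constructed for the example; ACLs and capabilities other than root's bypass are deliberately left out.

```python
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Inode:
    mode: int  # permission bits, may include S_ISGID / S_ISVTX
    uid: int
    gid: int

@dataclass(frozen=True)
class User:
    uid: int
    gid: int           # primary group
    groups: frozenset  # supplementary groups (what usermod -aG adds)

def has_perm(node, user, bit_u, bit_g, bit_o):
    """Owner/group/other check on one inode; uid 0 bypasses (CAP_DAC_OVERRIDE)."""
    if user.uid == 0:
        return True
    if user.uid == node.uid:
        return bool(node.mode & bit_u)
    if node.gid == user.gid or node.gid in user.groups:
        return bool(node.mode & bit_g)
    return bool(node.mode & bit_o)

def can_unlink(directory, target, user):
    """Unlink needs write+search on the directory, not on the file; sticky adds an owner check."""
    if not (has_perm(directory, user, stat.S_IWUSR, stat.S_IWGRP, stat.S_IWOTH)
            and has_perm(directory, user, stat.S_IXUSR, stat.S_IXGRP, stat.S_IXOTH)):
        return False
    if directory.mode & stat.S_ISVTX:
        return user.uid in (0, target.uid, directory.uid)
    return True

def group_of_new_file(directory, user):
    """setgid on a directory makes new files take its group instead of the creator's."""
    return directory.gid if directory.mode & stat.S_ISGID else user.gid

# Constructed sample: group team1 = gid 1001; jim and joy from the question, plus an outsider.
TEAM1 = 1001
JIM = User(uid=1002, gid=1002, groups=frozenset({TEAM1}))
JOY = User(uid=1003, gid=1003, groups=frozenset({TEAM1}))
ROOT = User(uid=0, gid=0, groups=frozenset())
OUTSIDER = User(uid=2000, gid=2000, groups=frozenset())

def scenario(dir_mode):
    """Who may delete a 0600 file jim created in /project1 with this mode? -> ({name: bool}, file gid)"""
    project1 = Inode(mode=dir_mode, uid=0, gid=TEAM1)
    jims_file = Inode(mode=0o600, uid=JIM.uid, gid=group_of_new_file(project1, JIM))
    users = (("jim", JIM), ("joy", JOY), ("root", ROOT), ("outsider", OUTSIDER))
    return {n: can_unlink(project1, jims_file, u) for n, u in users}, jims_file.gid
```

Calling `scenario(0o770)` shows joy allowed to delete jim's 0600 file, while `scenario(0o3770)` (sticky + setgid, the answer's combined mode) denies joy and also gives the file the team1 group.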