
I need help understanding how giving write permission to a group works in Ubuntu. I am logged in as root and have a www-data:www-data and ftpuser:ftpuser (user:group). I add the ftpuser into the www-data group using:

usermod -a -G www-data ftpuser

Now my www-data group has two users.

I then make the group www-data, owner of the folder /var/www using:

chgrp -R www-data /var/www

Still, I have no write ability to the folder as a group member (though the group owns it) unless I give write permissions to the group. Now, according to this best answer, I also need to set the permissions on the directory using sudo chmod -R 770 /path/to/the/directory, and this is what confuses me.

If a user is the owner of a directory, why can't he write to it? Can a user of a group give the group write permissions to a folder owned by the group himself? Where is the group defined in the command sudo chmod -R 770 /path/to/the/directory? Won't this give recursive permissions to all users?

2 Answers

though the group owns it

No, the group does not own a file in the sense that the permissions for the owner would apply. Owner permissions apply only to the owner, i.e. the user, and group permissions apply to the assigned group.

If a user is the owner of a directory why can't he write to it?

He can, except that ftpuser in your case is not the owner.

Most likely (you don't say it explicitly), root or www-data is the owner of /var/www, and ftpuser is a member of the group www-data.

Even if the user www-data and the group www-data have the same name, they are different entities for the operating system.

Can a user of a group give the group write permissions to a folder owned by the group himself?

Again: the folder is not owned by a group. If the group has write permission, any member of the group can change the permissions on the object.

Where is the group defined in the command sudo chmod -R 770 /path/to/the/directory?

The second 7 refers to the group permissions (7 is a combination of read, write, and execute).

Won't this give recursive permissions to all users?

It will assign (recursively):

  • read, write, and execute for the owner (first 7)
  • read, write, and execute for the group (second 7)
  • no permissions for other users (last 0)

Directory shared by group with write permissions for existing files

All users should be members of the group www-data. You can add them using:

usermod -a -G www-data user1
usermod -a -G www-data user2
...

Giving the group www-data write permission to a folder and all the files it contains can be achieved with this series of commands:

chgrp -R www-data /var/www
chmod -R g+ws /var/www

All new files and directories will be assigned the group www-data and will be writable by members of the group.

Permissions for new files

The default umask on most Linux systems is 022, meaning that if user1 creates a file or directory under /var/www, that file becomes "editable" only by user1, but readable by the group www-data.

If this is expected behavior you should stop here.

Directory shared by group with write permission

You should verify whether extended ACLs are enabled on your system. You may look in /etc/fstab for something like this: /dev/sda5 / ext4 acl,..... Having checked this, you need to provide extended ACL parameters for directories.

You will add an ACL to allow new files created under the /var/www folder to also be writable by the www-data group, using this command:

setfacl -R -b -k -d -m g:www-data:rwx --mask /var/www

In this scenario, if user1 creates a file or folder under /var/www, user2 will be able to write to or delete it.

Every new file or directory will have permissions rw-rw-???. The question marks will be whatever you set for others.

How to verify permissions

Use this command:

getfacl /var/www

The output should be something like this:

# file: /var/www
# owner: www-data
# group: www-data
# flags: -s-
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:www-data:rwx
default:mask::rwx
default:other::---

Default permissions for folder /var/www are: drwxrws---

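As an added illustration (not code from either answer), the following Python models the decisions both answers describe: which octal digit of a mode such as 770 applies to a given user (owner, group or others), why membership in the owning group never grants owner rights, what mode a new file gets under umask 022 when no default ACL exists, and how the setgid bit from chmod g+s makes new entries inherit the directory's group. The uids and gids are constructed values, not taken from any real system.

```python
import stat

READ, WRITE, EXEC = 4, 2, 1

# Constructed ids for the question's scenario (real values differ per system).
WWW_DATA_UID, WWW_DATA_GID = 33, 33
FTPUSER_UID, FTPUSER_GID = 1001, 1001

def describe_mode(mode, is_dir=False):
    """Render permission bits the way ls does, e.g. 0o770 -> 'rwxrwx---'."""
    ftype = stat.S_IFDIR if is_dir else stat.S_IFREG
    return stat.filemode(ftype | mode)[1:]   # drop the file-type character

def can_access(want, mode, file_uid, file_gid, uid, user_gids):
    """POSIX discretionary access check for a non-root user, without ACLs.

    Exactly one class applies: owner bits if uid is the file's owner, else
    group bits if the file's group is among the user's groups, else 'other'.
    Being in the owning group never grants the owner's bits.
    """
    if uid == file_uid:
        shift = 6          # first octal digit (owner)
    elif file_gid in user_gids:
        shift = 3          # second octal digit (group)
    else:
        shift = 0          # third octal digit (others)
    return (mode >> shift) & want == want

def ftpuser_can_write(dir_mode, in_www_data=True):
    """Can ftpuser write to /var/www (owned by www-data:www-data) with dir_mode?"""
    groups = {FTPUSER_GID} | ({WWW_DATA_GID} if in_www_data else set())
    return can_access(WRITE, dir_mode, WWW_DATA_UID, WWW_DATA_GID, FTPUSER_UID, groups)

def new_file_mode(umask, is_dir=False):
    """Mode a new file or directory gets without a default ACL: base & ~umask."""
    return (0o777 if is_dir else 0o666) & ~umask

def new_file_gid(dir_mode, dir_gid, creator_primary_gid):
    """Group of a new entry: the directory's group when setgid (chmod g+s) is set."""
    return dir_gid if dir_mode & stat.S_ISGID else creator_primary_gid

if __name__ == "__main__":
    print(describe_mode(0o770, True), ftpuser_can_write(0o750), ftpuser_can_write(0o770))
    print(describe_mode(new_file_mode(0o022)))   # rw-r--r--: group can read, not write
    print(new_file_gid(0o2770, WWW_DATA_GID, FTPUSER_GID))   # 33: inherited via setgid
```

Note that with chgrp plus g+s alone, a file created by user1 is rw-r--r-- for the group; only the default ACL from the second answer (or a 002 umask) makes new files group-writable.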