Let's say I have two users on a Debian GNU/Linux system: me and otheruser. Both are members of the group shared-media. I can create a directory that is writeable by both:

$ sudo mkdir /srv/media/test-parent
$ sudo chown root:shared-media /srv/media/test-parent
$ sudo chmod g+w /srv/media/test-parent
$ sudo chmod g+s /srv/media/test-parent
$ ls -dlh /srv/media/test-parent
drwxrwsr-x 2 root shared-media 4.0K Apr 28 19:35 /srv/media/test-parent

Now, as otheruser, I create a directory and a file within it:

$ sudo -u otheruser mkdir /srv/media/test-parent/zztest
$ sudo -u otheruser touch /srv/media/test-parent/zztest/one

Unfortunately, this new file cannot be deleted by other members of the group (assume the current user is me):

$ ll /srv/media/test-parent/zztest/one 
-rw-r--r-- 1 otheruser shared-media 0 Apr 28 19:36 /srv/media/test-parent/zztest/one
$ rm /srv/media/test-parent/zztest/one 
rm: remove write-protected regular empty file ‘/srv/media/test-parent/zztest/one’? y
rm: cannot remove ‘/srv/media/test-parent/zztest/one’: Permission denied

How do I set up permissions so that otheruser only ever creates files that are writeable and deletable by other group members?

1 Answer

Files themselves are not important; you only need the write permission on the parent directory. To ensure that it's always added, set 'default' ACLs on the base directory:

setfacl -m default:group::rwx /srv/media/test-parent

This sets a "default" (inherit-only) ACL group::rwx (shorthand g::rwx), which applies to the owning group (i.e. the group set via chown/chgrp).

But you'll usually want to set an identical "regular" ACL at the same time:

setfacl -m g::rwx,d:g::rwx /srv/media/test-parent

You can simplify this somewhat, by granting access to a specific group directly:

setfacl -m g:users:rwx,d:g:users:rwx /srv/blah

This makes the 'setgid' bit as well as chgrp unnecessary.

  • Nice! I had no idea that setfacl existed. I presume the new + at the end of the directory permissions (drwxrwsr-x+) is there to indicate that a different ACL is set for this directory.
    – detly
    Commented Apr 28, 2015 at 10:40
  • Yes. Also, when an ACL is set, the 'group' column actually shows the sum of all regular ACL entries (except the 'default' ones); the real permissions will be only visible through getfacl. Similarly, chmod g-w will "mask out" the write permission for all ACL entries at once.
    Commented Apr 28, 2015 at 11:15
