Hi List :)

So, I have a folder1, its owner is user1 who has r+w on the folder.
User2 is the group owner who only has read access (when I say user2, I
mean the group called user2, because when you make a new user the OS
can make them their own group). You can see these permissions below:

[user2@host test]$ ls -l
drw-r----- 3 user1 user2 28 Nov 2 16:17 folder1

However user2 cannot 'cd' into this directory, and gets the
following output from 'ls -l folder1'

[user2@host test]$ ls -l folder1/
total 0
?--------- ? ? ? ? ? sub-folder

And the sub-folder name is written in white text flashing on a red
background. So, it seems to me that there is some permissions problem
here. What permissions are required on the group settings to allow a
group user to browse folder1 and its sub folders and read the files
inside if it isn't 'r' ?

**Note: I have used sudo to replicate permissions through the directory structure:

[user2@host test]$ sudo ls -l folder1/
drw-r----- 2 user1 user2 4096 Jan 24 06:49 sub-folder

--
Regards,
James.

http://www.jamesbensley.co.cc/

There are 10 kinds of people in the world; Those who understand
Vigesimal, and J others...?

Hi :)

On Wed, Jan 26, 2011 at 11:12 AM, James Bensley <jwbensley at gmail.com> wrote:
> Hi List :)
>
> So, I have a folder1, its owner is user1 who has r+w on the folder.
> User2 is the group owner who only has read access (when I say user2, I
> mean the group called user2, because when you make a new user the OS
> can make them their own group). You can see these permissions below:
>
> [user2@host test]$ ls -l
> drw-r-----  3 user1    user2   28 Nov  2 16:17 folder1
>
> However user2 cannot 'cd' into this directory, and gets the
> following output from 'ls -l folder1'
>
> [user2@host test]$ ls -l folder1/
> total 0
> ?--------- ? ? ? ? ? sub-folder
>
> And the sub-folder name is written in white text flashing on a red
> background. So, it seems to me that there is some permissions problem
> here. What permissions are required on the group settings to allow a
> group user to browse folder1 and its sub folders and read the files
> inside if it isn't 'r' ?
>
> **Note: I have used sudo to replicate permissions through the directory structure:
>
> [user2@host test]$ sudo ls -l folder1/
> drw-r----- 2 user1 user2 4096 Jan 24 06:49 sub-folder

Directories should have +x permissions.

Do a:

chmod 0750 /directory

And see what happens.

HTH

Rafa

Edo <ml2edwin at gmail.com> wrote:

>>
If user1 writes a file in folder1 will user2 be made the default group owner, is there a way of enforcing this and with the required privileges (r for files, rx for directories?).

Yes. If user1 belongs to the user2 group, that's how it should [already] work.
<<

The problem here is the RH "User Private Group" scheme, which means that user1 is only a member of the group user1 and user2 is only a member of the group user2. So their group memberships, by default, don't intersect and user2's only access to user1's files is by virtue of the "other/world" permissions, which depend upon the umask (but don't give access, by default).

I've written this up (again, for a course I wrote some years ago, but it's still mostly relevant) at http://www.lesbell.com.au/Home.nsf/web/Controlling+Access+to+Files?OpenDocument - see the section near the bottom entitled "Red Hat's User Private Group Philosophy" which explains how it should be used (the secret is to make the user administrator of their own group with gpasswd -A). The RH approach, imho, is better than a global group, "users", as found on other distros, because there's no real difference between "users" and "world".

One easy way to allow shared access - and this will work over Samba - is to create a group for the users, e.g. "accounts" and make the various users members of that group (as a secondary group). Then create a shared directory for them, chown it to be owned by the group (e.g. chown me:accounts /home/accounts) and then set the SGID bit on the directory (chmod 2777 /home/accounts). Now, whenever anybody creates a file in that directory, it will be owned by that user and the shared group "accounts", rather than the primary group of the creator. See the section in that article on "Permissions on directories".

I actually haven't tested that approach with SELinux, but I can't see that it would interfere.

Best,

--- Les Bell
[http://www.lesbell.com.au]
Tel: +61 2 9451 1144
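
The directory permission rules discussed in this thread (the missing +x from Rafa's reply and the SGID shared directory from Les Bell's), as an added example that is not part of any poster's message: a small Python model of the classic Unix owner/group/other check. It assumes no root, ACLs or SELinux, and the user "outsider" is a constructed name.

```python
import stat

def perm_bits(mode, owner, group, user, user_groups):
    """Pick the single rwx triplet that applies: owner, else group, else other."""
    if user == owner:
        shift = 6
    elif group in user_groups:
        shift = 3
    else:
        shift = 0
    return (mode >> shift) & 0o7

def dir_access(mode, owner, group, user, user_groups):
    """What `user` may do with a directory (model only: no root, ACLs, SELinux)."""
    bits = perm_bits(mode, owner, group, user, user_groups)
    r, w, x = bool(bits & 4), bool(bits & 2), bool(bits & 1)
    return {
        "list_names": r,           # read the entry names only
        "enter_or_stat": x,        # cd, and the stat() that `ls -l` needs per entry
        "create_delete": w and x,  # w on a directory is useless without x
    }

def new_file_group(dir_mode, dir_group, creator_primary_group):
    """Group of a file created in the directory: the SGID bit makes it inherit."""
    return dir_group if dir_mode & stat.S_ISGID else creator_primary_group

if __name__ == "__main__":
    # Identities as in the thread; "outsider" is a constructed user for the demo.
    upg = {"user1": {"user1"}, "user2": {"user2"}, "outsider": {"outsider"}}
    cases = [
        ("folder1 as posted (0640)", 0o640, "user1", "user2", "user2"),
        ("after chmod 0750", 0o750, "user1", "user2", "user2"),
        ("owner on 0640 (no x either)", 0o640, "user1", "user2", "user1"),
        ("UPG default user1:user1 0750", 0o750, "user1", "user1", "user2"),
        ("shared dir 2777, non-member", 0o2777, "me", "accounts", "outsider"),
        ("shared dir 2770, non-member", 0o2770, "me", "accounts", "outsider"),
    ]
    for label, mode, owner, group, user in cases:
        print(f"{label:32} {user:9} {dir_access(mode, owner, group, user, upg[user])}")
    print("file group in 2777 dir:", new_file_group(0o2777, "accounts", "user1"))
    print("file group in 0777 dir:", new_file_group(0o777, "accounts", "user1"))
```

The last two cases show that mode 2777 also lets users outside the group create and delete entries, while 2770 keeps the same SGID group inheritance and confines access to the owner and group members.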