ACL and a sticky bit.

Set up a directory whose default ACL gives the group rwx on everything created inside it, and also ensure that all files and directories created in it are owned by the “users” group.

Setting the setgid bit (g+s) on the directory makes all new files created in it inherit the group of the directory instead of the primary group of the creating user.

chmod g+s user1

Set the default file access control list (ACL) entries, which are inherited by new entries: the group gets rwx by default and others get read access only.

setfacl -d -m g::rwx user1
setfacl -d -m o::r user1

Output:

server:/home # l user1/
total 393256
drwxr-xr-x 12 root root 4096 Jul 24 10:38 ./
drwxr-xr-x 26 root root 4096 Oct 16 15:03 ../
drwxrwsr-x+ 4 user1 users 4096 Oct 28 15:16 user1/
drwxr-xr-x 2 user2 users 4096 Oct 28 15:15 user2/
drwxr-xr-x 6 user3 dba 4096 Oct 13 14:24 user3/
drwx------ 2 root root 16384 Apr 17 2014 lost+found/

server:/home> getfacl user1/
# file: user1/
# owner: user1
# group: users
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:other::r--

server:/home/user1> l
total 72
drwxrwsr-x+ 4 user1 users 4096 Oct 28 15:36 ./
drwxr-xr-x 12 root root 4096 Jul 24 10:38 ../
-rw------- 1 user1 users 2197 Oct 28 15:14 .bash_history
drwxrw-r-- 2 user1 users 4096 Oct 27 08:43 bin/
-rw-rw-r-- 1 user2 users 0 Oct 28 15:36 createdbyuser2.txt
-rw-rw-r-- 1 user1 users 10324 Oct 21 09:22 createdbyuser1.txt
server:/home/user1>
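The listing above is the result a practitioner would inspect by hand. The following is an added example, not part of the original post, that checks the same two things programmatically: it renders an st_mode the way `ls -l` does (explaining the `s` in the group execute slot), parses saved `getfacl` output, and reports any deviation from the intended policy (setgid on, default group rwx, default other read-only). The getfacl text embedded below is the sample copied from the post; `setfacl` itself is not run, since that needs the acl tools and an ACL-enabled filesystem. All function names are this example's own.

```python
"""Verify a setgid directory and its default ACL against an intended policy.

Added example, not part of the original post. It does two things:
  1. renders an st_mode value the way `ls -l` does, so the 's' that appears in
     the group-execute position after `chmod g+s` is explained bit by bit;
  2. parses `getfacl` output (constructed sample below, copied from the post)
     and checks it against the intended policy: setgid set, default group rwx,
     default other read-only.
"""
import os
import stat
import tempfile

# Constructed sample: the getfacl output shown in the post for /home/user1.
SAMPLE_GETFACL = """\
# file: user1/
# owner: user1
# group: users
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:other::r--
"""


def mode_to_symbolic(mode):
    """Render st_mode like `ls -l`: type char plus three rwx triplets.

    setuid/setgid/sticky replace the x slot of their triplet with s/s/t when
    the execute bit is also set, and S/S/T when it is not.
    """
    if stat.S_ISDIR(mode):
        out = "d"
    elif stat.S_ISLNK(mode):
        out = "l"
    else:
        out = "-"
    specials = ((stat.S_ISUID, "s"), (stat.S_ISGID, "s"), (stat.S_ISVTX, "t"))
    for shift, (special, letter) in zip((6, 3, 0), specials):
        bits = (mode >> shift) & 0o7
        out += "r" if bits & 4 else "-"
        out += "w" if bits & 2 else "-"
        if mode & special:
            out += letter if bits & 1 else letter.upper()
        else:
            out += "x" if bits & 1 else "-"
    return out


def parse_getfacl(text):
    """Parse getfacl's long output into header fields, access entries and default entries.

    Entries are keyed by (tag, qualifier), e.g. ("group", "") for the owning
    group or ("user", "alice") for a named user, and map to the perms string.
    """
    acl = {"header": {}, "access": {}, "default": {}}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            key, _, value = line[1:].partition(":")
            acl["header"][key.strip()] = value.strip()
            continue
        # getfacl may append "#effective:..." after an entry; drop that part.
        line = line.split("#", 1)[0].strip()
        table = acl["access"]
        if line.startswith("default:"):
            table = acl["default"]
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        table[(tag, qualifier)] = perms
    return acl


def check_policy(acl):
    """Return a list of deviations from the post's intended setup (empty means compliant)."""
    problems = []
    # "# flags: -s-" lists setuid, setgid and sticky in that order.
    flags = acl["header"].get("flags", "---")
    if flags[1:2] != "s":
        problems.append("setgid bit not set: new files will not inherit the directory group")
    default = acl["default"]
    if not default:
        problems.append("no default ACL: new files will not inherit any entries")
        return problems
    if default.get(("group", "")) != "rwx":
        problems.append("default group entry is not rwx")
    if default.get(("other", "")) != "r--":
        problems.append("default other entry is not read-only")
    return problems


def audit_dir(path):
    """Live check of a directory: ls-style mode string, setgid flag, default ACL present."""
    st = os.stat(path)
    try:
        # Linux stores the default ACL in this xattr; absent means ENODATA.
        has_default_acl = bool(os.getxattr(path, "system.posix_acl_default"))
    except (AttributeError, OSError):
        has_default_acl = False
    return {
        "symbolic": mode_to_symbolic(st.st_mode),
        "setgid": bool(st.st_mode & stat.S_ISGID),
        "default_acl": has_default_acl,
    }


def demo_live_check():
    """Create a scratch directory, apply the post's `chmod g+s` step with os.chmod,
    return audit_dir() for it, and remove the directory again."""
    path = tempfile.mkdtemp()
    try:
        os.chmod(path, 0o2775)  # rwxrwsr-x, the same mode the post's listing shows
        return audit_dir(path)
    finally:
        os.rmdir(path)


if __name__ == "__main__":
    print(mode_to_symbolic(stat.S_IFDIR | 0o2775))
    findings = check_policy(parse_getfacl(SAMPLE_GETFACL))
    print(findings or "sample ACL matches the intended policy")
    print(demo_live_check())
```

Running it against real output is a matter of feeding `getfacl /home/user1` into `parse_getfacl` and acting on whatever `check_policy` returns; the `default_acl` field of `audit_dir` only becomes true on a filesystem that stores POSIX ACLs, which is the same requirement `setfacl -d` has.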

Access Control Lists aka ACLs for Linux file systems.

Traditionally, three permission sets are defined for each file object on a Linux system. These sets include the read (r), write (w), and execute (x) permissions for each of three types of users—the file owner, the group, and other users. In addition to that, it is possible to set the set user id, the set group id, and the sticky bit. This lean concept is fully adequate for most practical cases. However, for more complex scenarios or advanced applications, system administrators formerly had to use a number of workarounds to circumvent the limitations of the traditional permission concept.