Access control lists
The straight answer is access control lists (ACLs). Yeah, you can find a counterexample, but they're good enough in practice (unlike mere group writability which requires that users think about it all the time). What they do require is that the system administrator (root) define the groups, if you want files to be shared only by a named group (root can choose to delegate, for example by accepting groups from LDAP, but that's another story).
You do need participating users to have a umask of 022. If they create non-world-readable files routinely, this scheme won't work. But if they have a restrictive umask, it's presumably because they don't want to share files anyway.
Enabling ACLs
Ubuntu doesn't enable ACLs by default, so there's a one-time admin requirement. Edit /etc/fstab using your favorite editor, and change every line corresponding to a filesystem where you want to share files: add acl to the options. (Make sure not to change any other line, and not to use an editor that wraps long lines.) Here's an example line with the acl option added:
UUID=5e1ec7ed-face-dead-beef-c011ec7ab1e5 / ext4 errors=remount-ro,acl 0 1
For the option to take effect the first time, use a command like the following (for each filesystem):
sudo mount -o remount,acl /
Install the ACL tools from the acl package.
Setting up the shared directory
To have files shared by the group mygroup:
setfacl -m group:mygroup:rwx /path/to/shared/root
setfacl -d -m group:mygroup:rwx /path/to/shared/root
If people create files and copy them to the shared directory, the files will be world-readable (because of the umask) and anyone in the group can add and remove files (because the group is group-writable). People can't edit each other's files, but that's a good thing or you'd run into editing conflicts straight away.
If you don't have a unix group, you can add users one by one:
setfacl -m user:bob:rwx /path/to/shared/root
setfacl -d -m user:bob:rwx /path/to/shared/root
Version control
If you do want people to be able to edit files in place, you also need something to prevent editing conflicts. That's version control.
You don't need any of this to share a git repository. You know there are solutions like gitosis, so use them.
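A check for the shared-directory setup in the ACL answer above, as an added example that is not part of the original answers: it reads getfacl output and confirms that the group has effective rwx in both the access ACL and the default ACL. The function name audit_acl and the sample output are constructed for illustration; mygroup and the path are the placeholders used in the answer.

```shell
#!/bin/sh
# Added example (not from the original answer): audit getfacl output for the
# shared-directory setup. Live use: getfacl /path/to/shared/root | audit_acl mygroup

# audit_acl GROUP: read getfacl output on stdin; print "ok" when GROUP has
# effective rwx in both the access ACL and the default (inherited) ACL,
# otherwise print one finding per problem.
audit_acl() {
    awk -v grp="$1" '
        /^#/ || /^[ \t]*$/ { next }            # header comments, blank lines
        {
            sub(/[ \t]*#.*$/, "")              # drop "#effective:r-x" notes
            split($0, f, ":")
            off   = (f[1] == "default") ? 1 : 0
            scope = off ? "default" : "access"
            if (f[1 + off] == "group" && f[2 + off] == grp) entry[scope] = f[3 + off]
            if (f[1 + off] == "mask") mask[scope] = f[3 + off]
        }
        END {
            split("access default", scopes, " ")
            for (i = 1; i <= 2; i++) {
                s = scopes[i]
                if (!(s in entry))
                    print s ": no entry for group " grp
                else if (entry[s] != "rwx")
                    print s ": group " grp " has only " entry[s]
                else if ((s in mask) && mask[s] != "rwx")
                    print s ": mask " mask[s] " limits group " grp
                else
                    ok++
            }
            if (ok == 2) print "ok"
        }'
}

# Constructed sample: only the first setfacl was run, then chmod g-w on the
# directory, which rewrites the ACL mask instead of the owning-group entry.
SAMPLE_BROKEN='# file: path/to/shared/root
# owner: root
# group: root
user::rwx
group::r-x
group:mygroup:rwx    #effective:r-x
mask::r-x
other::r-x'

printf '%s\n' "$SAMPLE_BROKEN" | audit_acl mygroup
```

On the constructed sample it reports the reduced mask on the access ACL and the missing default entry, the two ways this setup most often ends up not granting what was intended.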
I think you need to use the following parameters:
# I changed the permissions to rw-rw-r--
# You should be able to change them to 775 if you need the files to
# be executable
create mask = 664
force create mode = 664
security mask = 664
force security mode = 664
# I set the SGID flag here as I thought this is what you wanted
# You could change to 0775
directory mask = 2775
force directory mode = 2775
directory security mask = 2775
force directory security mode = 2775
I was looking for a nice explanation of how these settings work, but could not find anything better than man smb.conf. You will have to scroll down a bit for those options.
Basically, in a nutshell, Windows permissions are not the same as Unix (Linux) and it is a bit odd how Samba maps permissions.
Best Answer
If your colleague is in the sudoers list he is root as much as you if he wants it (and he can impersonate you too), and then he can see everything.
This is the worst setup you can have if you want user privacy. You should definitely read into how user management on Linux works. Here are a few articles you can start with:
And even then if someone has physical access to the machine in question, there is no privacy, he could drop at boot into a root shell and see everything no matter what, and if this would be password protected he could still use a USB stick and go in this way.
So the best thing in that case is proper user management, a password for root, and an encrypted drive and/or encrypted home directories.