Linux – Understanding Linux File / Folder Permissions


I have multiple folders that need to be accessed by multiple users. Specifically, Medusa (which I use to track which episodes of TV shows I do not have backed up yet), Plex (which I use to stream my digital backups to various devices around my home), and Media (which is the user login I SSH into the machine with). The issue I'm having is that no matter what I do, I cannot get all three users to have access to the folder at the same time.

I have added all users to a group, set the file/folder permissions to allow full rwx permissions for user, group and everyone settings, but still cannot seem to get all three to work at the same time.

All of the files / folders are on a second hard drive (sdb1) rather than on the boot drive, in case that matters for some reason. The mount point for the hard drive is /media/media/storage2 however I run all commands starting at /media/ because for some reason if I don't, the user is unable to access anything on the drive in the end.

I use the command sudo chown -R plex:server /media/ to change the owner:groupOwner of the files to plex when I want to watch something. server is the group I created containing all users.

I use the command sudo find /media/ -type d -exec chmod 777 {} \; to change the permissions for all folders, and sudo find /media/ -type f -exec chmod 777 {} \; for all files.

I do realize that 777 is not good for security, I originally was going to use 775 but until I figure this out I was hoping 777 would fix the issue, and it hasn't.

I'm not sure what else I can try to make this happen.

Edit:
Tried JHuffard's suggestion, ran sudo chown -R plex /media/, sudo chgrp -R server /media/ and sudo chmod -R 777 /media/ and everything is still locked down, despite permissions showing drwxrwxrwx for all relevant directories and files.

Best Answer

These ACL commands are for Linux only. First, set all ownership and permissions to something standard.

chown -R root:root /media
find /media -type d -exec chmod 0755 {} +
find /media -type f -exec chmod 0644 {} +

Files

Next, decide how to use Access Control Lists (ACLs) appropriately. (You know the details about which users and/or groups require read or write access to which files or directories, but these were not specified in the question.) Some examples follow. Keep in mind that each example is setting an explicit ACL in order to get the ACLs defined correctly for files (not directories just yet). Later, ACLs and default ACLs can be applied to directories. Below, -m is the mask to apply.

# Give medusa user (u) read-write; give group_name (g) read; give others (o) read.
find /media -type f -exec setfacl -m u:medusa:rw-,g:group_name:r--,o:r-- {} +

# Give plex user (u) read-write.
find /media -type f -exec setfacl -m u:plex:rw- {} +

# Give server group (g) read-write.
find /media -type f -exec setfacl -m g:server:rw- {} +

# Give media user (u) read-write.
find /media -type f -exec setfacl -m u:media:rw- {} +

# Give media user (u) read-write, server group (g) read-write, others (o) read.
find /media -type f -exec setfacl -m u:media:rw-,g:server:rw-,o:r-- {} +

Directories

Whichever ACLs were applied to the files can be applied to the directories as well, but a slight variance applies in that one can also set the default ACL (-d). By using the -d switch, all new filesystem objects in the directory inherit defined ACLs automatically. It is important to remember that one must set both an ACL for the directory itself and a default ACL if automatically applying ACLs to new files. Also note that, below, execute (x in rwx) is required to change directories (cd); but, this does not mean that the execute bit applies to files. Rather, the execute bit applies to new directories only.

# For each directory itself:
find /media -type d -exec setfacl    -m u:media:rwx,g:server:rwx,o:r-x {} +

# To set a default ACL in each directory - the same command as above with the `-d` switch:
find /media -type d -exec setfacl -d -m u:media:rwx,g:server:rwx,o:r-x {} +

Repeat the two commands above for each ACL, changing users and/or group according to objectives. This action stacks the ACLs so that one can add as many ACLs as desired and accomplish the automatic assignment of the ACLs for each new filesystem object.


One can use the "ugo" method (e.g: rwx) or octal (e.g: 7). The two notations map as follows.

  • rwx = 7
  • r-- = 4
  • rw- = 6
  • r-x = 5

In other words, the following commands are equivalent.

find /media -type d -exec setfacl -m u:media:rwx,g:server:rwx,o:r-x {} +
find /media -type d -exec setfacl -m u:media:7,g:server:7,o:5 {} +

The group and other masks work the same way: g:groupname:--- or in combination as follows.

u:username:---,g:groupname:---,o::---

I have noticed that a single colon also seems to work for "other".

u:username:---,g:groupname:---,o:---

Not specifying a username or group name applies the mask to current user/group ownership.


Not knowing exactly what user or group requires what level of access, it's difficult to be more precise. One might need to analyze first, possibly starting the process deeper in the directory tree. It might be helpful when first playing around with ACLs to know how to remove them all: setfacl -Rb /media. Also, one might use info and/or man to read the manual on setfacl, getfacl, and acl. There are also many questions and answers on ACLs. Just be sure to discern whether the ACL Q/A is for Linux because that's the OS in question. (ACLs are implemented differently according to major OS variants.) The standard ownership and permissions that were set at the top of this answer will be augmented by the ACLs. Wherever an ACL exists, you'll notice that a + sign exists - something like the mockup below.

drwxr-xr-x  2 root root 4096 Jul 8 16:00 dir_without_acl
drwxr-xr-x+ 2 root root 4096 Jul 8 16:00 dir_with_acl

Services accessing these files may need to be restarted.
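Putting the answer's base-permission, file ACL, directory ACL and default-ACL steps together, as an added example that is not part of the original answer: a POSIX shell script that applies them to a temporary tree and uses getfacl to confirm that a file created afterwards inherited the entries. It assumes the acl package (setfacl/getfacl) is installed and an ACL-capable filesystem; the numeric IDs are constructed stand-ins for the plex, medusa and media users and the server group.

```shell
#!/bin/sh
# Added example, not part of the answer above: applies its recipe to a
# throwaway tree and checks that a file created afterwards inherits the ACL.
# Assumptions: setfacl/getfacl are installed and the filesystem under $TMPDIR
# supports POSIX ACLs. The numeric IDs are constructed stand-ins for the plex,
# medusa and media users and the server group (accounts may not exist here).
PLEX_UID=${PLEX_UID:-2001}
MEDUSA_UID=${MEDUSA_UID:-2002}
MEDIA_UID=${MEDIA_UID:-2003}
SERVER_GID=${SERVER_GID:-2100}

# Step 1 of the answer: standard base modes. (The chown root:root step needs
# root and is left to the administrator.)
set_base_perms() {
    find "$1" -type d -exec chmod 0755 {} + &&
    find "$1" -type f -exec chmod 0644 {} +
}

# Step 2: access ACLs on existing files and directories, then a default ACL
# (-d) on every directory so objects created later inherit the same entries.
apply_acls() {
    f_spec="u:$PLEX_UID:rw-,u:$MEDUSA_UID:rw-,u:$MEDIA_UID:rw-,g:$SERVER_GID:rw-,o::r--"
    d_spec="u:$PLEX_UID:rwx,u:$MEDUSA_UID:rwx,u:$MEDIA_UID:rwx,g:$SERVER_GID:rwx,o::r-x"
    find "$1" -type f -exec setfacl    -m "$f_spec" {} + &&
    find "$1" -type d -exec setfacl    -m "$d_spec" {} + &&
    find "$1" -type d -exec setfacl -d -m "$d_spec" {} +
}

# Creates a new file in directory $1 and prints the getfacl entry for uid $2,
# e.g. "user:2001:rwx #effective:rw-" (the effective part is what the mask allows).
inherited_entry() {
    : > "$1/new_episode.mkv"
    getfacl --omit-header "$1/new_episode.mkv" 2>/dev/null |
        grep "^user:$2:" | tr -s '[:blank:]' ' ' | tr -d '\n'
}

# Whole flow on a temporary tree. Prints "ok" when the new file carries plex's
# entry, "skipped" when ACL tools or filesystem support are missing, else "fail".
acl_demo() {
    command -v setfacl >/dev/null 2>&1 || { echo skipped; return 0; }
    root=$(mktemp -d) || { echo fail; return 1; }
    mkdir -p "$root/TV/Show1" && : > "$root/TV/Show1/ep1.mkv"
    set_base_perms "$root"
    if ! apply_acls "$root" 2>/dev/null; then rm -rf "$root"; echo skipped; return 0; fi
    entry=$(inherited_entry "$root/TV/Show1" "$PLEX_UID")
    rm -rf "$root"
    case "$entry" in "user:$PLEX_UID:rwx"*) echo ok ;; *) echo fail ;; esac
}
```

Source the script and call `acl_demo`; the named-user entries are copied verbatim from the directory's default ACL, while the `#effective` column reflects the mask derived from the new file's creation mode and umask, which is what to inspect with getfacl when a user still cannot write despite a matching entry.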
