Linux – How to set a directory’s permissions for group read/execute access

Tags: apache-httpd, arch-linux, linux, permissions, xampp

I am running Arch and have just installed XAMPP. I have changed my document root to /srv, which is a separate EXT4 partition. I have set the Apache HTTP server to use a group called "http". I have added my user to the http group. I want every file created in the /srv folder to be assigned to the http group and for all the files to have group read and execute access.

I have run the following commands:

sudo chgrp -R http /srv/
sudo chmod -R g+rwxs /srv/

And set the umask at the bottom of my ~/.bashrc to:

umask 002

However I notice 2 things:

  1. When I extract a zip file that is owned by the http group, the immediate folder created by my archive application is owned by the http group, but all the subdirectories and files are still owned by the default "user" group.
  2. Creating a new file with nano gives me a different permission (-rw-rw----) than creating one with Gedit (-rw-r--r--).

What umask should I be using to force user - all, group - read/execute, others - none?

How do I force all files to be owned by http regardless of what program creates them there?

Best Answer

That is not such an easy problem as one might guess. The point is that

  1. directories' sticky bit

  2. umask

  3. even ACLs (and richacls)

are defaults only. Nothing prevents a process from changing these values after the creation of a file or directory. An archive program may even be interested in restoring the original values.

I cannot reproduce your zip experience. I have Zip 3.0 (openSUSE 13.1). Here the sticky group of the parent folder is successfully inherited.

Using ACLs for default ACLs (adding the group explicitly i.e. not as file group (ACL_GROUP_OBJ) but as pure ACL entry) does not prevent an application from making modifications but in my experience this happens less often.

The only safe way is a privileged daemon which either regularly checks for new files / directories or is kept informed by FAM. This daemon can then change the file ownership so that normal processes can just modify (and maybe delete) the file but cannot change its access rights any more. Maybe this can be done with FUSE, too.
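A worked version of the points above, added here as an example; it is not code from the question or the answer. It runs in a throwaway directory as an unprivileged user (the shared group defaults to the caller's primary gid and stands in for http; GNU coreutils `stat -c` is assumed) and shows: the umask that yields user rwx / group r-x / others none (027), that the directory's setgid bit makes new files inherit its group, that a program which picks its own mode (the Gedit case) is not governed by the umask, that the owner can chmod the file afterwards, and a `fix_tree` sweep of the kind the answer suggests running from a privileged daemon or timer. The function names and SHARED_GROUP variable are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original question or answer. It reproduces,
# in a throwaway directory, what the setgid bit, umask and an explicit create
# mode do to new files, and why the answer calls them "defaults only": the
# creating process (or a later chmod) can always override them. fix_tree is
# the periodic sweep the answer suggests.
# Assumptions: GNU coreutils (stat -c). SHARED_GROUP stands in for "http" and
# defaults to the caller's primary gid so the script needs no root.
set -eu

SHARED_GROUP=${SHARED_GROUP:-$(id -g)}

# Numeric gid and octal mode of a path (e.g. "1000" and "640").
file_group() { stat -c '%g' "$1"; }
file_mode()  { stat -c '%a' "$1"; }

# Prepare a directory as in the question: group-owned and setgid.
# 2750 = setgid bit (2) + u=rwx, g=r-x, o=---.
make_shared_dir() {
    dir=$(mktemp -d)
    chgrp "$SHARED_GROUP" "$dir"
    chmod 2750 "$dir"
    printf '%s\n' "$dir"
}

# Create an empty file the way a shell redirection or nano does: open(2) with
# mode 0666, which the kernel masks with the umask. umask 027 gives 0640
# (u=rw, g=r, o=); the question's 002 gives 0664 (group writable).
# Files never get group execute this way, since 0666 carries no x bits.
create_with_umask() {
    dir=$1; mask=$2; name=$3
    ( umask "$mask" && : > "$dir/$name" )
    file_mode "$dir/$name"
}

# Some programs set the mode themselves after creating the file (the question
# reports Gedit ending up with 0644 despite umask 002). The umask in force
# here does not matter: the file ends up 0644 anyway.
create_with_explicit_mode() {
    dir=$1; name=$2
    ( umask 002 && : > "$dir/$name" && chmod 644 "$dir/$name" )
    file_mode "$dir/$name"
}

# The owner may always tighten (or loosen) the mode afterwards; setgid and
# umask only influence the initial value.
tighten_after_create() {
    chmod 600 "$1"
    file_mode "$1"
}

# The sweep the answer describes: run periodically as a privileged user and
# re-apply group ownership, setgid on directories and group r-x everywhere.
# Files keep any execute bits they already have; "others" lose all access.
fix_tree() {
    root=$1
    chgrp -R "$SHARED_GROUP" "$root"
    find "$root" -type d -exec chmod u=rwx,g=rx,g+s,o= {} +
    find "$root" -type f -exec chmod u+rw,g+r,g-w,o= {} +
}

main() {
    d=$(make_shared_dir)
    echo "directory : $(file_group "$d") $(file_mode "$d")"        # <gid> 2750
    echo "umask 027 : $(create_with_umask "$d" 027 nano.txt)"      # 640
    echo "umask 002 : $(create_with_umask "$d" 002 loose.txt)"     # 664
    echo "explicit  : $(create_with_explicit_mode "$d" gedit.txt)" # 644
    echo "chmod 600 : $(tighten_after_create "$d/nano.txt")"       # 600
    fix_tree "$d"
    echo "after fix : $(file_mode "$d/nano.txt") $(file_mode "$d/loose.txt") $(file_mode "$d/gedit.txt")" # 640 640 640
    # setgid inheritance: every file carries the directory's group
    for f in "$d"/*; do
        [ "$(file_group "$f")" = "$SHARED_GROUP" ] || echo "group mismatch: $f"
    done
    rm -rf "$d"
}
main
```

Run it as a normal user; it never touches /srv. For the real setup, run `fix_tree /srv` with `SHARED_GROUP=http` from a root cron job or systemd timer, or trigger it from a file-change notifier as the answer suggests. One caveat on the umask in the question: `~/.bashrc` is only read by interactive bash, so programs started from the desktop session rather than from a terminal do not see `umask 002` and keep the login default (commonly 022), which is consistent with the `-rw-r--r--` observed for Gedit; a umask meant for every process should be set where the session reads it, such as `/etc/profile` or a `pam_umask` setting.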
