| 1 |
On 17/03/2016 19:19, hw wrote: |
| 2 |
> |
| 3 |
> Hi, |
| 4 |
> |
| 5 |
> how can I make it so that multiple users on a system who create |
| 6 |
> files in a local, shared directory do have write access to files |
| 7 |
> created by other users within the shared directory? |
| 8 |
> |
| 9 |
> The directory is group-writeable, and the users belong to the group |
| 10 |
> which owns the directory. This enables them to create files within |
| 11 |
> the shared directory, yet the files they create belong to the user |
| 12 |
> who created it, and other users cannot modify them. The sticky bit |
| 13 |
> is set so that the files are owned by user:common-group. |
| 14 |
> |
| 15 |
> I would like to avoid changing the umask. If that cannot be avoided, |
| 16 |
> how do I change it? Users log in through x2goclient, and fvwm is |
| 17 |
> being executed on login. |
| 18 |
> |
| 19 |
|
| 20 |
Ooooooh, that's a horrible one, with no really obvious answer. |
| 21 |
|
| 22 |
First, you cannot do it with just regular Unix permissions. |
| 23 |
|
| 24 |
umask is just not viable either, as a) it's global and affects all files |
| 25 |
a user creates and b) by definition umask is modifiable by the user |
| 26 |
(it's a feature to help users out so they don't need to chmod every file |
| 27 |
every time) and c) you can't stop them doing it (by design). |
| 28 |
|
| 29 |
There is a way to do it with Posix ACLs, I figured it out once. It was |
| 30 |
ugly. It was horrible. It was impossible to describe to someone else. |
| 31 |
And it was invisible (you had to spot the tiny "+" in ls -al and know |
| 32 |
what it means to know to look further. |
| 33 |
|
| 34 |
The simplest way is to run chown -R g+w dir in a cron every few minutes. |
| 35 |
This works but it's inelegant. |
| 36 |
|
| 37 |
The best solution I have found yet is to use the inotify feature in the |
| 38 |
kernel. It's an event framework and really neat: tell the kernel to |
| 39 |
generate an event every time something specific happens on the |
| 40 |
filesystem, and write a small listener that run chmod. There are many |
| 41 |
examples in the man pages. |
| 42 |
|
| 43 |
In your case, the area to monitor is the shared directory itself, and |
| 44 |
the event to register is on_file_create and on_file_modify. The listener |
| 45 |
is a small script that launches chmod g+w |
| 46 |
|
| 47 |
Do read the man pages thoroughly, the above will become clearer. inotify |
| 48 |
is an amazing tool, I wish it were more in common use. |
| 49 |
|
| 50 |
|
| 51 |
-- |
| 52 |
Alan McKinnon |
| 53 |
alan.mckinnon@×××××.com |
Archives