I'm having trouble finding a certain balance between owner and group permissions for directories and files.
As the development of the application progresses, the number of processes involved increases, and each of them runs with a different owner and group.
The problem I encounter is the following:
I use these directories as an example.
drwxr-xr-x 7 www-data www-data cache/
drwxr-xr-x 10 www-data www-data log/
drwx------ 2 www-data www-data sessions/
Sometimes the user ubuntu has to do some operation on the files contained in these directories, for example log/. With the consequent error, because he is neither the owner nor does he belong to the group.
As a test, I added the user ubuntu to the group www-data.
When the file is first created in log/ by the user ubuntu, the following case occurs:
drwxrwxr-x 10 www-data www-data log/
├── -rw-rw-r-- 1 www-data www-data log.error.20170315.log
├── -rw-rw-r-- 1 www-data www-data log.error.20170322.log
└── -rw-rw-r-- 1 ubuntu ubuntu log.error.20170327.log
The file in log/ is created with the user and group ubuntu. If the user www-data then wants to edit that same file, it returns errors.
My question then is:
How can you establish permissions between users and groups without generating this type of conflict?
Hi, in cases similar to yours, when I want several users belonging to a group, for example www-data, to be able to read and write in a directory, and when creating files or directories I want these to belong to the group www-data by default, what I do is activate the SGID bit of the directory, like this. With this you get that all the files or directories created within log have the group of the log directory assigned. I hope it helps you.
I would use ACLs. In Ubuntu it is possible to set ACL lists to customize permissions and give each user or group a specific permission.
To see the list, you can use the getfacl command.
To set ACL lists we do:
where:
setfacl: the command to set an ACL list on a resource
-m: to set permissions
u: u for user, g for group
ubuntu: the user we are going to give the ACL to
x: the permissions we are going to give
resource: the folder or file whose permissions we are going to change
Example 1:
setfacl -m "u:pepe:7" quijote.txt
We give the user pepe level 7 permission (read, write and execute) on the file quijote.txt
Example 2:
#Give the students group level 5 permissions (read and execute) on the file quijote.txt
Example 3:
We give the user user1 permission level 0 (no permission) on the Videos folder
And then we look at the lists with getfacl
If you have any doubts, just look for information about the setfacl command and ACL lists in Linux. All the best.

Permissions work hierarchically. In this case, if you want the user www-data to modify the log, why not create it with that user, if the user ubuntu is in the group www-data? That would be the easiest solution. If you don't want that, the file log can have owner ubuntu and group owner www-data, which is another solution for access by the user www-data.
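The setfacl/getfacl approach from the ACL answer above, as an added example that is not part of any of the original answers. It assumes Linux with the acl package installed and a filesystem mounted with ACL support; since no extra accounts exist here, the demo grants access to the current user instead of pepe or the students group.

```shell
#!/bin/sh
# Added example, not code from the original answer.
# Grants one user read/write on a file with a POSIX ACL, leaving the file's
# owner and group untouched, then reads the entry back with getfacl.
# Assumptions: Linux with the acl package (setfacl/getfacl) installed and a
# filesystem mounted with ACL support (ext4, xfs, tmpfs all qualify); no
# extra accounts exist here, so the demo grants access to the current user.

set -eu

# Grant user $2 the permissions $3 on $1. $3 is either rwx letters (rw-)
# or a single octal digit (7 = rwx, 5 = r-x, 0 = none), as in the answer.
grant_user_acl() {
    setfacl -m "u:$2:$3" "$1"
}

# Grant group $2 the permissions $3 on $1.
grant_group_acl() {
    setfacl -m "g:$2:$3" "$1"
}

# Remove every extended ACL entry from $1, leaving only the classic
# owner/group/other bits.
clear_acl() {
    setfacl -b "$1"
}

# Print the ACL line for user $2 on $1, e.g. "user:pepe:rw-". Header lines
# are omitted (-c), absolute names are kept (-p) and any "#effective:"
# annotation (printed when the mask restricts the entry) is stripped so the
# result is easy to compare. Prints nothing when no entry exists.
acl_entry_for_user() {
    getfacl -c -p "$1" | grep "^user:$2:" | sed 's/[[:space:]]*#.*$//'
}

# Returns 0 when $1 carries an extended ACL: ls marks such files with "+"
# right after the ten mode characters.
has_extended_acl() {
    [ "$(ls -ld "$1" | cut -c11)" = "+" ]
}

# Grant, show and remove an entry on a temporary file.
demo() {
    if ! command -v setfacl >/dev/null 2>&1; then
        echo "setfacl not installed (package acl); nothing to demonstrate" >&2
        return 0
    fi
    f=$(mktemp)
    me=$(id -un)
    grant_user_acl "$f" "$me" 6
    echo "after grant: $(acl_entry_for_user "$f" "$me")"
    ls -l "$f"          # note the trailing "+"
    clear_acl "$f"
    ls -l "$f"          # "+" is gone again
    rm -f "$f"
}

demo
```

Applied to the question, grant_user_acl log/log.error.20170327.log www-data rw- would let www-data edit the file ubuntu created without changing its owner or group; the mask line that getfacl prints is the upper bound for every named entry, so a restrictive chmod on the group bits can silently cut those grants down.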