About permissions supporting group file sharing
Retread of permissions
Add up the bits you want; the sum is the numeric (octal) permission:
For the file's user:
- 400 read
- 200 write
- 100 execute
For members of the file's group:
- 40 read
- 20 write
- 10 execute
For everyone else, i.e. "other":
- 4 read
- 2 write
- 1 execute
Special bits:
- 4000 set user ID (on execution)
- 2000 set group ID (on execution, also affects files created in directories)
- 1000 sticky (on modern systems, specific to directories)
Lastly, on some systems a particular combination of bits, rather than a new bit, is reused to mean something else; the well-known case is the set-group-ID bit on a file that has no group-execute permission, which used to request mandatory locking. Those won't be reprised here.
Permissions across Unix, Linux, and Linux + group sharing
Classic Unix first. These are the modes programs request when they create files and directories, i.e. what you get if the umask is 0:
- 666 for files
- 777 for directories
Both of those are terribly unwise, so what's actually used is:
- umask is set to 022 for users; every bit set in the umask is cleared from the 666 or 777 when files/dirs are created (for a tidy umask like 022 that looks like subtraction, but it is bit-clearing: 666 with umask 027 gives 640, not 637), so:
- 644 is normal for files
- 755 is normal for directories and executable files
Users will then adjust permissions, classically with chmod go-rwx … on more private stuff
- 600 is for files you don't want other users to access
- 700 is for directories you don't want other users to access
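The umask arithmetic above, as an added example that is not part of the original note: a small POSIX shell script that applies a umask to the classic creation modes by clearing bits, next to the "subtract it" shortcut so you can see where the shortcut stops working. Function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original note: how the umask turns the
# requested creation mode (666 for files, 777 for directories) into the mode
# you actually get. The umask is applied by clearing bits, not by subtraction;
# the two only agree for "tidy" umasks like 022 or 002.

# effective_mode REQUESTED UMASK -> prints the resulting octal mode
effective_mode() {
    # The leading 0 makes the shell parse both numbers as octal.
    printf '%o\n' $(( 0$1 & ~0$2 ))
}

# naive_subtraction REQUESTED UMASK -> what octal subtraction would give;
# shown only to illustrate why "subtract the umask" is the wrong mental model
naive_subtraction() {
    printf '%o\n' $(( 0$1 - 0$2 ))
}

# new_file_mode UMASK / new_dir_mode UMASK -> modes for the classic defaults
new_file_mode() { effective_mode 666 "$1"; }
new_dir_mode()  { effective_mode 777 "$1"; }

# A small table when run directly.
for m in 000 022 002 027 077; do
    printf 'umask %s: files %s, dirs %s (subtracting 666-%s would give %s)\n' \
        "$m" "$(new_file_mode "$m")" "$(new_dir_mode "$m")" \
        "$m" "$(naive_subtraction 666 "$m")"
done
```

With umask 027 the bit-clearing answer is 640 (rw-r-----), which is what the kernel does; octal subtraction gives 637, a mode that would grant "other" full access. The same mismatch shows up for 077 (600 versus 567).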
Now, Linux adds a quirk to this if you're using the model (many distros are) where every user also has her own user-private group. This supports a specific way to share files in one place among a group of users, and it cooperates with set-group-ID bits on directories. If you aren't sharing writable files among a group of local users, you don't need the full details (those set-gid bits), but here's what the model means for permissions on users' personal files (otherwise see the Classic list above):
- umask is set to 002, which clears only the "other" write bit (the 2 in the last digit) from the default permissions
- 2775 is set on user homes by the system; the 2000 (set-group-ID) bit is inherited by directories created inside, and it stamps the directory's group on anything created within it
- Note: sshd (with StrictModes, the default) refuses to use keys from a home directory that is group-writable, so the group-write bit has to come off the home directory:
chmod 2755 ~
- To keep the keys safe (sshd also insists that ~/.ssh and authorized_keys aren't group- or world-writable, and ssh refuses to load a private key that others can read):
chmod 700 ~/.ssh
- 664 is normal for user files
- 2775 is normal for user directories
- 775 for user executables (although 755 is more common)
In a group-shared directory, some group all the sharing users belong to, like "coolkids", is stamped on the directory (together with the set-group-ID bit), and everything created inside picks up that group automatically. The users' umask of 002 makes anything created there writable by the entire group. Yet, thanks to the personal groups, that same umask doesn't expose those users' home directories: a file in a home directory is group-writable only for the user's own private group, which has no other members. (In classical Unix, users didn't have personal groups; everyone sat in a shared group like "users", so a umask of 002 would have let every local user edit your files, which is why 022 was the sensible default there.)
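The shared-directory setup just described, as an added example that is not part of the original note: a POSIX shell script that creates a set-group-ID, group-writable directory, then creates a file and a subdirectory inside it under umask 002 and reports the group and mode each one inherited. It assumes Linux semantics (a new subdirectory inherits the parent's set-group-ID bit) and picks the shared group from the caller's own groups, so no "coolkids" group needs to exist; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not part of the original note: set up a group-shared directory
# the way the text describes (group stamped on it, set-group-ID, group-writable,
# nothing for "other") and check what a file and a subdirectory created inside
# it inherit under umask 002. Assumes Linux with POSIX ls/chmod/chgrp.
# The shared group is taken from the caller's own groups so the demo needs no
# pre-created "coolkids" group; any group the caller belongs to will do.

# mode_string PATH -> the nine-character rwx string shown by ls -l
mode_string() {
    ls -ldn "$1" | cut -c2-10
}

# gid_of PATH -> numeric group id owning PATH
gid_of() {
    ls -ldn "$1" | awk '{print $4}'
}

# setup_shared_dir DIR GID -> directory owned by group GID, mode 2770
setup_shared_dir() {
    mkdir -p "$1" &&
    chgrp "$2" "$1" &&
    chmod 2770 "$1"          # 2000 set-group-ID + 770
}

# shared_dir_demo -> creates notes.txt and sub/ inside a fresh shared directory
# and prints "<file-group-matches-dir-group> <file-mode> <subdir-mode>"
shared_dir_demo() {
    base=$(mktemp -d)
    shared="$base/shared"
    # Prefer a secondary group, so the inherited group visibly differs from the
    # creator's primary group; fall back to the primary group if there is none.
    gid=$(id -G | awk '{print $2}')
    if [ -z "$gid" ] || ! setup_shared_dir "$shared" "$gid" 2>/dev/null; then
        gid=$(id -g)
        setup_shared_dir "$shared" "$gid"
    fi
    (
        umask 002            # the user-private-group umask: clears only other-write
        cd "$shared" || exit 1
        : > notes.txt        # 666 masked by 002 -> 664, group taken from the directory
        mkdir sub            # 777 masked by 002 -> 775, plus inherited set-group-ID
    )
    if [ "$(gid_of "$shared/notes.txt")" = "$gid" ]; then
        matches=yes
    else
        matches=no
    fi
    printf '%s %s %s\n' "$matches" \
        "$(mode_string "$shared/notes.txt")" "$(mode_string "$shared/sub")"
    rm -rf "$base"
}

shared_dir_demo
```

Run it and you should see "yes rw-rw-r-- rwxrwsr-x": the file carries the directory's group rather than the creator's primary group, both entries are group-writable because of the 002 umask, and the subdirectory has picked up the set-group-ID bit (the s in the group triplet), so the same rules carry on below it. Without the 2000 bit on the parent, the file would have been created with the creator's primary group and the sharing would silently break for everyone else.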