Solved A question on permissions

I have a directory with these permissions:

Code:
drwxrwxr-x   2 root mygrp   512 Dec 10 20:35 mydir

When I copy an executable into it, the executable gets these permissions:

Code:
-rwxr-xr-x  1 sergei mygrp 111968 Dec 10 21:04 myprg

I am happy with the owner set to me and the group inherited from the directory, but it has r-x permissions for the group, while I would want it to inherit the permission to write for the group from the directory - rwx.

I guess being the owner I can chmod after copying but I would want to avoid this extra step. Is there a way to achieve this on copying?

-
 
No, not the directory’s mode, but you can still achieve the effect via Access Control Lists. Assuming you were using ZFS as your file system:
Bash:
zfs get acltype,aclinherit `pwd` # confirm that it reports nfsv4 and not discard

# For the group `mygrp` writing payload data (`write_data`) is allowed.
# Usually `read_attributes` is needed, too, e. g. for a `stat(2)`,
# but that can be supplied via the `others`/`everyone@` mode.
# Note that the order of ACL entries matters:
# A subsequent ACL `deny` entry could remove privileges again.
# This ACL entry is inherited by non-directory files (`file_inherit`).
setfacl -m 'group:mygrp:write_data:file_inherit:allow' mydir

cp myprg ${_}               # $_ refers to the previous command’s last argument
getfacl -v ${_}/myprg       # verify the copied myprg has an inherited ACL entry

Inheritance takes place when creating new files. It is not evaluated dynamically. POSIX.1e ACLs support some inheritance, too, but I haven’t tested it (also it requires a different syntax).
[…] the group inherited from the directory […]
The group does not get inherited. It may by coincidence appear that way, but there is no actual inheritance at play.
Thank you, gentlemen!
May I kindly draw your attention to the “Thanks” button beneath each (foreign) post. Other people see “activity” in a thread but may be disappointed if the only thing they read was a thanks-message. You may also be interested in Thread 82253.
 
As mentioned before, it's possible to set NFSv4 ACLs inheritance flags to achieve what you want:
Code:
root #  ls -ld mydir
drwxrwxr-x 2 root mygrp 3 Dec 10 21:45 mydir


root # getfacl mydir
# file: mydir
# owner: root
# group: mygrp
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:-------:allow
         everyone@:r-x---a-R-c--s:-------:allow

root # setfacl -m group@:rwxpaRcs:f:allow mydir

root # getfacl mydir
# file: mydir
# owner: root
# group: mygrp
            owner@:rwxp--aARWcCos:-------:allow
            group@:rwxp--a-R-c--s:f------:allow
         everyone@:r-x---a-R-c--s:-------:allow

sergei % cp myprg mydir

sergei % ls -l mydir/myprg 
-rwxrwxr-x+ 1 sergei mygrp 0 Dec 10 21:45 mydir/myprg

NFSv4 ACLs are the default on ZFS; on UFS they can be enabled with the tunefs(8) -N option, or the fstab(5)/mount(5) option nfsv4acls.

I believe inheritance flags on POSIX.1E ACLs are not allowed.
 
It turns out no ACLs are necessary. While experimenting with them I had also modified umask, which produced a false positive. In fact, setting umask alone produces what is desired (kudos mer).
Code:
sergei@test:~ $ ls -ld /tmp/mydir
drwxrwxr-x  2 root mygrp 512 Dec 11 23:41 /tmp/mydir

sergei@test:~ $ ls -l myprg
-rwxrwxr--  1 sergei sergei 0 Dec 10 23:42 myprg

sergei@test:~ $ umask
0022

sergei@test:~ $ cp myprg /tmp/mydir

sergei@test:~ $ ls -l /tmp/mydir
-rwxr-xr--  1 sergei mygrp 0 Dec 11 23:42 myprg

sergei@test:~ $ rm /tmp/mydir/myprg

sergei@test:~ $ umask 002

sergei@test:~ $ cp myprg /tmp/mydir

sergei@test:~ $ ls -l /tmp/mydir
-rwxrwxr--  1 sergei mygrp 0 Dec 11 23:43 myprg
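
What the session above demonstrates, as an added example that is not part of the original post: cp without -p gives a newly created file the source file's mode with the umask bits cleared. The scratch paths and the function names `mode_of`, `predict_mode` and `copied_mode` are constructed for illustration; the subshell keeps the relaxed umask from applying to anything else the shell creates.

```shell
#!/bin/sh
# Added example: cp (without -p) creates the copy with the source's mode
# minus the bits set in the umask, as observed in the session above.

# Print a file's permission bits in octal (GNU stat first, then BSD stat).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Predicted mode for a newly created copy: source mode AND NOT umask.
predict_mode() {    # $1 = source mode (octal), $2 = umask (octal)
    printf '%o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# Copy a scratch file with the given mode under the given umask and
# print the mode the copy actually received.
copied_mode() {     # $1 = source mode (octal), $2 = umask (octal)
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/mydir"
    : > "$tmp/myprg"
    chmod "$1" "$tmp/myprg"
    # The subshell confines the relaxed umask to this one copy; the
    # calling shell keeps its own umask for everything else it creates.
    ( umask "$2" && cp "$tmp/myprg" "$tmp/mydir/" )
    mode_of "$tmp/mydir/myprg"
    rm -rf "$tmp"
}

# Constructed cases mirroring the thread: rwxrwxr-- source, umask 022 vs 002.
for mask in 022 002; do
    echo "umask $mask: predicted $(predict_mode 774 "$mask"), got $(copied_mode 774 "$mask")"
done
```

The rule only applies when the destination file does not exist yet; copying over an existing file leaves that file's mode as it was.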
 
Sorry, I could be misunderstanding the scenario so take the following question with a grain of salt. But why can't you just use `tar` to copy the file(s)? So the following is my test run (copying a file as root--so I have to explicitly say "--no-same-owner").

Obviously that's a lot of typing so you'd want to create a simple script out of that but am I just way off topic here (I mean I--john--cannot copy a file into a directory owned by root so, I have to be root to copy the file)?

Code:
root@testjail:/home/john/using-tar-to-copy # ls -ld
drwxr-xr-x  4 john john 4 Dec 10 18:00 .
root@testjail:/home/john/using-tar-to-copy # ls -l
total 1
drwxr-xr-x  2 john john 3 Dec 10 18:00 john-owned-dir
drwxr-xr-x  2 root john 3 Dec 10 18:55 root-owned-dir
root@testjail:/home/john/using-tar-to-copy # ls -l john-owned-dir/
total 1
-rw-r--r--  1 john john 0 Dec 10 18:00 john-owned.file
root@testjail:/home/john/using-tar-to-copy # cd ./john-owned-dir ; tar -cf - . | ( cd ../root-owned-dir ; tar --no-same-owner -xf - ) ; cd ..
/home/john/using-tar-to-copy/john-owned-dir
root@testjail:/home/john/using-tar-to-copy # ls -l root-owned-dir/
total 1
-rw-r--r--  1 root john 0 Dec 10 18:00 john-owned.file
 