How to give full access w/ chmod to multiple groups? Need to use ACL’s

Tags: chmod, launchd, mac-osx, permissions

First of all, thanks for reading. I've had success running a plist launchd job that is in my LaunchAgents folder. It basically calls a small shell script that chmod's a folder's permissions. I then have another job that calls another script that changes it back to what it was before.

Now, I'm trying to figure out how to chmod a folder/file permissions for a particular group. I realize that every folder/file has an owner that belongs to a group. Yes, but how do I explicitly give permissions to another group of users through a shell script? Is this possible? I have also been reading about ACL's, is this the route I should go?

My script is simple now:

chmod -R 777 <FOLDERNAME>

then back:

chmod -R 000 <FOLDERNAME>

Running this while logged in as the administrator.

But I'd like to grant access for another group, in theory:

chmod -R 777 <FOLDERNAME> <GROUPNAME> <-- yup, this is what I'm thinking

Best Answer

You need ACLs. First of all, your filesystem must be mounted with that option. You can remount it with that option with:

# mount -o remount,acl /mount/point

If you want this option static (available after each reboot):

# vi /etc/fstab
#...
/dev/partition  /mount/point  fstype  defaults,acl 1 2

The important part here is ",acl" in the options column. Everything else you can ignore.

Then you need to install the acl package and use setfacl. To set defaults for a directory (every new file and subdir created will have those ACLs):

# setfacl -d -m u::rwx,u:user1:rx,g::rx,g:group1:rwx,g:group2:rx,o::- directory
  • Creation user has full permissions
  • user1 has only read and execute
  • same for default group
  • group1 has read execute and write access
  • group2 read and execute
  • others have no chance in here

You should now set permissions on this directory (yes, just strip the -d option):

# setfacl -m u::rwx,u:user1:rx,g::rx,g:group1:rwx,g:group2:rx,o::- directory

NOTICE that if there are any contents in this directory, permissions MUST be explicitly set. You could use find to set up permissions correctly (remember, directories must have read and execute access for people to access/list them). For a start on that subject, find ./ -type d gives you the subdirectories in the current location, and the following will set up default permissions for each one of these:

# find ./ -type d -exec setfacl -d -m <acl> \{} \;
  • <acl> should be the desired acl
  • \{} \; is an escape sequence for find.

If you want to check the permissions inherited by created files and directories, use getfacl.

You could also use the -R|--recursive switch, but that would mess up file and directory permissions.
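Putting the answer's pieces together as a reusable script is an added example; it is not code from the question or the answer. It assumes Linux setfacl/getfacl (the acl package) on an acl-mounted filesystem as the answer describes; the directory path, group names and modes are placeholders. It builds one ACL spec for several groups, applies it with find so directories get traverse (x) access plus a matching default ACL while files get only the file mode, and can revoke the same entries again, which is the grant/revoke pair the question's two launchd jobs need. DRY_RUN defaults to 1 so the script only prints the commands it would run.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes Linux setfacl/getfacl
# on an acl-mounted filesystem; /srv/shared, group1, group2 are placeholders.
: "${DRY_RUN:=1}"   # set DRY_RUN=0 to actually run the setfacl commands

# acl_spec MODE GROUP...  -> "g:GROUP1:MODE,g:GROUP2:MODE"
# MODE is any subset of rwx, or "-" for no access.
acl_spec() {
  mode=$1; shift
  case $mode in
    ''|*[!rwx-]*) echo "acl_spec: bad mode '$mode'" >&2; return 1 ;;
  esac
  spec=""
  for g in "$@"; do
    spec="${spec:+$spec,}g:$g:$mode"
  done
  printf '%s\n' "$spec"
}

# default_spec SPEC -> SPEC plus a "d:" (default ACL) copy of every entry,
# so files and subdirectories created later inherit the same access.
default_spec() {
  printf '%s,%s\n' "$1" "$(printf '%s' "$1" | sed 's/^/d:/; s/,/,d:/g')"
}

# run CMD... : print the command when DRY_RUN=1, otherwise execute it.
run() {
  if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# grant_tree DIR DIR_MODE FILE_MODE GROUP...
# Directories must carry x to be listed/traversed, so they get DIR_MODE
# (e.g. rwx) and the same entries as a default ACL; files get FILE_MODE only.
# "{} +" batches many paths into one setfacl call instead of one per path.
grant_tree() {
  dir=$1; dmode=$2; fmode=$3; shift 3
  base=$(acl_spec "$dmode" "$@") || return 1
  dspec=$(default_spec "$base")
  fspec=$(acl_spec "$fmode" "$@") || return 1
  run find "$dir" -type d -exec setfacl -m "$dspec" {} +
  run find "$dir" -type f -exec setfacl -m "$fspec" {} +
}

# revoke_tree DIR GROUP... : remove those groups' entries again (access and
# default ACL on directories; files have no default ACL, so only access).
revoke_tree() {
  dir=$1; shift
  xd=""; xf=""
  for g in "$@"; do
    xd="${xd:+$xd,}g:$g,d:g:$g"
    xf="${xf:+$xf,}g:$g"
  done
  run find "$dir" -type d -exec setfacl -x "$xd" {} +
  run find "$dir" -type f -exec setfacl -x "$xf" {} +
}

# Demo with placeholder values: group1 and group2 get rwx on directories
# and read on files; the revoke call undoes exactly those entries.
grant_tree /srv/shared rwx r group1 group2
revoke_tree /srv/shared group1 group2
```

After a real run (DRY_RUN=0), `getfacl /srv/shared` should show both the `group:group1:rwx` entries and their `default:group:...` twins on the directory; the owner, owning group and mode bits are untouched, which is what makes this safer than the question's chmod -R 777 / 000 pair.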