19

I don't want the shared folder to be accessible by anyone on the system; I want it to be accessible just to a restricted set of users.

How do I do that?

Emanuele

1 Answer

33

Taken from this excellent post on Ubuntu Forums by Morbius1.

The classic Linux way of doing this sort of thing goes something like this:

  1. Create the shared folder:

    sudo mkdir /home/Shared
    
  2. Create the new user's group:

    sudo addgroup newgroup
    
  3. Change ownership of the shared folder to the new group:

    sudo chown :newgroup /home/Shared
    
  4. Add your desired users to that group:

    sudo adduser user1 newgroup
    

Repeat for all users.

Now you have some decisions to make about what you want those users to be able to do:

  • [a] All group users can add to and delete from the folder and can read but not write to each other's files:

    sudo chmod 0770 /home/Shared
    
  • [b] Same as above but only the owner of the file can delete it:

    sudo chmod 1770 /home/Shared
    
  • [c] All group users can add to and delete from the folder and can read and write to each other's files:

    sudo chmod 2770 /home/Shared
    
  • [d] Same as [c] except only the owner of the file can delete it:

    sudo chmod 3770 /home/Shared
    

A 1 in the first position of the chmod command is the sticky bit which prevents deletion of a file to anyone other than the owner.

A 2 in the first position of the chmod command is the setgid bit which forces all new or copied files to have the group of that folder.

A 3 in the first position of the chmod command is the combination of the sticky (1) & setgid (+2) bits.

There is one caveat to all this as far as the setgid bit is concerned. All new files created in and any files copied to that folder will in fact inherit the group of the folder. But not files moved to that folder. Moved files retain the ownership from wherever they were moved from. One way to get past this problem is to use bindfs.

Finally, if you want others outside the group to be able to see the files but not change them, change the final 0 in the chmod command to a 5, e.g.:

    sudo chmod 0775 /home/Shared

Warren Hill
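
An added example, not part of the answer above and not code from any project: a read-only audit of a folder set up with these steps. It reports the special bits and any "other" access from the chmod step, entries whose group differs from the folder's (the moved-files caveat) and entries the group cannot write; the function names are illustrative and GNU stat and find are assumed.

```shell
#!/bin/sh
# Added example (not from the answer): read-only audit of a group-shared folder.
# Assumes GNU stat and find, as shipped on Ubuntu; function names are illustrative.

# Four-digit octal mode of a path, e.g. 2770 (stat drops leading zeros).
mode4() {
    printf '%04o' "0$(stat -c '%a' "$1")"
}

# Special bits on the folder: none, sticky, setgid or setgid+sticky.
special_bits() {
    lead=$(mode4 "$1")
    lead=${lead%???}                 # keep only the first octal digit
    case $(( lead & 3 )) in
        0) echo none ;;
        1) echo sticky ;;
        2) echo setgid ;;
        3) echo setgid+sticky ;;
    esac
}

# Print the folder's mode, then every entry that breaks the sharing scheme.
audit_shared() {
    dir=$1
    mode=$(mode4 "$dir")
    gid=$(stat -c '%g' "$dir")
    echo "mode: $mode group: $(stat -c '%G' "$dir") special: $(special_bits "$dir")"
    # Non-zero last digit: users outside the group have some access.
    if [ "${mode#???}" != 0 ]; then
        echo "others-access: ${mode#???}"
    fi
    # Entries whose group differs from the folder's, e.g. files moved in.
    find "$dir" -mindepth 1 ! -gid "$gid" -printf 'wrong-group: %p\n'
    # Entries the group cannot write, e.g. created under umask 022.
    find "$dir" -mindepth 1 ! -perm -020 -printf 'no-group-write: %p\n'
}

# Usage: sh audit.sh /home/Shared
if [ "$#" -gt 0 ]; then
    audit_shared "$1"
fi
```
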
  • Just curious, is it normal to create a Shared folder within the /home directory? Or does a better place exist to be shared among the users? Because at first glance another user (a new one) can assume that Shared is simply another user – Manuel Jordan Sep 09 '21 at 15:57
  • 2
    Depending on your system's umask value, you may have to do setfacl -d -m g::rwx /home/Shared to make sure new files and subdirectories have group write permission. – Mike Oct 06 '21 at 23:40
  • [b] The owner of the Shared directory can delete other files too. OS: fedora 36 workstation. umask 022 – christianbueno.1 Sep 11 '22 at 22:40
  • 2
    To take effect, the users must log off and log in again. – JoyfulPanda Sep 12 '22 at 14:32
  • Why does [a] forbid writing to others' files? I thought having write permission on the directory allows one to write to the files in it? – palapapa Mar 13 '23 at 05:27
  • As pointed out by @JoyfulPanda, users must log off and log in again. It should be mentioned in the answer since people (like me) might have a really frustrating and puzzling time following this (very correct, yet not complete to the fullest) answer and having things not working as expected. – Ar3s Nov 03 '23 at 10:08
  • This did not work as advertised when trying to share a folder on Ubuntu 22.04.
    The resulting folder permissions were:

        drwxrwsr-x+ 2 root newgroup 4096 Mar 27 13:06 Shared

    To fix it, I had to give write permission to "other" so that it became:

        drwxrwsrwx+ 2 root newgroup 4096 Mar 27 13:06 Shared

    Why were the group permissions alone not sufficient in this case?

    Thanks!

    – Sebastian Mar 27 '24 at 19:02