
I have system-wide default permissions set with umask 027. I need to make a directory whose sub-directories would need 775 permissions and whose files would need 664 permissions, and make these permissions permanent after booting the system.

I am looking for the best options out there without compromising security. Any ideas?

Let me explain the situation: I have a default permission of 027 (system-wide) and I want apache2 to write to a directory (its directory) that should be 022 in order for another user (let's say... another daemon such as Flash Media Server to stream a video) to access and run it. Any good ideas? (FMS should be able to run videos from new directories made by apache2).

Thank you.

Some research done:

  1. sudo chfn -o "umask=002" daemon_username
  2. bash script running at boot with umask 022 on the desired directory
  3. add in /etc/fstab (take special care with line 2 related to bind) [TESTED and NOT WORKING]:

    IP_NFS_Volume:/nfs_mount  /local_tempmount  nfs   tcp,nolock,intr,rsize=8192,wsize=8192
    /local_tempmount          /desired_mount    none  bind,dmask=0002,fmask=0002
    

P.S. I am looking for a console command, a script (even a periodic command run from cron), but something run without X11.

edited by enzotib, asked by Cormite
  • Why do you think permissions of files/directories can change after reboot? – enzotib Nov 25 '11 at 15:47
  • Enzotib, in fact they won't change. Let me explain the situation. Let's say I have a default permission of 027 (system-wide) and I want apache2 to write to a directory (its directory) that should be 022 in order for another user (let's say... another daemon such as Flash Media Server to stream a video) to access and run it. Any good ideas? (FMS should be able to run videos from new directories made by apache2). – Cormite Nov 25 '11 at 16:11
  • In the original post there was no mention of NFS, nor of any other special filesystem. My answer was related to local filesystems supporting ACLs, like ext4. – enzotib Nov 28 '11 at 16:41
  • NOTE: If you are creating secure (or hardened) web hosting, and need secure file sharing, you should be using chroot. It was developed for precisely this purpose. See: How to chroot Ubuntu+1? http://askubuntu.com/questions/56687/how-to-chroot-ubuntu1 – david6 Nov 28 '11 at 19:38
  • @enzotib, you are correct. Sorry for the misunderstanding. However, ACL is not what I am looking for, and still your explanation (even though it is good and sufficient) is given for an X11 system with Nautilus. I am looking for a step-by-step (or at least very clear) solution from the command line. Thank you for your answer and sorry again for the misunderstanding. – Cormite Nov 28 '11 at 20:50
  • No problem, I would just like to point out that point 1 of my answer is a command-line solution, though not expanded. – enzotib Nov 28 '11 at 21:03
  • @enzotib It would be great if you could explain that command-line solution. I will be more than glad to give you those 50 bounty points in that case (you really deserve them). To be honest, I have never worked with ACL and I am doing the homework now. But I am talking about a production server and no errors are allowed. That's the reason why I am requesting such detailed information for this case. Thank you for your understanding. – Cormite Nov 29 '11 at 07:32
  • @CarlosFernándezSanMillán: I am reluctant to expand point 1, because it requires time, which I do not have just now, and it probably does not apply to NFS. – enzotib Nov 30 '11 at 08:58
  • @enzotib I understand. Thank you very much for your time. I really appreciate your answer. If no one gives a better (more detailed) answer which suits my needs consider the 50 bounty points yours for your effort. Thank you again. – Cormite Nov 30 '11 at 11:31
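As an added illustration of the arithmetic behind the 775/664 requirement in the question (example code, not part of the original post or its comments): a new directory gets 0777 & ~umask and a new file 0666 & ~umask, so 775/664 is exactly umask 002, while the system-wide 027 yields 750/640. umask is a per-process attribute inherited from the parent, which is why a single daemon can run with a different umask than the rest of the system. The script assumes GNU `stat` (as shipped on Ubuntu) and creates its scratch files under `mktemp -d`.

```shell
#!/bin/sh
# Added example: shows how the process umask determines the mode of new
# directories and files. Assumes GNU coreutils (stat -c, mktemp -d).

# mode_of PATH: print the octal permission bits of PATH, e.g. "775".
mode_of() {
    stat -c '%a' "$1"
}

# expected_mode BASE UMASK: the arithmetic the kernel applies on create,
# BASE & ~UMASK, with both arguments read as octal (0 prefix) and printed as octal.
expected_mode() {
    printf '%o\n' $(( 0$1 & ~0$2 ))
}

# create_with_umask UMASK: create a directory and a file in a scratch area while
# running under UMASK (inside a subshell, so the caller's own umask is untouched)
# and print "<dir mode> <file mode>".
create_with_umask() {
    scratch=$(mktemp -d)
    (
        umask "$1"
        mkdir "$scratch/subdir"          # requested mode 0777
        : > "$scratch/subdir/file"       # requested mode 0666
    )
    printf '%s %s\n' "$(mode_of "$scratch/subdir")" "$(mode_of "$scratch/subdir/file")"
    rm -rf "$scratch"
}

# Compare the arithmetic with what the filesystem actually produced.
for um in 002 027; do
    echo "umask $um: expected $(expected_mode 777 $um)/$(expected_mode 666 $um), got $(create_with_umask $um)"
done
```

Running it under a system-wide 027 still yields 775/664 for the `umask 002` case, because the umask change happens in the subshell only; the same holds for a daemon started with its own umask.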

1 Answer


You could try to use POSIX ACLs (access control lists), which allow you to set ad hoc permissions for additional users and groups (other than the owner user and owner group), and furthermore allow you to set default permissions for new objects created in a directory.

To this end you could use at least two alternatives:

  1. the package acl for command line tools (getfacl, setfacl, chacl),

  2. the package eiciel that provides both a GUI interface and the possibility to change ACLs directly from Nautilus (right click on an object, then Properties, then Access Control List tab).

    It also provides some brief but meaningful help pages.

answered by enzotib
  • This could help. I do not run the server with any kind of X11 so using Nautilus or any other GUI file manager would not help. In fact, I could not even forward X11 through an SSH tunnel since it is not allowed. I guess ACL could be an answer although this is the only case I would really need it in the whole system. Don't you think there should be a more straightforward solution? Thank you very much for your great support. – Cormite Nov 25 '11 at 17:01
  • @CarlosFernándezSanMillán: so the command line tools are the way to go. I think it is the cleaner solution, only apparently difficult. – enzotib Nov 25 '11 at 17:34
  • It is the cleaner ... you are right. Again you are right about difficulty ;) – Cormite Nov 25 '11 at 18:05
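The command-line form of the ACL approach (point 1 of the answer), as an added example that is not enzotib's code: the share that apache2 writes into gets an access ACL and a default ACL for the reading daemon's group, so every directory and file created beneath it inherits read (and, for directories, search) rights for that one group while "other" stays closed, instead of opening the tree to everyone with umask 022. Once a directory carries a default ACL, the writer's umask no longer decides the group/other bits of new objects: the creating mode (0777 for `mkdir`, 0666 for a new file) is intersected with the default ACL instead, which is why a daemon stuck at umask 027 can still produce readable files. The group ID `65432` and the path names are constructed placeholders; the check a practitioner wants is getfacl's `#effective:` column, which shows what the mask actually leaves the group. As enzotib notes in the comments, this applies to local ACL-capable filesystems such as ext4 and is not a solution for the NFS/bind setup in the question; the script reports `unsupported` where setfacl cannot store an extended ACL.

```shell
#!/bin/sh
# Added example (not from the answer): default POSIX ACLs from the command line
# using the acl package tools setfacl and getfacl.

# Group ID of the reading daemon. Constructed placeholder: on a real system use
# that daemon's group name, e.g. the one shown by `id <daemon_user>`.
READER_GID=${READER_GID:-65432}

# acl_supported DIR GID: return 0 when the filesystem holding DIR accepts
# extended ACLs. A named-group entry is used as the probe because setfacl can
# fall back to chmod for a trivial (owner/group/other only) ACL.
acl_supported() {
    command -v setfacl >/dev/null 2>&1 && command -v getfacl >/dev/null 2>&1 || return 1
    probe=$(mktemp "$1/probe.XXXXXX") || return 1
    setfacl -m "g:$2:r" "$probe" >/dev/null 2>&1
    rc=$?
    rm -f "$probe"
    return "$rc"
}

# grant_default_acl DIR GID: give group GID read+search on DIR itself and make
# that the default for everything created beneath it. "o::---" keeps "other"
# closed; the creating mode (0666 for files) strips execute from new files.
grant_default_acl() {
    setfacl -m "g:$2:rx" "$1" &&
    setfacl -d -m "u::rwx,g::rx,g:$2:rx,o::---" "$1"
}

# effective_group_perms PATH GID: print the rights group GID actually has on
# PATH once the ACL mask is applied (getfacl's "#effective:" column), e.g. "r--".
effective_group_perms() {
    getfacl -pcen "$1" 2>/dev/null |
        sed -n "s/^group:$2:[rwx-]*[[:space:]]*#effective:\([rwx-]*\).*/\1/p"
}

# demo_share: build the scenario in a scratch directory, create a sub-directory
# and a file in it under umask 027 as the writer (apache2) would, and print the
# reader group's effective rights on each ("r-x r--"), or "unsupported" when the
# tools or the filesystem cannot store extended ACLs.
demo_share() {
    share=$(mktemp -d)
    if ! acl_supported "$share" "$READER_GID"; then
        rm -rf "$share"
        echo unsupported
        return 0
    fi
    grant_default_acl "$share" "$READER_GID" || { rm -rf "$share"; return 1; }
    (
        umask 027                        # the writer's restrictive umask; the
        mkdir "$share/videos"            # default ACL and the creating mode
        : > "$share/videos/clip.mp4"     # (0777/0666) decide the bits here
    )
    printf '%s %s\n' \
        "$(effective_group_perms "$share/videos" "$READER_GID")" \
        "$(effective_group_perms "$share/videos/clip.mp4" "$READER_GID")"
    rm -rf "$share"
}

demo_share
```

The directory comes out with `r-x` for the reader group (the daemon can enter it) and the file with `r--` (it can read the video but not execute it), while `other` has nothing on either. To inspect a real share afterwards, `getfacl -e <path>` prints the same `#effective:` column the script parses.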