1

I have the following directory structure:

+ public/
|-+ pics/
| |-- a
| `-- b
`-+ thumbs/
  |-- a
  `-- b

I would like all the files in the tree to be owned by gallery:http with ug=rwX,o= mode set.

The script which happens to create directories within pics and thumbs runs as the gallery user. I set SUID/SGID bits on public, pics and thumbs.

Now the problem is that the a directory will get created with owners gallery:http as it should, but it won't have the x permission for the group. If I call chmod, I'll clear the SGID bit. (Strange behavior, but that will really happen, likely because http is not the user-owner of the file.)

I can't call chown as non-root user to set mode first and then the owners.

The only solution seems to be to set umask to ug=rwx,o=, create all the directories and then either change the umask before I create any regular file, or create the regular files and then change their mode to ug=rw,o=.

Is there a better, less ugly solution which I don't see?

David
  • 268
  • 2
  • 9
  • "If I call chown, I'll clear the SGID bit" You probably meant `chmod`. But that does not make any sense. A file or directory has the UID of the creating process as owner. So if you create a directory then you can set SGID afterwards on it. – Hauke Laging Aug 23 '17 at 20:19
  • What is your `umask` setting? – Andrew Henle Aug 23 '17 at 21:13

2 Answers2

2

If you can change the script it might be the easiest solution to change the mkdir calls to mkdir --mode=770.

If you cannot change the script then ACLs might help:

setfacl -m d:u::rwx,d:g::rwx,o::- pics thumbs

umask does not set executable permission on files. It never sets any permissions; it just prevents permissions from being set on file creation.

Hauke Laging
  • 88,146
  • 18
  • 125
  • 174
1

You have a few options:

  • chmod g+x a
  • change the umask
  • use access control lists.

Yes you can set bits without clearing other bits. See first option. But to make it more automated, then do one of the following:

  • Set umask to rwxr-x---, and have each user have a private default group (their primary group only belongs to them).
  • Use access control lists: with these you can not only set permissions for multiple groups and users, you can also set defaults for directories (much like sgid, however not just the group, but also the mode). see setfacl, getfacl. see also What are the different ways to set file permissions etc on gnu/linux
ctrl-alt-delor
  • 27,473
  • 9
  • 58
  • 102