System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

assign multiple groups to a folder :(

SOLVED
Go to solution
iinfi1
Super Advisor

assign multiple groups to a folder :(

hi all

is it possible to assign multiple groups to a folder?

eg i have a folder /shared
i want the folder to be accessible by users from groups g1,g2,g3.

i can add a user to multiple groups but cannot assign a file/folder to multiple groups.
case:
i am in the process of creating a linux server which is joined to windows AD domain.
windows desktop users who are authenticated with the windows AD are directed to shared folders on the linux file server.
i have say, share1 share2 share3 mapped to IT, Finance, Sales depts.

so in case i need to share the folder share2 with heads of IT and Finance and other members of the management, then its better off to add the head of IT and Finance to the folder group and add the group containing the members of the management to the folder group.
hope i am making it clear.
any clues?
13 REPLIES
Ivan Ferreira
Honored Contributor
Solution

Re: assign multiple groups to a folder :(

You should try to keep access rights by using just group membership and default group permissions for the folder.

If you cannot accomplish what you desire with this, then you must use ACLs. Check the setfacl/getfacl commands.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Steven E. Protter
Exalted Contributor

Re: assign multiple groups to a folder :(

Shalom,

ACL is the way to go.


http://www.suse.de/~agruen/acl/chapter/fs_acl-en.pdf

http://www.vanemery.com/Linux/ACL/linux-acl.html

I'm not a big fan of ACL, but this is how it should work.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
iinfi1
Super Advisor

Re: assign multiple groups to a folder :(

thank you ivan and steven.
i will check how ACLs work here in my case.

you said "i am not a fan of ACLs"
is it because management becomes difficult with ACLs?

if i get you both right, you mean i sud use file and group permissions and only in cases where it doesnt fulfill my requirement, i sud use ACLs. am i right?
Ivan Ferreira
Honored Contributor

Re: assign multiple groups to a folder :(

>>> is it because management becomes difficult with ACLs?

Yes, first of all, you cannot identify which permissions are in effect without checking with getfacl. You mus ensure that your backup tool supports ACLs saving and restoring. When you copy/move/restore a file, you mus ensure that ACLs are retained.

Also, you must take special care with defaults ACLs for new files.

>>> if i get you both right, you mean i sud use file and group permissions and only in cases where it doesnt fulfill my requirement, i sud use ACLs. am i right?

That is just my opinion and may be different for others.

The question is, why IT, Finance and Sales should share the same folder with full control each one? I mean, it's logical for the finances folder to give full access to finance group, but sales group should not have full access.

In that case, if you need a "shared" directory, create a new one, with a group "shared" as the owner, and users members of finance;shared or sales:shared.

They will have their own folder (secure) and a shared folder.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
dirk dierickx
Honored Contributor

Re: assign multiple groups to a folder :(

you need to reverse your logic and your problem is solved.

create a new group, add all required users to this group, make this new group owner of the mentioned directory. problem solved.


you could fiddle around with acl's as well (as mentioned in previous posts), but i prefer not to use those until really hard and specific right management comes into place (which is hardly the case).
iinfi1
Super Advisor

Re: assign multiple groups to a folder :(

thank you all :)
iinfi1
Super Advisor

Re: assign multiple groups to a folder :(

i know this is an old thread which i am bumping. apologies if its against forum rules.
now, i have a client for whom i feel i will definitely need to use ACLs.
i am creating a RHEL file server with windows workstation users authenticating from windows AD. i have joined RHEL box with AD (samba+winbind) and mapping drives for users from windows logon scripts.
they have about 300-500 users forming different groups.
Among these groups they have users who will have r-x on certain folders. Certain users who will have rwx on the same set of folders.
the above i feel is not possible to achieve without ACLs. Correct me if i am wrong.

>> does linux have any good GUI to actually assign these ACLs for users?
The client doesnt have a linux person at his place. i can do the configuring all right with setfacl and check with getfacl, but the client finds it messy.

>> any good backup software which supports backup and restore with ACLs??

any comments welcome
thank you..
iinfi1
Super Advisor

Re: assign multiple groups to a folder :(

i installed KDE where i could set ACLs on the fileserver using the GUI itself.
so that should solve the problem for the time being.

Meanwhile i found a limitation, or more so i am not sure if thats the way ACLs work.

i have a group gr1
i have users in the group u1,u2,u3

Using ACLs, for a folder /shares/it I assign rwx to u1
and --- to gr1.
it still allows u1 rwx access to the folder. my feeling is since gr1 has been restricted access to the folder the restrict access should take precedence over allow access to u1.
could someone please clarify?
Steven Schweda
Honored Contributor

Re: assign multiple groups to a folder :(

> [...] precedence [...]

ACL = Access Control _List_. What is the
_order_ of the access control entries in the
list? (Which one _precedes_ the other?)

What happens if you change the order?

As usual, showing actual commands with their
actual output can be more helpful than vague
descriptions.
iinfi1
Super Advisor

Re: assign multiple groups to a folder :(

[root@fs ~]# getfacl /shares/it/
getfacl: Removing leading '/' from absolute path names
# file: shares/it
# owner: itadmin
# group: it
user::rwx
user:u1:rwx
user:u2:rwx
user:u3:rwx
user:u5:rwx
user:u6:rwx
group::r-x
group:gr1:---
mask::rwx
other::---

i use setfacl and getfacl to set ACLs
here in the above case i have users u5 and u6 in the group gr1.
as gr1 has no privileges to the folder u5 and u6 also should not have any privileges.
but whn i log in as u5 or u6 i have full rights on the folder.
restrict privileges does not take precedence over the other privileges. :(
Ivan Ferreira
Honored Contributor

Re: assign multiple groups to a folder :(

In linux, normally the permissions are evaluated starting with user permissions, then no other permissions evaluated, then group permissions, the no permissions, and the other permissions. If you follow that rules for ACLs, then if it's granted to the user, the access will be allowed.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
iinfi1
Super Advisor

Re: assign multiple groups to a folder :(

ohhhhhhkkk...
thank you ivan ... thanks a lot
iinfi1
Super Advisor

Re: assign multiple groups to a folder :(

lastly, if the backup software doesnt support ACLs, is it advisable to take a backup of the ACLs in a file and backup that also.
so that if the linux file server crashes we can restore the files from the tape and with the ACL backup, restore the permissions?

getfacl -R /shares/it >> file.txt

and while restoring
setfacl --restore=file.txt