System Administration
cancel
Showing results for 
Search instead for 
Did you mean: 

assign multiple groups to a folder :(

 
SOLVED
Go to solution
Highlighted
Super Advisor

assign multiple groups to a folder :(

hi all

is it possible to assign multiple groups to a folder?

eg i have a folder /shared
i want the folder to be accessible by users from groups g1,g2,g3.

i can add a user to multiple groups but cannot assign a file/folder to multiple groups.
case:
i am in the process of creating a linux server which is joined to windows AD domain.
windows desktop users who are authenticated with the windows AD are directed to shared folders on the linux file server.
i have say, share1 share2 share3 mapped to IT, Finance, Sales depts.

so in case i need to share the folder share2 with heads of IT and Finance and other members of the management, then its better off to add the head of IT and Finance to the folder group and add the group containing the members of the management to the folder group.
hope i am making it clear.
any clues?
13 REPLIES 13
Highlighted
Honored Contributor
Solution

Re: assign multiple groups to a folder :(

You should try to keep access rights by using just group membership and default group permissions for the folder.

If you cannot accomplish what you desire with this, then you must use ACLs. Check the setfacl/getfacl commands.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Highlighted
Exalted Contributor

Re: assign multiple groups to a folder :(

Shalom,

ACL is the way to go.


http://www.suse.de/~agruen/acl/chapter/fs_acl-en.pdf

http://www.vanemery.com/Linux/ACL/linux-acl.html

I'm not a big fan of ACL, but this is how it should work.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Highlighted
Super Advisor

Re: assign multiple groups to a folder :(

thank you ivan and steven.
i will check how ACLs work here in my case.

you said "i am not a fan of ACLs"
is it because management becomes difficult with ACLs?

if i get you both right, you mean i sud use file and group permissions and only in cases where it doesnt fulfill my requirement, i sud use ACLs. am i right?
Highlighted
Honored Contributor

Re: assign multiple groups to a folder :(

>>> is it because management becomes difficult with ACLs?

Yes, first of all, you cannot identify which permissions are in effect without checking with getfacl. You mus ensure that your backup tool supports ACLs saving and restoring. When you copy/move/restore a file, you mus ensure that ACLs are retained.

Also, you must take special care with defaults ACLs for new files.

>>> if i get you both right, you mean i sud use file and group permissions and only in cases where it doesnt fulfill my requirement, i sud use ACLs. am i right?

That is just my opinion and may be different for others.

The question is, why IT, Finance and Sales should share the same folder with full control each one? I mean, it's logical for the finances folder to give full access to finance group, but sales group should not have full access.

In that case, if you need a "shared" directory, create a new one, with a group "shared" as the owner, and users members of finance;shared or sales:shared.

They will have their own folder (secure) and a shared folder.
Por que hacerlo dificil si es posible hacerlo facil? - Why do it the hard way, when you can do it the easy way?
Highlighted
Honored Contributor

Re: assign multiple groups to a folder :(

you need to reverse your logic and your problem is solved.

create a new group, add all required users to this group, make this new group owner of the mentioned directory. problem solved.


you could fiddle around with acl's as well (as mentioned in previous posts), but i prefer not to use those until really hard and specific right management comes into place (which is hardly the case).
Highlighted
Super Advisor

Re: assign multiple groups to a folder :(

thank you all :)
Highlighted
Super Advisor

Re: assign multiple groups to a folder :(

i know this is an old thread which i am bumping. apologies if its against forum rules.
now, i have a client for whom i feel i will definitely need to use ACLs.
i am creating a RHEL file server with windows workstation users authenticating from windows AD. i have joined RHEL box with AD (samba+winbind) and mapping drives for users from windows logon scripts.
they have about 300-500 users forming different groups.
Among these groups they have users who will have r-x on certain folders. Certain users who will have rwx on the same set of folders.
the above i feel is not possible to achieve without ACLs. Correct me if i am wrong.

>> does linux have any good GUI to actually assign these ACLs for users?
The client doesnt have a linux person at his place. i can do the configuring all right with setfacl and check with getfacl, but the client finds it messy.

>> any good backup software which supports backup and restore with ACLs??

any comments welcome
thank you..
Highlighted
Super Advisor

Re: assign multiple groups to a folder :(

i installed KDE where i could set ACLs on the fileserver using the GUI itself.
so that should solve the problem for the time being.

Meanwhile i found a limitation, or more so i am not sure if thats the way ACLs work.

i have a group gr1
i have users in the group u1,u2,u3

Using ACLs, for a folder /shares/it I assign rwx to u1
and --- to gr1.
it still allows u1 rwx access to the folder. my feeling is since gr1 has been restricted access to the folder the restrict access should take precedence over allow access to u1.
could someone please clarify?
Highlighted
Honored Contributor

Re: assign multiple groups to a folder :(

> [...] precedence [...]

ACL = Access Control _List_. What is the
_order_ of the access control entries in the
list? (Which one _precedes_ the other?)

What happens if you change the order?

As usual, showing actual commands with their
actual output can be more helpful than vague
descriptions.