Set up a shared folder
Groups in mc2
In mc2, all users belong to the group users (this is the main group with
group identifier, gid=100), plus up to two secondary groups. The name of the
first secondary group is the user name itself. The name of the other secondary
group is the user name of another user, possibly a scientific supervisor
(these groups are defined upon user creation and cannot be changed).
Groups to which a user belongs can be listed with:
[myself@hn]$ groups
users myself anotheruser
More info about a group, for instance about the secondary group myself,
can be found with:
[myself@hn]$ getent group myself
myself:x:1001:myself,anotheruser
The above tells us that the gid of group myself is 1001, and it joins users
myself and anotheruser.
ACL - Access Control Lists
Access control lists (ACLs) provide a flexible mechanism for controlling
access permissions on file systems. See more details
here.
We can use setfacl and getfacl to modify and inspect the current ACLs of files
and directories.
To show the current permissions of a file/directory:
[myself@hn]$ getfacl path/to/file.txt
# file: path/to/file.txt
# owner: myself
# group: users
user::rw-
group::r--
other::---
The above are the three base ACL entries for the user, group and other
(which cannot be removed). They can however be changed, either using
setfacl or chmod (see
here
for further details).
Additional ACLs can be attributed to files/directories. A practical syntax for setting permissions for a user (u), group (g) or other users (o) to act on an arbitrary path (directory or file) is:
[myself@hn]$ setfacl --modify user:<user>:<permissions> <path>
[myself@hn]$ setfacl --modify group:<group>:<permissions> <path>
[myself@hn]$ setfacl --modify other:<permissions> <path>
where <user> and <group> specify the user and group which will be granted permissions to <path>.
The tag default can also be prepended to an ACL entry, for instance
default:user:<user>:<permissions>, to set the permissions that new files
and directories created within a directory will inherit (default entries
only exist on directories). You can also add the
--recursive option to recursively affect all files and directories
under <path>.
The <permissions> field is a three-character sequence that indicates the
read (r), write (w), and execute (x) permissions. Dash (-) characters in the
<permissions> field are ignored. The character X stands for the execute
permission if the file is a directory or if it already has execute permission
for some user.
Sharing files and directories
Suppose you have a folder at /path/to/shared/folder which you want to
share with user someuser. More specifically, you actually want someuser
to have:
- Read and write permissions to files within that folder.
- Entry permissions to folders and execution permission to binaries.
- Preserve the above permissions for all new files/directories by setting them as defaults.
Change the current directory to the shared folder:
[myself@hn]$ cd /path/to/shared/folder
Make sure that the existing files/folders have the correct ownership and base permissions. For example, you could use the commands below:
[myself@hn]$ chown myself: .
[myself@hn]$ find . -type f -exec chmod 644 {} \;
[myself@hn]$ find . -type d -exec chmod 755 {} \;
If you are making the share from scratch, remove any pre-existing ACLs:
[myself@hn]$ setfacl --recursive --remove-all .
Grant the desired user read and write permissions, plus execute (only on directories and on files that already have the execute flag in their base permissions):
[myself@hn]$ setfacl --recursive --modify user:someuser:rwX .
Set up the default permissions so that new files and directories created in the share inherit them:
[myself@hn]$ setfacl --recursive --modify default:user:someuser:rwX .
Finish by making sure that the user someuser can reach
/path/to/shared/folder, which requires execute (traversal) permission on
every directory along the path. You may have to change permissions on your
/home/myself folder. If you share your secondary group with someuser,
you could grant it read and execute permissions on /home/myself:
[myself@hn]$ chmod 750 /home/myself
Of course, that will also grant the same permissions to anyone in that group.
Alternatively, you can set a specific ACL to give entry permission to
someuser alone:
[myself@hn]$ setfacl --modify user:someuser:r-X /home/myself
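To verify the result of the above steps without logging in as someuser, the following script is an added example (it is not part of the mc2 documentation or of the acl tools). It parses getfacl output in the format shown in the ACL section, computes the permissions a given user effectively receives under the POSIX rules (owner, then named user, then owning or named groups, then other, with the mask entry capping everything except the owner and other entries), and expands the X permission by the rule stated above. The two listings it works on are constructed: the share directory as it looks after the procedure, and a file on which chmod 640 was run after the ACL had been set. That second case is the caveat worth remembering: chmod on a file that carries an ACL rewrites the mask entry rather than the group entry, so a later chmod can silently cap what someuser was granted; after any chmod inside the share, check with getfacl or rerun the setfacl --modify step.

```python
"""Check what a user effectively gets from a getfacl listing.

Added example for this page, not part of the mc2 documentation or of the
acl package. It parses getfacl's text output, applies the POSIX ACL mask
the way the kernel does, and expands setfacl's capital X by the rule quoted
on the page, so a share can be verified before it is announced to a colleague.
"""
from dataclasses import dataclass, field

PERM_BITS = {"r": 4, "w": 2, "x": 1}


def perms_to_bits(perms):
    """'rw-' -> 6; dashes are ignored, as in setfacl's <permissions> field."""
    return sum(PERM_BITS[c] for c in perms if c in PERM_BITS)


def bits_to_perms(bits):
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


@dataclass
class Acl:
    path: str = ""
    owner: str = ""
    group: str = ""
    access: list = field(default_factory=list)   # (tag, qualifier, bits)
    default: list = field(default_factory=list)  # same, for default: entries


def parse_getfacl(text):
    """Parse one getfacl listing (header comments plus ACL entries)."""
    acl = Acl()
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):                # "# file:", "# owner:", "# group:"
            key, _, value = line[1:].partition(":")
            key, value = key.strip(), value.strip()
            if key == "file":
                acl.path = value
            elif key == "owner":
                acl.owner = value
            elif key == "group":
                acl.group = value
            continue
        line = line.split("#", 1)[0].strip()    # drop "#effective:..." annotations
        parts = line.split(":")
        target = acl.access
        if parts[0] == "default":
            target, parts = acl.default, parts[1:]
        if len(parts) != 3:
            raise ValueError(f"malformed ACL entry: {raw!r}")
        tag, qualifier, perms = parts
        target.append((tag, qualifier, perms_to_bits(perms)))
    return acl


def effective_perms(acl, user, groups):
    """Bits `user` (member of `groups`) gets, following the POSIX.1e check:
    owner -> named user -> owning group or named groups -> other.
    Only the owner entry and the other entry bypass the mask."""
    entries = {(tag, q): bits for tag, q, bits in acl.access}
    mask = entries.get(("mask", ""), 7)          # minimal ACLs carry no mask
    if user == acl.owner:
        return entries[("user", "")]
    if ("user", user) in entries:
        return entries[("user", user)] & mask
    group_bits, matched = 0, False
    for (tag, q), bits in entries.items():
        if tag != "group":
            continue
        if (q == "" and acl.group in groups) or (q != "" and q in groups):
            group_bits, matched = group_bits | bits, True
    if matched:
        return group_bits & mask
    return entries[("other", "")]


def missing_perms(acl, user, groups, wanted):
    """Letters of `wanted` (e.g. 'rw') that `user` does NOT effectively get."""
    got = effective_perms(acl, user, groups)
    want = perms_to_bits(wanted)
    return "".join(c for c, b in PERM_BITS.items() if want & b and not got & b)


def resolve_X(perms, is_dir, acl):
    """Expand setfacl's X: execute for directories, or when some existing
    access entry of the object already carries x; otherwise no execute."""
    has_x = any(bits & 1 for _, _, bits in acl.access)
    expanded = perms.replace("X", "x" if (is_dir or has_x) else "")
    return bits_to_perms(perms_to_bits(expanded))


def report(listing, user, groups, wanted):
    """One-line verdict: effective permissions and anything still missing."""
    acl = parse_getfacl(listing)
    got = bits_to_perms(effective_perms(acl, user, groups))
    lacking = missing_perms(acl, user, groups, wanted)
    verdict = "ok" if not lacking else f"MISSING {lacking}"
    return f"{acl.path}: {user} gets {got} ({verdict})"


# Constructed listings (not captured on mc2): the share directory after the
# procedure above, and a file on which someone later ran "chmod 640", which
# rewrote the mask and silently capped the named-user entry.
SHARED_DIR = """\
# file: shared
# owner: myself
# group: users
user::rwx
user:someuser:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:someuser:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
"""

CHMODDED_FILE = """\
# file: shared/notes.txt
# owner: myself
# group: users
user::rw-
user:someuser:rw-		#effective:r--
group::r--
mask::r--
other::---
"""

if __name__ == "__main__":
    print(report(SHARED_DIR, "someuser", {"users", "someuser"}, "rwx"))
    print(report(CHMODDED_FILE, "someuser", {"users", "someuser"}, "rw"))
    print(report(SHARED_DIR, "anotheruser", {"users", "anotheruser"}, "rw"))
```

Run it with the output of getfacl on each file you care about pasted into the listings, or feed it `getfacl -R` output split per "# file:" header. A user who is neither the owner nor named in the ACL and not in group users falls through to the other entry, which is why the procedure leaves other at --- for files.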