Situation
The problem we want to fix is very similar to the one related to the default group: every time you upload new files to a folder (such as /var/www) that has specific group access (such as www-data) using your favorite SSH or FTP(S) client, those files are created with a default permission set (typically read-only) instead of the read, write and/or execute permissions we would like them to have.
Solution
Steps to follow
To set a default permission set we can use setfacl, a built-in command that can be used in most Linux distributions to set file access control lists.
Here's how we can use setfacl to set the permission set for the existing group owner (such as www-data) on the /var/www folder:

    setfacl -m g::rwX /var/www

and here's how we can use setfacl to make that permission set the default for new files created in the same folder:

    setfacl -d -m g::rwX /var/www

Once we do that, all existing and new files created in the /var/www directory will be automatically given the rwX (read, write, and execute for directories only) permission set for the www-data group. If we execute both of the above commands, we can effectively set up a permissions policy for that folder (and all the subfolders).
However, it's worth noting that the above commands will only change the behavior of the root /var/www folder, not the sub-folders within it. If we want to apply the same behavior to the whole directory tree (the /var/www folder and all subfolders), we need to take a recursive approach using the -R switch in the following way:

    setfacl -R -m g::rwX /var/www
    setfacl -R -d -m g::rwX /var/www

Using a script
If you have a lot of folders (or servers) which you want to apply this fix to, you might want to perform this task with the help of a bash script. Here's the set_default_group.sh script we are using on our web servers, which combines the script that we have seen in our previous post and these new commands:

    #!/bin/bash
    # This script configures a given folder (and all subfolders) so that each
    # file/folder created there will have the given group (such as www-data) by default.
    #
    # execute it with the following command:
    # bash set_default_group.sh /var/www www-data
    #
    # Refuse to run without both arguments, so find never falls back to the current directory.
    if [ "$#" -ne 2 ]; then
        echo "Usage: bash set_default_group.sh <folder> <group>" >&2
        exit 1
    fi
    FOLDER=$1 # <-- root folder
    GROUP=$2 # <-- group
    # Assigns ${GROUP} to every folder and sets the setgid bit, so that new entries inherit the group
    find "${FOLDER}" -type d -exec chgrp "${GROUP}" {} +
    find "${FOLDER}" -type d -exec chmod g+s {} +
    # Gives ${GROUP} rwX permissions for existing files and folders, recursively
    setfacl -R -m g::rwX "${FOLDER}"
    # Gives ${GROUP} rwX permissions by default, recursively.
    setfacl -R -d -m g::rwX "${FOLDER}"

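To confirm the policy took effect on every folder, the following added example (not part of the original script) reads a getfacl dump and lists the directories that are missing the setgid bit, the owning group's rwx entry, or the default group entry. The function names audit_acl_dump and sample_dump are hypothetical, and the sample dump is constructed; on a server the input would come from `find /var/www -type d -exec getfacl -p {} +`.

```shell
#!/bin/bash
# Added example: audit a getfacl dump for directories that miss the policy.
# Expected input (directories only): find /var/www -type d -exec getfacl -p {} +

audit_acl_dump() {
    awk '
        # Print one line per missing piece of the policy for the current record.
        function report() {
            if (path == "") return
            if (!sgid) print path ": setgid bit missing"
            if (!acc)  print path ": owning group lacks rwx"
            if (!dflt) print path ": no default group::rwx"
        }
        # A "# file:" header starts a new record; flush the previous one first.
        /^# file: /  { report(); path = substr($0, 9); sgid = acc = dflt = 0; next }
        # getfacl prints "# flags: -s-" only when a special bit such as setgid is set.
        /^# flags: / { if (substr($3, 2, 1) == "s") sgid = 1; next }
        # Compare the first field only, so a trailing "#effective:" note is ignored.
        $1 == "group::rwx"         { acc = 1 }
        $1 == "default:group::rwx" { dflt = 1 }
        END { report() }
    '
}

# Constructed sample dump (not captured from a real server).
sample_dump() {
    cat <<'EOF'
# file: /var/www
# owner: root
# group: www-data
# flags: -s-
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:other::r-x

# file: /var/www/uploads
# owner: deploy
# group: www-data
user::rwx
group::r-x
other::r-x

EOF
}

sample_dump | audit_acl_dump
```

An empty result means every directory in the dump carries the full policy.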