UNIX Group Directory -- Info, Hints and Tips...
------------------------------------------------------------------------------
Read the manpages for "ls" and "chmod" for full information on UNIX groups.
It can be quite hard to puzzle it all out from that source though, which is
why I created this summary page.
------------------------------------------------------------------------------
Every file is owned by someone (who created it), belongs to a group (usually
the gid of the creator -- see note below), and has certain access permissions
for owner, group, and others.

A long listing will display this information about a file...

  :::prompt:::> ls -l
  -rw-------   1 anthony  staff   1598 Jul 29 23:20 my_file
  drwxr-xr-x  19 anthony  staff   1536 Aug 12 14:05 public_html

Access to a file or sub-directory is then determined by the permissions of
that file.
                                                      'ls' permissions
  You own the file (you created it)
      owner permissions determine access                 -rwx------
  The file's group is in your groups list
      group permissions of the file apply                ----rwx---
  You neither own the file nor belong to the file's group
      other permissions of the file apply                -------rwx

All users of the system have a "uid" (login name), "gid" (login/current
group) and membership of a "groups" list.

  The "uid" is who you are (name and number), i.e. your account login.
  The "gid" is your initial ''login group'' you normally belong to.
  The "groups" list is the file groups you can access via group permissions.

To find out about this information you can use the two commands

  id        List your user (login) name and current UNIX groups
  groups    List just the UNIX groups you belong to

When you create a new file or directory the owner is set to you and the
group to your current group (usually your ''login group'').

Group commands...

  chgrp   Change the group a file belongs to ( only owner can apply )
          This is important if you 'moved' a file into the Group directory.
          This is the command you will likely need to use.
  newgrp  Start a shell with a different UNIX group as the primary group.
          This group is then used when creating NEW files, UNLESS you are
          in a directory with the 's' flag set ('set-gid' flag), in which
          case the group of the directory itself will be used for NEW files.
          Because of that 'set-gid' flag you rarely have to use this.

  sg      Run a command with a specific UNIX group as its primary group.
          Also something that is rarely used.

Also, when you create a new file or directory the permissions are set
according to the inverse of a special value called the "umask" (see manpage).

  chmod   Change the current permission of a file (only owner may apply)
          Typical values used by the command (for group directories)...

            chmod 2700 directory   private directory - only you can use
            chmod 2770 directory   group usable directory
            chmod 2775 directory   group write, but publicly accessible (www)

            chmod 600 file         private data file
            chmod 660 file         group usable (read/write) files
            chmod 664 file         group write and publicly readable (www)

            chmod 700 command      executable script or binary (private)
            chmod 755 command      public script (CGI perl script)
            chmod 711 command      public binary (compiled code)

          This is the command you will likely need to use!

  umask   Command to view and change your current umask, which turns off
          the permissions represented when creating NEW files/dirs.
          Typical values...

            77   Only you can read/write/access/execute
            22   anyone read/access but only you can write
             7   only you and group have read/write/access
             2   you and group can write, others only read

          By default your "umask" should be set to 77 (some machines use 22)
          It is rare for a user to need to change his default umask setting.

  stat    List a file's permissions as a number (as well as other details)
          This may be better than the "ls" output of permission flags.
          More for script usage (compare permissions), rarely used by users.

Special Directory Permission flag for UNIX group shared directories....
Normally the 'login group' of the person creating the file sets the group
the new file belongs to. However a special flag can be set for a directory
so that any file created in that directory will be given the same group as
that directory.

This is the ''Set-GID'' flag on a directory, and can be set with the
command..

    chmod g+s directory

In a directory listing the group 'x' permission will then appear as an 's'
to show that the directory has this ''Set-GID'' flag set.

The 's' flag on directories is only important for shared group directories,
so that any NEW file created in the directory will have the correct group.

NOTE: This does not apply to an existing file that is 'moved' into the
directory. That is, the file was not created, just 'moved'. File groups
should be checked every so often to ensure that they do have the right
group.

------------------------------------------------------------------------------
DIY Guide to creating a UNIX Group Directory...

Get the root user (superuser) to...

  Create the UNIX group and membership
  Create the shared group directory
  Set UNIX group permissions for that top level directory

The rest you can do yourself...

Set all files and directories in that directory to belong to that group
(the -R is recursive) -- this is usually also done by the super-user.

    chgrp -R group dir

Set top level directory permissions (should be done for you)

    chmod 2775 dir

Change that 5 to a 0 to disable non-group member access.
The '2' is to set the SGID flag for directories (see chmod).

Then if you already have files in that directory you can set ALL the
files' and directories' permissions using...

Make files rw to owner and group (the 4 becomes 0 to disable world read)...

    find dir -type f -exec chmod 664 {} +

(now fix any executable file permissions)

Then for directories set rwx access for owner and group...
(Change that 5 to 0 to disable world read and access)

    find dir -type d -exec chmod 2775 {} +

The '2' is to set the SGID flag for directories (see chmod).

WARNING: Do NOT do this for files.
The SGID flag has a very different meaning for files!!!

This should be automatically done for you by the system.

If you want to set the SGID flag separately you can use...

    find dir -type d -exec chmod g+s {} +

------------------------------------------------------------------------------
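The periodic check of file groups recommended in the Set-GID note can be scripted. The following is an added example, not part of the original page; the function name audit_group_dir and its finding labels are made up here. It reports entries that kept another group (such as files 'moved' in), directories missing the set-GID flag, and regular files that carry it.

```shell
#!/bin/sh
# Added example: audit a shared UNIX group directory.
# audit_group_dir and the finding labels are hypothetical names, not a
# standard tool.
#
# Usage: audit_group_dir DIR GROUP
#   e.g. audit_group_dir /path/to/group_dir group_name   (placeholders)
# Prints one finding per line; returns 0 if clean, 1 if anything was found.
audit_group_dir() {
    dir=$1 group=$2
    findings=$(
        # Entries that do not belong to the shared group, for example an
        # existing file that was 'moved' into the directory, not created.
        find "$dir" ! -group "$group" -exec printf 'WRONG-GROUP %s\n' {} +

        # Directories without the set-GID flag: NEW files created there
        # take the creator's login group instead of the directory's group.
        find "$dir" -type d ! -perm -2000 \
            -exec printf 'NO-SGID-DIR %s\n' {} +

        # Regular files with the set-GID flag: it has a very different
        # meaning on files, typically left by a blanket "chmod 2775".
        find "$dir" -type f -perm -2000 \
            -exec printf 'SGID-FILE %s\n' {} +
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}
```

Findings are read-only reports; fix them with the chgrp and chmod commands from the guide above.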