🌐 🇵🇱 Polski · 🇬🇧 EN
Collaboration between groups is the essence of any business and a crucial element for any administrator working with users. Knowing how to configure group collaboration is a fundamental skill that every administrator should possess. We will explore the concepts of file and directory permissions, which will enable effective group collaboration.
- setuid - This flag is used to allow access for multiple users
- setgid - This flag enables access for multiple groups
- sticky bit - This flag prevents users or groups from accidentally deleting files
For group collaboration, two key commands are used:
- chmod - Change file and directory permissions
- chown - Change file or directory ownership
The first feature is "setuid", which is set on files by the owner using the "chmod" command. This setting authorizes the owner to execute the file. For example, if you have a script that generates a company report, the only person who can run it is User01, but you can change the "setuid" setting for other users so they can also execute the given script.
Let's create a report file:
# touch reporting_script
Next, let's set setuid:
# chmod 4755 reporting_script
We can achieve the same result by using the command:
# chmod u+s reporting_script
Now let's see the permissions for the file:
# ll
total 12
-rwsr-xr-x 1 user01 user01 0 Jun 8 17:20 reporting_script.sh
You can see that the "x" flag has been set for file execution by other users, who can now also execute the script.
How do you find files in the system that have permissions set in such a way that one user allows another to use the file?
# find / -perm 4000
Next, let's move on to "setgid", which is very similar to "setuid" but is significant for groups. According to this setting, all users in a given group receive the assigned level of permissions. Let's create a directory and assign the appropriate permissions.
Step 1 - As root, we create a directory
# mkdir /tmp/Sales
Step 2 - We create a group and add users to it
# groupadd Sales
# usermod -G Sales user02
# usermod -G Sales user03
Step 3 - We grant collaboration permissions (files created in the directory will default to the Sales group)
# chown nobody:Sales Sales/
# chmod 2770 /tmp/Sales or chmod g+s /tmp/Sales
Step 4 - We verify
# ll
total 16
drwxrws—- 2 nobody Sales 4096 Jun 8 18:11 Sales
In this setup, all users in the Sales group can read and write the contents of the directory. No one other than users in the Sales group can do anything in this directory. Each file created in this directory belongs to the user who created it, but everyone in the group can read and write it.
Finally, let's look at the "sticky bit", denoted by the symbol "t" at the end of the flag symbol list, which protects against accidental deletion of a file or directory.
Step 1 - Let's set the "sticky bit" on the /tmp directory
# chmod 1777 /tmp
Step 2 - Verification
# ll
total 16
drwxrwxrwt 3 root root 4096 Jun 8 18:11 tmp
Now, no user can delete the file; only you can do that. This option helps prevent file loss if we are working in a location shared by multiple users.
Comments