Note: This is an RHCSA 7 exam objective.
Let’s assume two users belonging to the team group, user01 and user02, who want to share a directory called shared.
Create the team group:
# groupadd -g 50000 team
Create the shared directory:
# mkdir /home/shared
Change the ownership of the directory:
# chown nobody:team /home/shared
Assign the set group ID bit (SGID) to the directory:
# chmod g+s /home/shared
Allow the members of the team group to write into the shared directory:
# chmod g+w /home/shared
Remove the permissions for all other users:
# chmod o-rwx /home/shared
Note: The last three commands can be combined into a single one; choose either of these:
# chmod g+ws,o-rwx /home/shared
# chmod 2770 /home/shared
Create the two users and assign them the team group in addition to their own group:
# useradd -G team user01
# useradd -G team user02
Note: This can be done in two steps:
# useradd user0X; usermod -aG team user0X
Check the configuration:
# su - user01
$ cd /home/shared
$ touch nothing
$ ls -l
total 0
-rw-rw-r--. 1 user01 team 0 Nov 12 09:45 nothing
Finally, if you want the team group members to be able to see each other’s files but not to delete them, type:
# chmod +t /home/shared
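A check for the finished configuration, as an added example that is not part of the original tutorial: audit_shared_dir verifies the group owner, SGID bit and permissions set above, and new_file_attrs shows how the creating user's umask decides whether other group members can write to a new file. The function names and the probe file name are assumptions, and GNU stat is required.

```shell
#!/bin/sh
# Added example (not from the original page). Needs GNU stat, as shipped on RHEL.

# audit_shared_dir DIR GROUP: exit 0 only if DIR has the expected group owner,
# the SGID bit, group rwx and no access for others.
audit_shared_dir() (
    out=$(stat -c '%a %G' "$1") || exit 2
    set -- $out "$2"              # $1=octal mode, $2=group owner, $3=expected group
    mode=$((0$1)) rc=0
    [ "$2" = "$3" ]             || { echo "FAIL: group owner is $2, expected $3"; rc=1; }
    [ $((mode & 02000)) -ne 0 ] || { echo "FAIL: SGID bit not set"; rc=1; }
    [ $((mode & 0070)) -eq 56 ] || { echo "FAIL: group lacks rwx"; rc=1; }
    [ $((mode & 0007)) -eq 0 ]  || { echo "FAIL: others have access"; rc=1; }
    [ $((mode & 01000)) -ne 0 ] || echo "NOTE: no sticky bit, members can delete each other's files"
    exit "$rc"
)

# new_file_attrs DIR UMASK: create a probe file in DIR under UMASK and print
# its "MODE GID", i.e. what the other group members will actually get.
new_file_attrs() (
    umask "$2"
    set -C                        # noclobber: never write through an existing name
    probe="$1/.probe.$$"          # hypothetical probe file name
    : > "$probe" || exit 2
    stat -c '%a %g' "$probe"
    rm -f "$probe"
)

# Demo on a constructed scratch directory (no root needed). On a real system
# run instead: audit_shared_dir /home/shared team
demo() (
    d=$(mktemp -d) || exit 2
    chmod 2770 "$d"
    audit_shared_dir "$d" "$(stat -c %G "$d")"
    echo "umask 002 -> $(new_file_attrs "$d" 002)"   # mode 664: group can write
    echo "umask 022 -> $(new_file_attrs "$d" 022)"   # mode 644: group is read-only
    rm -rf "$d"
)
if [ "${1:-}" = "demo" ]; then demo; fi
```

The SGID bit only controls which group a new file belongs to; whether that group can write to it still depends on the umask of the user who created it.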
Hi CertDepot,
When creating a group, is it necessary to create a GID 50000 like in your example? What if the exam question just asks to create a group and does not mention creating an ID for it? Thanks!
I think it is better to create a specific group ID with a big number because this is a good way to remind you that there will be no user associated with this group.
Also, if you don’t choose a big number, the group ID will follow the previous group ID created and next time you create a user, user ID and group ID will be different numbers.
Thanks CertDepot for the response! 🙂
Hey Cert Depot – Can you expound on the relationship of umask on the SGID directory?
I think when adding users, if the UID is below 199, then the umask gets set to 022, which will produce files with permissions like “-rw-r--r--” and that’s not good for sharing. When I was following your tutorial, it was a bit confusing when you did “touch nothing” and then nothing picked up permissions “-rw-rw-r--”
For folks running into that behavior, check out http://www.linuxquestions.org/questions/red-hat-31/create-and-configure-set-gid-directories-for-collaboration-864091/
and read through /etc/profile and search for “umask” that might help with some confusion.
Taking my exam tomorrow – wish me luck!
-Brugz
Sorry for the delay. I’m on holiday very far from home.
I hope you passed.
Anything that GID can do that ACLs can’t?
GID is easier to use and was created well before ACLs.
True, portability. Yes definitely simpler for permissions involving one group. But if it’ll involve more than one group I think it’s simpler to
chown root:root && chmod 0700
and start fresh with ACLs only