How to give read-only permission for specific user for specific folder in RedHat

digitalbiopharm · 12-24-2013, 07:57 AM

Question is about user permissions in RedHat. How to give read-only permission to specific user just to read a specific folder and its sub-folders and files?

How can I do it?
I ve tried:
chmod a+r -R folder
but it doesn t work - permission is still denied.

So, the situation is, I work under root, I have:
user1
user2
I need to user2 give an opportunity to read-only folder and all files and sub-folders of user1.
How can I do that?
I ve tried:
chmod user2 r -R user1

and it doesn t wotk either.
It still has permission as denied.

suicidaleggroll · 12-24-2013, 09:45 AM

The easiest way is probably to add user2 to user1's group, and then remove group write access from all of user1's files and directories.

Remember, in order to go into a directory and view its contents, you need both read and execute permission on the directory.

digitalbiopharm · 12-24-2013, 09:51 AM

Then user2 will have the same rights as user1, which I don t want. User2 should not be able to do anything with files in user1 folders, only to read.
I also can give ALL other users than user1, permission to read.
How to do that?

jamison20000e · 12-24-2013, 09:58 AM

Hi. What RH version and DE? Many times you can right click on a folder and go to a permission tab with check boxes... best wishes and have fun.
But, don't do this.

jamison20000e · 12-24-2013, 10:02 AM

^Sorry wrong link at first, I fixed it.^

suicidaleggroll · 12-24-2013, 10:03 AM

Quote:

Originally Posted by digitalbiopharm

Then user2 will have the same rights as user1, which I don t want.

No they won't, they'll only be able to do what you let them do with the group permissions. Presumably user1 would be the owner of the files/dirs, which has its own set of permissions.

Quote:

Originally Posted by digitalbiopharm

User2 should not be able to do anything with files in user1 folders, only to read.

Which is why I said to remove group write access from the files/dirs.

Quote:

Originally Posted by digitalbiopharm

I also can give ALL other users than user1, permission to read.
How to do that?

For that you would just grant read access for files and read/execute access for dirs for "other".

Each file and dir has an owner and a group. These do not necessarily have to be the same (and often aren't). Each file/dir also has read, write, and execute permission for three separate entities. The owner of the file has its own rwx set of permissions, any members of the same group have their own rwx set of permissions, and "everybody else" has their own rwx set of permissions.

When you use chmod, you can explicitly set the permissions for each entity separately.

Read access is a 4
Write access is a 2
Execute access is a 1

Add the access you want to get a number between 0 and 7. Then you can use chmod to set it for all entities like so:

Code:

chmod 750 file

That will give "7" (read/write/execute) permission to the owner, "5" (read/execute but not write) to any members of the same group, and "0" (no access) to everybody else.

jamison20000e · 12-24-2013, 10:13 AM

First hit: http://www.linux.org/threads/file-pe...ns-chmod.4094/

Madhu Desai · 12-24-2013, 10:55 AM

The best candidate for this is ACL. Following example is self-explanatory:

Code:

[root@server1 ~]# ls -l /home
drwx------. 2 dummy dummy  4096 Dec 24 22:04 dummy
drwx------. 2 root  root  16384 Dec 24 12:51 lost+found
drwx------. 2 user1 user1  4096 Dec 24 21:57 user1
drwx------. 2 user2 user2  4096 Dec 24 21:55 user2

[root@server1 ~]# su - user1

[user1@server1 ~]$ tree
.
├── MyProj
│   └── myfile
└── OurProj
    └── ourfile

[root@server1 ~]# mount -o remount,acl /home

[root@server1 ~]# mount | grep home
/dev/vda3 on /home type ext4 (rw,acl)

[root@server1 ~]# setfacl -m u:user2:x /home/user1
[root@server1 ~]# setfacl -R -m u:user2:r-x /home/user1/OurProj

[root@server1 ~]# getfacl /home/user1
# file: home/user1
# owner: user1
# group: user1
user::rwx
user:user2:--x
group::---
mask::--x
other::---

[root@server1 ~]# getfacl /home/user1/OurProj
# file: home/user1/OurProj
# owner: user1
# group: user1
user::rwx
user:user2:r-x
group::rwx
mask::rwx
other::r-x

[root@server1 ~]# su - dummy

[dummy@server1 ~]$ ls -l /home/user1
ls: cannot open directory /home/user1: Permission denied

[dummy@server1 ~]$ ls -l /home/user1/OurProj
ls: cannot access /home/user1/OurProj: Permission denied

[dummy@server1 ~]$ cat /home/user1/OurProj/ourfile
cat: /home/user1/OurProj/ourfile: Permission denied

[dummy@server1 ~]$ su - user2

[user2@server1 ~]$ ls -l /home/user1
ls: cannot open directory /home/user1: Permission denied

[user2@server1 ~]$ ls -l /home/user1/OurProj
-rw-rwxr--+ 1 user1 user1 20 Dec 24 21:57 ourfile

[user2@server1 ~]$ cat /home/user1/OurProj/ourfile
This is a test line

jamison20000e · 12-24-2013, 11:28 AM

@mddesai: Nice; I like that tree command unless in a largely populated directory

as far as "self-explanatory" for the

in me, somethings will need digging but in Linux I won't brake my back, awesome.

digitalbiopharm · 12-24-2013, 03:35 PM

Quote:

Originally Posted by suicidaleggroll

Read access is a 4
Write access is a 2
Execute access is a 1

Add the access you want to get a number between 0 and 7. Then you can use chmod to set it for all entities like so:

Code:

chmod 750 file

That will give "7" (read/write/execute) permission to the owner, "5" (read/execute but not write) to any members of the same group, and "0" (no access) to everybody else.

Thank you! That is almost what I was looking for.

How to do that with folder and all its contents?

chmod 750 folder -R

that way?

suicidaleggroll · 12-24-2013, 08:46 PM

Sure, but that would grant execute permissions to all of the files. I usually do it in two passes using find, first for the dirs, and then for the files

Code:

find folder -type d -exec chmod 750 "{}" \;
find folder -type f -exec chmod 640 "{}" \;

Of course you'd have to go back and add execute permission to any files that are supposed to have it.

digitalbiopharm · 12-28-2013, 03:36 AM

Protection from writing, means also that files cannot be deleted, or copied etc., right?
So, just read and executed? Then I ll just make it recursively.

digitalbiopharm · 12-28-2013, 08:33 AM

I did this under "root":

chmod 750 -R folder_name
and it is still not working, when I switch to another user.

suicidaleggroll · 12-28-2013, 09:57 AM

They can be copied, since all copying requires is reading. They just can't be deleted, edited, or overwritten without write permission. You shouldn't add execute permission to files that don't need it though.

750 permission means the file's owner can read/write/execute and any members of the file's group can read/execute. Was the other user you tested a member of the file's group?

digitalbiopharm · 12-28-2013, 01:07 PM

No, he wasn t. But I probably can try also 755? The everybody else can read and execute without being a member of the group?