Yesterday we published an article explaining how to set a default group when creating, uploading, or adding new files in Linux. In this post, we'll expand on that topic by learning how to do the same for permissions.
The Issue
The problem we want to fix is very similar to the one related to the default group: every time you upload new files to a folder (such as /var/www) that has specific group access (such as www-data) using your favorite SSH or FTP(s) client, those files are created with a default permission set (typically read-only) instead of the read, write and/or execute permissions we want.
The Fix
To set a default permission set we can use setfacl, a built-in command that can be used in most Linux distributions to set file access control lists.
Here's how we can use setfacl to set the permission set of the existing group owner (such as www-data) on the /var/www folder itself:
    setfacl -m g::rwX /var/www
and here's how we can use setfacl to set a default permission set for the same folder:
    setfacl -d -m g::rwX /var/www
Once we do that, all existing and new files created in the /var/www directory will be automatically given the rwX (read, write, and execute for directories only) permission set for the www-data group. If we execute both of the above commands, we can effectively set up a permissions policy for that folder (and all the subfolders).
However, it's worth noting that the above commands only change the behavior of the root /var/www folder - not the sub-folders that already exist within it. If we want to apply the same behavior to the whole directory tree - the /var/www folder and all subfolders - we need to take a recursive approach using the -R switch in the following way:
    setfacl -R -m g::rwX /var/www
    setfacl -R -d -m g::rwX /var/www
That's it.
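The behaviour described above can be checked on a scratch directory. The following script is an added example, not part of the original article: it applies the two non-recursive commands to a temporary folder and checks that new files and new subfolders get the group permissions even under a restrictive umask, while a subfolder that existed beforehand is not covered. The function names group_bits and check_default_acl and the file names are assumptions.

```bash
#!/bin/bash
# Added example: names below are illustrative, not from the article.

# Prints the group permission bits (e.g. "rw-") of a path.
group_bits() { stat -c %A "$1" | cut -c5-7; }

# Returns 0 if the ACL behaviour matches the article, 1 if it does not,
# 2 if setfacl or filesystem ACL support is unavailable here.
check_default_acl() {
    command -v setfacl >/dev/null 2>&1 || return 2
    local root old_umask rc=0
    root=$(mktemp -d) || return 2
    old_umask=$(umask)
    mkdir "$root/existing"             # subfolder created BEFORE the ACL is set
    chmod 750 "$root" "$root/existing"

    # The two non-recursive commands from the article, on the scratch folder.
    if ! setfacl -m g::rwX "$root" 2>/dev/null ||
       ! setfacl -d -m g::rwX "$root" 2>/dev/null; then
        rm -rf "$root"; return 2
    fi

    umask 077                          # restrictive umask: no group access
    touch "$root/new.txt"              # new file in the folder
    mkdir "$root/newdir"               # new subfolder inherits the default ACL
    touch "$root/newdir/deep.txt"
    touch "$root/existing/late.txt"    # new file in the pre-existing subfolder
    umask "$old_umask"

    [ "$(group_bits "$root")" = "rwx" ]                   || rc=1
    [ "$(group_bits "$root/new.txt")" = "rw-" ]           || rc=1
    [ "$(group_bits "$root/newdir")" = "rwx" ]            || rc=1
    [ "$(group_bits "$root/newdir/deep.txt")" = "rw-" ]   || rc=1
    # Without -R the existing subfolder has no default ACL, so umask wins.
    [ "$(group_bits "$root/existing/late.txt")" = "---" ] || rc=1

    rm -rf "$root"
    return "$rc"
}

status=0
check_default_acl || status=$?
case $status in
    0) echo "default ACL applied to new files; existing subfolder untouched" ;;
    2) echo "setfacl or ACL support not available, check skipped" ;;
    *) echo "unexpected permissions" ;;
esac
```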
Using a script
If you have a lot of folders (or servers) which you want to apply this fix to, you might want to perform this task with the help of a bash script.
Here's the set_default_group.sh script we are using on our web servers, which combines the script that we have seen in our previous post with these new commands:
    #!/bin/bash
    #
    # This script configures a given folder (and all subfolders) permissions so that each file/folder created there will have the given group by default.
    # ref: https://www.ryadel.com/en/linux-set-default-group-creating-new-files-ftp-ssh-ubuntu/
    #
    # execute it with the following command:
    # bash set_default_group.sh /var/www www-data
    #

    # Stop if an argument is missing: with an empty folder, find would work on the current directory
    if [ $# -ne 2 ]; then echo "usage: $0 <folder> <group>" >&2; exit 1; fi

    FOLDER=$1 # <-- root folder
    GROUP=$2  # <-- group

    # Sets ${GROUP} as group owner of every folder and makes new files inherit it (setgid)
    find "${FOLDER}" -type d -exec chgrp "${GROUP}" {} +
    find "${FOLDER}" -type d -exec chmod g+s {} +

    # Gives ${GROUP} rwX permissions for existing files and folders, recursively
    setfacl -R -m g::rwX "${FOLDER}"

    # Gives ${GROUP} rwX permissions by default, recursively.
    setfacl -R -d -m g::rwX "${FOLDER}"
Feel free to use it!
Conclusions
We hope that this small piece of advice will help other system administrators to enforce a default permission set for their folders.