Linux - Set default permissions when creating new Files with SSH/FTP

Ryan

2 years ago

Yesterday we have published an article explaining how to set a default group when creating, uploading, or adding new files in Linux: in this post, we'll further expand on that topic by learning how we can do the same for permissions.

The Issue

The problem we want to fix is very similar to the one related to the default group: every time you upload some new files to a folder (such as var/www) that has specific group access (such as www-data) using your favorite SSH or FTP(s) client, those files are created with a default permission set (typically read-only) instead of having the read, write and/or execute permissions like we would like to.

The Fix

To set a default permission set we can use setfacl, a built-in command that can be used in most Linux distributions to set file access control lists.

Here's how we can use setfacl to set a default permission set for the existing group owner (such as www-data) for the /var/www folder:

setfacl -m g::rwX /var/www

1	setfacl -m g::rwX /var/www

and here's how we can use setfacl to set a default permission set for the same folder:

setfacl -d -m g::rwX /var/www

1	setfacl -d -m g::rwX /var/www

Once we do that, all existing and new files created in the /var/www directory will be automatically given the rwX (read, write, and execute for directories only) permission set for the www-data group. If we execute both of the above commands, we can effectively set up a permissions policy for that folder (and all the subfolders).

However, it's worth noting that the above commands will only change the behavior of the root /var/www folder - not the sub-folders within it. If we want to apply the same behavior for the whole directory tree - the /var/www folder and all subfolders - we need to execute a recursive approach using the -R switch in the following way:

setfacl -R -m g::rwX /var/www
setfacl -R -d -m g::rwX /var/www

1 2	setfacl -R -m g::rwX /var/www setfacl -R -d -m g::rwX /var/www

That's it.

Using a script

If you have a lot of folders (or servers) which you want to apply this fix to, you might want to perform this task with the help of a bash script.

Here's the set_default_group.sh script we are using in our web servers, which combines the script that we have seen in our previous post and these new commands:

#!/bin/bash
#
# This script configures a given folder (and all subfolders) permissions so that each file/folder created there will have the www-admins group by default.
# ref: https://www.ryadel.com/en/linux-set-default-group-creating-new-files-ftp-ssh-ubuntu/
#
# execute it with the following command:
# bash set_default_group.sh /var/www www-data
#
FOLDER=$1 # <-- root folder
GROUP=$2 # <-- group 

find ${ROOT} -type d -exec chgrp ${GROUP} {} +;
find ${ROOT} -type d -exec chmod g+s {} +;

# Gives ${GROUP} rwX permissions for existing files and folders, recursively
setfacl -R -m g::rwX ${ROOT}

# Gives ${GROUP} rwX permissions by default, recursively.
setfacl -R -d -m g::rwX ${ROOT}

#!/bin/bash

# This script configures a given folder (and all subfolders) permissions so that each file/folder created there will have the www-admins group by default.

# ref: https://www.ryadel.com/en/linux-set-default-group-creating-new-files-ftp-ssh-ubuntu/

# execute it with the following command:

# bash set_default_group.sh /var/www www-data

FOLDER=$1 # <-- root folder

GROUP=$2 # <-- group

find ${ROOT} -type d -exec chgrp ${GROUP} {} +;

find ${ROOT} -type d -exec chmod g+s {} +;

# Gives ${GROUP} rwX permissions for existing files and folders, recursively

setfacl -R -m g::rwX ${ROOT}

# Gives ${GROUP} rwX permissions by default, recursively.

setfacl -R -d -m g::rwX ${ROOT}

Feel free to use it!

Conclusions

We hope that this small piece of advice will help other system administrators to enforce a default permission set for their folders.

Print Friendly & PDF Download