Getting new files to inherit group permissions on Linux

I am having a problem with permissions on a Linux server. I am used to BSD. When a directory is owned by a group the user who owns it isn’t in such as www-data, files created in it will be owned by that group. This is important because I want files to be readable by the webserver (which I will not run as root) but so a user can still put new files in the directory. I can’t put the users in www-data because then they can read every other users websites.

I want the webserver to read all websites, I want users to be able to change their own.

The permissions are set like this on the folders at the moment….

drwxr-x--- 3 john www-data 4096 Feb 17 21:27 john

It is standard behavior on BSD for permissions to work this way. How do I get Linux to do this?

Asked By: John Tate


It sounds like you’re describing the setgid bit functionality where when a directory that has it set, will force any new files created within it to have their group set to the same group that’s set on the parent directory.


$ whoami

$ groups
saml wheel wireshark

setup a directory with perms + ownerships

$ sudo mkdir --mode=u+rwx,g+rs,g-w,o-rwx somedir
$ sudo chown saml.apache somedir
$ ll -d somedir/
drwxr-s---. 2 saml apache 4096 Feb 17 20:10 somedir/

touch a file as saml in this dir

$ whoami

$ touch somedir/afile
$ ll somedir/afile 
-rw-rw-r--. 1 saml apache 0 Feb 17 20:11 somedir/afile

This will give you approximately what it sounds like you want. If you truly want exactly what you’ve described though, I think you’ll need to resort to Access Control Lists functionality to get that (ACLs).


If you want to get a bit more control over the permissions on the files that get created under the directory, somedir, you can add the following ACL rule to set the default permissions like so.


$ ll -d somedir
drwxr-s---. 2 saml apache 4096 Feb 17 20:46 somedir

set permissions

$ sudo setfacl -Rdm g:apache:rx somedir
$ ll -d somedir/
drwxr-s---+ 2 saml apache 4096 Feb 17 20:46 somedir/

Notice the + at the end, that means this directory has ACLs applied to it.

$ getfacl somedir
# file: somedir
# owner: saml
# group: apache
# flags: -s-


$ touch somedir/afile
$ ll somedir/afile 
-rw-r-----+ 1 saml apache 0 Feb 17 21:27 somedir/afile

$ getfacl somedir/afile
# file: somedir/afile
# owner: saml
# group: apache
group::r-x              #effective:r--
group:apache:r-x        #effective:r--

Notice with the default permissions (setfacl -Rdm) set so that the permissions are (r-x) by default (g:apache:rx). This forces any new files to only have their r bit enabled.

Answered By: slm

As a complement to slm’s answer, note that, on an ext2/3/4 filesystem, you can replicate the BSD behavior you describe by using the bsdgroups mount option on the partition. From the mount(1) man page :

grpid|bsdgroups and nogrpid|sysvgroups
              These options define what group id a newly  created  file  gets.
              When  grpid  is  set,  it takes the group id of the directory in
              which it is created; otherwise (the default) it takes the  fsgid
              of  the current process, unless the directory has the setgid bit
              set, in which case it takes the gid from the  parent  directory,
              and also gets the setgid bit set if it is a directory itself.
Answered By: user60039

TL:DR; to make new files inherit the group of the container folder do:

$ chmod g+s somefolder

Note: its implied in the accepted answer, this is just a snippet.

Answered By: alo Malbarez
Categories: Answers Tags: , ,
Answers are sorted by their score. The answer accepted by the question owner as the best is marked with
at the top-right corner.