How to set up group-specific folders in Linux
I’m trying to create a segregated workspace for multiple groups; each group member should only be able to read, write and view their associated shared folder.
I’ve created two user groups, groupATeam and groupBTeam, to handle the permissions of users. I’ve also assigned the group permissions to the relevant project folders, groupA and groupB.
#Check project folder permissions
admin@computer:/folder/data$ ls -al /folder/data | grep groupA
drwsrws--x 2 root groupATeam 4096 Jun 24 11:56 groupA
admin@computer:/folder/data$ ls -al /folder/data | grep groupB
drwsrws--- 2 root groupBTeam 4096 Jun 24 11:38 groupB
For the admin user who is in both groups, I can access both folders and subsequently read and write without issue.
#Check groups
admin@computer:/folder/data$ getent group groupATeam
groupATeam:x:1009:worker_3,worker_4,admin
admin@computer:/folder/data$ getent group groupBTeam
groupBTeam:x:1008:worker_1,worker_2,admin
#Check admin can access and write to groupA folder
admin@computer:/folder/data$ cd groupA/
admin@computer:/folder/data/groupA$ ls
test_file.txt
admin@computer:/folder/data/groupA$ cd ..
#Check admin can access groupB folder
admin@computer:/folder/data$ cd groupB/
admin@computer:/folder/data/groupB$ ls
test_file.txt
People in the groupA team also seem to have the correct permissions, being able to access, read and write to their folder but not groupB's folder.
# Worker 3 is part of groupA team and therefore should only be able to interact with groupA folder but not groupB
worker_3@computer:~$ cd /folder/data/groupA/
worker_3@computer:/folder/data/groupA$ touch test_file101.txt
worker_3@computer:/folder/data/groupA$ ls
test_file.txt test_file101.txt
worker_3@computer:/folder/data/groupA$ vim test_file.txt
#Check non-group member can access restricted groupB folder
worker_3@computer:~$ cd /folder/data/groupB/
bash: cd: /folder/data/groupB/: Permission denied
# This is the correct behaviour I'm looking for
The issue seems to be with users of the groupBTeam.
# Worker 1 is part of groupB team and therefore should only be able to interact with groupB folder but not groupA
worker_1@computer:/folder/data$ cd groupB/
worker_1@computer:/folder/data/groupB$ ls
test_file.txt
worker_1@computer:/folder/data/groupB$ touch test_file101.txt
worker_1@computer:/folder/data/groupB$ ls
test_file.txt test_file101.txt
worker_1@computer:~$ cd /folder/data/groupA/ #This shouldn't work
worker_1@computer:/folder/data/groupA$ ls
ls: cannot open directory '.': Permission denied
worker_1@computer:/folder/data/groupA$ cd ..
# Incorrect behavior: I can access the groupA folder even though worker_1 isn't part of this group
Members of groupBTeam can access the groupA folder, which isn't the desired behavior.
Can anyone explain why I’m not getting the expected behaviour and how I can rectify it?
For reference, I followed these steps to set up the groups and folder permissions: https://www.tutorialspoint.com/how-to-create-a-shared-directory-for-all-users-in-linux
You have the execute bit set for others on the groupA directory:
drwsrws--x 2 root groupATeam 4096 Jun 24 11:56 groupA
That allows everyone to traverse the directory regardless of group membership. If you’ll notice, there are no bits set for others on the groupB directory, which is why members of groupATeam can’t access it:
drwsrws--- 2 root groupBTeam 4096 Jun 24 11:38 groupB
To get what you want, remove the execute bit from the groupA directory with either of the following commands:
chmod 2770 /path/to/groupA
chmod o-x /path/to/groupA
Neither the users in groupBTeam nor anyone else will be able to access it.
If you want it to affect everything inside the directory including files:
chmod -R 2770 /path/to/groupA
chmod -R o-x /path/to/groupA
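As an added example (not part of the question or the answer above), the following POSIX shell script rebuilds the two project folders in a scratch directory with the exact modes from the question's ls output, reads back the bits for "others" that decide whether a non-member can cd into or list a directory, and then applies the answer's fix. The directory names groupA and groupB are the question's; the helper function names and the scratch directory are assumptions. No users or groups are created, so it runs unprivileged; on the real system the equivalent check is to run `ls` on the folder as a non-member, e.g. `sudo -u worker_1 ls /folder/data/groupA`.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Recreates the question's
# layout in a temp dir (no real users/groups), inspects the "others" permission bits,
# and applies the answer's chmod fixes. Helper names are assumptions.
set -e

WORK=$(mktemp -d)

# mode_string PATH -> the 10-character mode column of ls -ld, e.g. drwsrws--x
mode_string() {
  ls -ld "$1" | cut -c1-10
}

# bits PATH u|g|o -> the three-character triplet for user, group or others
bits() {
  case "$2" in
    u) mode_string "$1" | cut -c2-4 ;;
    g) mode_string "$1" | cut -c5-7 ;;
    o) mode_string "$1" | cut -c8-10 ;;
  esac
}

# Recreate the layout exactly as the question's listing shows: groupA as
# drwsrws--x (6771), groupB as drwsrws--- (6770), one 664 file in each.
make_layout() {
  mkdir -p "$WORK/groupA" "$WORK/groupB"
  chmod 6771 "$WORK/groupA"
  chmod 6770 "$WORK/groupB"
  : > "$WORK/groupA/test_file.txt"
  : > "$WORK/groupB/test_file.txt"
  chmod 664 "$WORK/groupA/test_file.txt" "$WORK/groupB/test_file.txt"
}

# others_can_traverse DIR -> 0 if the others-execute bit is set (x, or t when sticky).
# This is the bit that let worker_1 cd into groupA.
others_can_traverse() {
  case "$(mode_string "$1")" in
    ?????????[xt]) return 0 ;;
    *)             return 1 ;;
  esac
}

# others_can_list DIR -> 0 if the others-read bit is set. Without it, ls fails with
# "Permission denied" even though cd succeeded, which is exactly what worker_1 saw.
others_can_list() {
  case "$(mode_string "$1")" in
    ???????r??) return 0 ;;
    *)          return 1 ;;
  esac
}

# The answer's fix for the directory itself: drop all bits for others, keep setgid
# so files created inside inherit the team group.
fix_dir() {
  chmod 2770 "$1"
}

# The answer's two recursive variants, kept separate so their effect on files can be compared.
fix_tree_ox() {
  chmod -R o-x "$1"
}
fix_tree_2770() {
  chmod -R 2770 "$1"
}

# report DIR -> one line describing what a user outside the group can do
report() {
  if others_can_traverse "$1"; then t=yes; else t=no; fi
  if others_can_list "$1"; then l=yes; else l=no; fi
  printf '%s %s  non-member cd: %s  ls: %s\n' "$(mode_string "$1")" "$1" "$t" "$l"
}

make_layout
echo "before:"
report "$WORK/groupA"
report "$WORK/groupB"
fix_dir "$WORK/groupA"
echo "after chmod 2770 on groupA:"
report "$WORK/groupA"

# Compare the two recursive forms on the file inside groupA.
make_layout
fix_tree_ox "$WORK/groupA"
echo "file after chmod -R o-x:  $(mode_string "$WORK/groupA/test_file.txt")"
make_layout
fix_tree_2770 "$WORK/groupA"
echo "file after chmod -R 2770: $(mode_string "$WORK/groupA/test_file.txt")"
```

The two recursive forms are not interchangeable for the files inside the directory: `chmod -R o-x` changes only the others-execute bit and leaves a 664 file as it was, while `chmod -R 2770` sets every regular file to rwxrws--- as well, i.e. owner-executable and setgid, which is rarely what a shared data folder wants. Once the directory itself is 2770, non-members cannot reach the files in any case, so the o-x form is the more conservative choice for the recursive case.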