Use ACL and SGID to let a group of users work on the same directory, plus Linux file permissions

Jephe Wu - http://linuxtechres.blogspot.com

Objective: a parent directory called /shared is owned by db2inst1 (whose umask is 022), and two other users, jephe and zhitan, are going to work in this directory /shared. All three should be able to read and write each other's files and directories under /shared, including the files created by db2inst1: any file db2inst1 creates must end up group-writable even though its umask is 022.

Environment: RHEL 5 or CentOS 5

Preparation:
Mount the partition that holds /shared with the acl option, e.g. 'mount / -o remount,acl'.
or

cd /path/to/directory; df . -> shows which mount point the directory belongs to; if it is /data, then run mount /data -o remount,acl

Steps:
1. configure the directory permission
When a new file is created on a Unix-like system, its permissions are determined from the umask of the process that created it.

[root@linuxtest /]# ls -ld shared  (the group "its" has write permission and the SGID bit is set, so jephe and zhitan can create files and directories under /shared and those inherit the group; but any file created by db2inst1 itself will not be group writable, because its umask is 022)
drwxrwsr-x 2 db2inst1 its 4096 Feb 20 10:22 shared

[root@linuxtest /]# usermod -G its jephe
[root@linuxtest /]# id jephe
uid=500(jephe) gid=500(jephe) groups=500(jephe),502(its)
[root@linuxtest /]# usermod -G its zhitan
[root@linuxtest /]# id zhitan
uid=501(zhitan) gid=501(zhitan) groups=501(zhitan),502(its)

(usermod -G replaces the user's whole supplementary group list; for a user who already belongs to other groups, use usermod -a -G its <user> to append.)


2. configure default acl permissions
[root@linuxtest /]# setfacl -d -m u:jephe:rwx,u:zhitan:rwx /shared
[root@linuxtest /]# setfacl -R -m u:jephe:rwx,u:zhitan:rwx /shared

Note:
The default ACL (-d) is applied only to files or directories newly created under /shared. If you run only setfacl -d on the parent directory, jephe and zhitan still cannot write to /shared itself; that is why the second command (setfacl -R -m ...) also sets the access ACL on the existing tree:

[root@linuxtest /]# getfacl shared
# file: shared
# owner: db2inst1
# group: its
user::rwx
group::rwx
other::r-x
default:user::rwx
default:user:jephe:rwx
default:user:zhitan:rwx
default:group::rwx
default:mask::rwx
(The mask defines the maximum permissions that named users and groups can get. If the mask is --x, a user or group entry gets at most --x; and if that user or group entry itself has no x bit, its effective permission becomes ---, i.e. nothing.)
default:other::r-x

Now, any file or directory created by db2inst1 will be group writable even though db2inst1's umask is 022, unlike before the setfacl commands were run. Also, jephe and zhitan are now able to create files or directories under /shared.

Alternatively, you can just set the default mask to rwx; any file created by db2inst1 will then have group write permission:
[root@linuxtest /]# setfacl -R -m d:m:rwx /shared  (modify the default mask to rwx)

A directory may contain default ACL entries. If a file or directory is created in a directory that contains default ACL entries, the newly created file will have permissions generated according to the intersection of the default ACL entries and the permissions requested at creation time. The umask will not be applied if the directory contains default ACL entries.

--------------ACL mask explanation by example--------------
[root@linuxtest /]# setfacl -m m:r-- shared  (set the mask of the shared directory itself to r--)
[root@linuxtest /]# getfacl shared
# file: shared
# owner: db2inst1
# group: its
user::rwx
group::rwx                      #effective:r--
mask::r--

other::r-x
default:user::rwx
default:user:jephe:--x
default:group::rwx
default:mask::rwx
default:other::r-x

[root@linuxtest /]# setfacl -d -m m:r-- shared  (set the default mask to r--, i.e. the mask inherited by any new files/directories created under it)
[root@linuxtest /]# getfacl shared
# file: shared
# owner: db2inst1
# group: its
user::rwx
group::rwx                      #effective:r--
mask::r--

other::r-x
default:user::rwx
default:user:jephe:--x          #effective:---
default:group::rwx              #effective:r--
default:mask::r--

default:other::r-x
[root@linuxtest /]# ls -ld shared
drwxr-Sr-x+ 7 db2inst1 its 4096 Feb 20 13:18 shared

------------------end------------------------------------
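The rules from step 2 and from the mask example above can be checked by hand with a small model of the acl(5) semantics. This is an added illustration, not code from the original post; the dict layout of the ACL entries and the mode/umask values are this model's own assumptions, with entries taken from the getfacl output above.

```python
R, W, X = 4, 2, 1   # permission bits of one ACL entry

def effective(acl):
    """Effective rights per entry: the mask caps named users, group:: and
    named groups; user:: and other:: are never masked (acl(5))."""
    mask = acl.get("mask")
    return {tag: (perm & mask if mask is not None and tag not in ("user", "other", "mask")
                  else perm) for tag, perm in acl.items()}

def create_acl(default_acl, requested, umask):
    """Access ACL of a newly created object. With no default ACL the classic
    rule requested & ~umask applies. With one, the default ACL is inherited and
    only user::, mask:: (or group:: when there is no mask) and other:: are
    intersected with the requested mode; the umask is not applied at all."""
    if not default_acl:
        mode = requested & ~umask
        return {"user": (mode >> 6) & 7, "group": (mode >> 3) & 7, "other": mode & 7}
    acl = dict(default_acl)
    acl["user"] &= (requested >> 6) & 7
    acl["mask" if "mask" in acl else "group"] &= (requested >> 3) & 7
    acl["other"] &= requested & 7
    return acl

def ls_string(acl, is_dir=False, setgid=False):
    """Mode column as ls prints it: the group triplet shows the mask when one
    exists, SGID shows as s/S, and '+' marks an extended ACL."""
    def trip(p, special=False):
        x = ("s" if p & X else "S") if special else ("x" if p & X else "-")
        return ("r" if p & R else "-") + ("w" if p & W else "-") + x
    group_field = acl.get("mask", acl["group"])
    extended = any(tag not in ("user", "group", "other") for tag in acl)
    return (("d" if is_dir else "-") + trip(acl["user"]) + trip(group_field, setgid)
            + trip(acl["other"]) + ("+" if extended else ""))

# Default ACL of /shared from step 2 (named entries are keyed "user:<name>").
SHARED_DEFAULT = {"user": 7, "user:jephe": 7, "user:zhitan": 7,
                  "group": 7, "mask": 7, "other": 5}
# Entries from the mask example: mask r-- with jephe's --x entry.
MASK_EXAMPLE = {"user": 7, "user:jephe": 1, "group": 7, "mask": 4, "other": 5}

if __name__ == "__main__":
    # db2inst1 (umask 022, open mode 0666): group-writable only via the default ACL
    print(ls_string(create_acl({}, 0o666, 0o022)))               # -rw-r--r--
    print(ls_string(create_acl(SHARED_DEFAULT, 0o666, 0o022)))   # -rw-rw-r--+
    # mask r-- turns jephe's --x into nothing, and ls shows the directory as r-S
    print(effective(MASK_EXAMPLE)["user:jephe"])                 # 0
    print(ls_string(MASK_EXAMPLE, is_dir=True, setgid=True))     # drwxr-Sr-x+
```

The last line reproduces the drwxr-Sr-x+ shown by ls -ld above: the group field is the mask, so with mask r-- the SGID bit prints as a capital S.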


3. remove all acl permissions
setfacl -R -b /shared

To remove all the permissions for a user, group, or others, use the -x option and do not specify any permissions:

setfacl -x <rules> <files>
To remove all permissions from the user jephe
setfacl -x u:jephe /shared
 
Linux file permissions:

Every program accesses files and directories through system calls, and the permission checks below are applied to those calls.

1. directory:
You can think of a directory as a data file containing a table; each row holds a filename and its inode number:

Read:
This permission only lets you find out the names of the files under it, not their inodes or anything else stored in the inode data structure.

Write:
This permission allows you to add, rename, or delete files within the directory; it does not let you modify a file's content directly, e.g.
# echo testing > file1
# > file1

But vim can still replace a read-only file with ":w!" when the directory is writable. The following is from http://vimdoc.sourceforge.net/htmldoc/editing.html
*write-readonly*
When the 'cpoptions' option contains 'W', Vim will refuse to overwrite a
readonly file.  When 'W' is not present, ":w!" will overwrite a readonly file,
if the system allows it (the directory must be writable).
 
 
All of the above actions also require changing, or at least reading, the inodes of the affected files,
so search (x) permission is also needed to add/rename/delete files within a directory.

Execute:
This permission means search: it grants the ability to traverse the directory in order to access the files and subdirectories in it.
It is required to access the inode information of the files within.


2. File:
Read: system call read()
You need the file's inode number to read it.
Only the file owner or root can modify information in the inode, such as the owner, group and permissions.

Write: system call write(), to modify file content

Execute: system call exec()
If the file is a binary program you only need x (not r) to execute it, but if the file is a shell script
you must also have r permission, because the interpreter has to read it. The proper permissions on a script are therefore both read and execute.

Example: cat /home/jephe/file1. First you need read permission on file1 to read its content, and
you also need x permission on /, /home and /home/jephe to locate the inode of file1 and thus read it.
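The directory and file checks described in this section, including the cat /home/jephe/file1 example, modelled as a small path walk. This is an added illustration, not code from the original post; the in-memory tree, the db2inst1 uid (503) and the /dropbox directory are constructed assumptions, while the ids for jephe, zhitan and its follow the id output above.

```python
R, W, X = 4, 2, 1
ROOT_UID = 0
# Constructed sample tree: path -> (is_dir, owner_uid, group_gid, mode).
FS = {
    "/":                 (True, 0, 0, 0o755),
    "/home":             (True, 0, 0, 0o755),
    "/home/jephe":       (True, 500, 500, 0o700),
    "/home/jephe/file1": (False, 500, 500, 0o640),
    "/shared":           (True, 503, 502, 0o2775),   # db2inst1:its, SGID + group write
    "/dropbox":          (True, 0, 0, 0o733),        # writable and searchable, not listable
}

def class_bits(entry, uid, gids):
    """Linux applies exactly one class: owner, else group, else other."""
    _, owner, group, mode = entry
    if uid == owner:
        return (mode >> 6) & 7
    if group in gids:
        return (mode >> 3) & 7
    return mode & 7

def has(entry, uid, gids, bit):
    # root bypasses r/w/search checks (DAC override); everyone else needs the bit
    return uid == ROOT_UID or bool(class_bits(entry, uid, gids) & bit)

def check(path, op, uid, gids):
    """op is 'read'/'write' on a file, 'list' on a directory, or 'create'/'unlink'
    of the named entry. Returns the first missing permission as text, or None
    when the operation is allowed."""
    parts = [p for p in path.split("/") if p]
    ancestors = ["/" + "/".join(parts[:i]) for i in range(len(parts))]
    for d in ancestors:             # every component on the way needs search (x)
        if not has(FS[d], uid, gids, X):
            return f"no x on {d}"
    if op in ("create", "unlink"):  # modifies the parent directory, not the file
        parent = ancestors[-1]
        return None if has(FS[parent], uid, gids, W) else f"no w on {parent}"
    need = {"read": R, "write": W, "list": R}[op]
    if not has(FS[path], uid, gids, need):
        return f"no {'r' if need == R else 'w'} on {path}"
    return None

if __name__ == "__main__":
    print(check("/home/jephe/file1", "read", 500, {500}))        # None
    print(check("/home/jephe/file1", "read", 501, {501, 502}))   # no x on /home/jephe
    print(check("/shared/newfile", "create", 501, {501, 502}))   # None
    print(check("/dropbox", "list", 501, {501}))                 # no r on /dropbox
```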
 
References:

a. Unix File and Directory Permissions and Modes - http://content.hccfl.edu/pollock/AUnix/FilePermissions.htm

b. http://en.wikipedia.org/wiki/Filesystem_permissions