On Linux systems, standard group permissions don't automatically grant members the ability to modify file permissions - even when they have write access. This creates a specific challenge when you need a group (like ftpusers) to manage permissions within a directory tree.
Unlike BSD's chmod +a command, Linux uses a different permission model. The key is combining these elements:
1. Directory ownership (chown)
2. Special permission bits (chmod g+s)
3. Umask settings
Here's the complete solution for Debian/GNU Linux:
    # 1. Set directory ownership
    sudo chown -R :ftpusers /path/to/directory
    # 2. Set SGID bit to maintain group ownership
    sudo chmod -R g+s /path/to/directory
    # 3. Set ACL for permission modification
    sudo setfacl -R -m g:ftpusers:rwx /path/to/directory
    sudo setfacl -dR -m g:ftpusers:rwx /path/to/directory
    # 4. Verify the setup
    getfacl /path/to/directory
For more granular control, file capabilities (kernel 2.6.24+) can grant CAP_FOWNER to a specific binary:
    # Grant CAP_FOWNER to a specific binary via file capabilities;
    # every user who runs this copy of chmod then bypasses the ownership check
    sudo setcap cap_fowner+ep /usr/bin/chmod
Always:
- Restrict access to necessary directories only
- Monitor permission changes with auditd
- Consider using filesystem quotas
    # Check effective permissions
    namei -l /path/to/file
    # Verify group membership
    groups ftpuser1
    # Check SELinux context
    ls -Z /path/to/directory
When administering Linux servers, particularly in web hosting environments, we often need to delegate permission management capabilities to specific user groups. The scenario where members of the 'ftpusers' group need to modify permissions within a designated directory is common yet requires careful implementation.
Unlike BSD's ACL system (which uses +a flags), Linux provides several approaches for granular permission control:
1. Traditional UNIX permissions (owner/group/others)
2. POSIX ACLs (Access Control Lists)
3. Special permission bits (setuid/setgid/sticky bit)
For Debian/GNU systems, we'll combine two methods to achieve the desired functionality:
1. Setting the Directory Structure
First, ensure proper ownership and permissions on the parent directory:
    sudo chown -R :ftpusers /path/to/ftp_root
    sudo chmod -R 2770 /path/to/ftp_root   # Note the setgid bit (2)
The 2770 permission breaks down as:
- 2: setgid bit ensures new files inherit group ownership
- 7: owner gets rwx
- 7: group gets rwx
- 0: others get no permissions
2. Enabling Permission Modification Capability
To allow group members to change permissions, we'll use POSIX ACLs:
    sudo apt install acl   # Install ACL utilities if not present
    sudo setfacl -Rm g:ftpusers:rwx /path/to/ftp_root
    sudo setfacl -Rdm g:ftpusers:rwx /path/to/ftp_root
The -d flag sets default ACLs for new files/directories.
Create a test environment to verify the configuration:
    # As admin:
    sudo mkdir -p /path/to/ftp_root/testdir
    sudo touch /path/to/ftp_root/testfile   # created by root, so root owns it; the setgid dir only sets its group
    # As ftpuser:
    su ftpuser
    cd /path/to/ftp_root
    chmod 755 testfile   # Should succeed
    ls -la testfile      # Verify permissions changed
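The following Python script is an added example (not from the original page) that checks the state the setup steps above are meant to produce: every entry under the tree belongs to the expected group, directories carry the setgid bit, the group has rwx on directories and at least rw on files, and others have no access. It builds a constructed sample tree in a temporary directory rather than touching /path/to/ftp_root, and the group id, path names and file contents are assumptions. Because the kernel lets only a file's owner (or a process holding CAP_FOWNER) change its mode, whatever the ACLs say, the optional expected_uid argument also reports entries a given user will not be able to chmod; running it with the test user's uid shows who owns testfile before you expect the chmod in the test above to succeed.

```python
"""Verify the ftpusers directory layout (added example, not from the page).

Checks what `chown -R :ftpusers` and `chmod -R 2770` (setgid + group rwx,
no access for others) should leave behind. The sample tree, group id and
file names below are constructed for this example.
"""
import os
import stat
import tempfile
from pathlib import Path


def describe_mode(mode):
    """Spell out a numeric mode such as 0o2770 bit by bit."""
    special = [name for bit, name in ((stat.S_ISUID, "setuid"),
                                      (stat.S_ISGID, "setgid"),
                                      (stat.S_ISVTX, "sticky")) if mode & bit]

    def rwx(bits):
        return "".join(c if bits & b else "-" for c, b in (("r", 4), ("w", 2), ("x", 1)))

    return "%s owner=%s group=%s others=%s" % (
        ",".join(special) or "none",
        rwx((mode >> 6) & 7), rwx((mode >> 3) & 7), rwx(mode & 7))


def check_tree(root, expected_gid, expected_uid=None):
    """Return (path, problem) pairs for every entry that deviates from the layout."""
    findings = []
    for path in [Path(root), *sorted(Path(root).rglob("*"))]:
        st = path.lstat()
        if stat.S_ISLNK(st.st_mode):
            continue                          # a symlink's own mode is not meaningful
        perm = stat.S_IMODE(st.st_mode)       # the 12 permission bits, incl. setgid
        is_dir = stat.S_ISDIR(st.st_mode)
        if st.st_gid != expected_gid:
            findings.append((str(path), "group is gid %d, expected %d" % (st.st_gid, expected_gid)))
        if is_dir and not (perm & stat.S_ISGID):
            findings.append((str(path), "directory lacks setgid; new entries will not inherit the group"))
        need = 7 if is_dir else 6             # group needs rwx on directories, rw on files
        if ((perm >> 3) & need) != need:
            findings.append((str(path), "group lacks %s" % ("rwx" if is_dir else "rw")))
        if perm & 7:
            findings.append((str(path), "others have access: " + describe_mode(perm)))
        if expected_uid is not None and st.st_uid != expected_uid:
            # ACLs never relax this: chmod succeeds only for the owner or CAP_FOWNER
            findings.append((str(path), "owned by uid %d; only that user can chmod it" % st.st_uid))
    return findings


def build_sample_tree():
    """Constructed fixture: a setgid root, one compliant file, one leaking to others."""
    root = Path(tempfile.mkdtemp(prefix="ftp_root_"))
    os.chmod(root, 0o2770)
    (root / "ok.txt").write_text("fine\n")
    os.chmod(root / "ok.txt", 0o660)
    (root / "leaky.txt").write_text("world readable\n")
    os.chmod(root / "leaky.txt", 0o664)
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    for path, problem in check_tree(sample, sample.stat().st_gid, os.getuid()):
        print("%s: %s" % (path, problem))
```

Point check_tree at the real tree with the gid from `getent group ftpusers` to audit a live server; the sample fixture only exists so the script runs without privileges.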
For production environments, consider these additional measures:
- Implement filesystem quotas
- Set up audit logging with auditd
- Consider using chattr +i for critical files
- Review SELinux/AppArmor policies if enabled
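As an added example (not part of the original page) for the auditd item above and the earlier "monitor permission changes with auditd" advice, this Python script assumes a watch rule of the form `-w /path/to/ftp_root -p a -k ftp_perms`, which records attribute changes under the tree under the key ftp_perms, and parses the resulting raw audit.log records. The log lines, uids, inode numbers and paths embedded in it are constructed; the syscall numbers are the x86_64 values for chmod, fchmod and fchmodat, and the requested mode is taken from the hex a1/a2 argument field of the SYSCALL record. It correlates SYSCALL, CWD and PATH records by event id, decodes the mode, and flags both successful changes that leave a file world-writable and attempts the kernel refused.

```python
"""Detect mode changes under the FTP root from auditd records (added example).

Assumes a rule like:  -w /path/to/ftp_root -p a -k ftp_perms
The log below is constructed to look like raw audit.log output.
"""
import re
from collections import defaultdict

MODE_SYSCALLS = {90: "chmod", 91: "fchmod", 268: "fchmodat"}  # x86_64 numbers
MODE_ARG = {90: "a1", 91: "a1", 268: "a2"}  # which hex argument holds the mode

# Constructed sample: a normal chmod 755, a chmod 777, and a refused attempt.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55d6c4a2b2a0 a2=1ed a3=0 items=1 ppid=4101 pid=4102 auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=pts0 ses=3 comm="chmod" exe="/usr/bin/chmod" key="ftp_perms"
type=CWD msg=audit(1700000000.101:501): cwd="/path/to/ftp_root"
type=PATH msg=audit(1700000000.101:501): item=0 name="testfile" inode=12345 dev=08:01 mode=0100755 ouid=1001 ogid=1002 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:502): arch=c000003e syscall=268 success=yes exit=0 a0=ffffff9c a1=55d6c4a2b2a0 a2=1ff a3=0 items=1 ppid=4101 pid=4103 auid=1001 uid=1001 gid=1002 euid=1001 suid=1001 fsuid=1001 egid=1002 sgid=1002 fsgid=1002 tty=pts0 ses=3 comm="chmod" exe="/usr/bin/chmod" key="ftp_perms"
type=CWD msg=audit(1700000000.202:502): cwd="/path/to/ftp_root"
type=PATH msg=audit(1700000000.202:502): item=0 name="upload.sh" inode=12346 dev=08:01 mode=0100777 ouid=1001 ogid=1002 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.303:503): arch=c000003e syscall=268 success=no exit=-1 a0=ffffff9c a1=55d6c4a2b2a0 a2=1ed a3=0 items=1 ppid=4101 pid=4104 auid=1003 uid=1003 gid=1002 euid=1003 suid=1003 fsuid=1003 egid=1002 sgid=1002 fsgid=1002 tty=pts1 ses=4 comm="chmod" exe="/usr/bin/chmod" key="ftp_perms"
type=CWD msg=audit(1700000000.303:503): cwd="/path/to/ftp_root"
type=PATH msg=audit(1700000000.303:503): item=0 name="testfile" inode=12345 dev=08:01 mode=0100755 ouid=1001 ogid=1002 rdev=00:00 nametype=NORMAL
"""

FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
EVENT_ID = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_records(text):
    """Group raw audit lines by event id -> {record type: fields}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = EVENT_ID.search(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        fields["time"] = m.group(1)
        if fields["type"] == "PATH":          # one syscall may carry several PATH items
            events[m.group(2)].setdefault("PATH", []).append(fields)
        else:
            events[m.group(2)][fields["type"]] = fields
    return events


def mode_change_events(text, root="/path/to/ftp_root", key="ftp_perms"):
    """Return one dict per chmod-family syscall tagged with our audit key."""
    hits = []
    for eid, recs in sorted(parse_records(text).items(), key=lambda kv: int(kv[0])):
        sc = recs.get("SYSCALL")
        if not sc or sc.get("key") != key or int(sc["syscall"]) not in MODE_SYSCALLS:
            continue
        nr = int(sc["syscall"])
        new_mode = int(sc[MODE_ARG[nr]], 16) & 0o7777   # audit logs arguments in hex
        name = recs["PATH"][0]["name"] if recs.get("PATH") else "?"
        cwd = recs.get("CWD", {}).get("cwd", "")
        path = name if name.startswith("/") else cwd.rstrip("/") + "/" + name
        hits.append({
            "id": eid, "auid": int(sc["auid"]), "exe": sc["exe"], "path": path,
            "syscall": MODE_SYSCALLS[nr], "mode": "%04o" % new_mode,
            "success": sc["success"] == "yes",
            "world_writable": bool(new_mode & 0o002),
            "in_root": path.startswith(root.rstrip("/") + "/"),
        })
    return hits


def alerts(hits):
    """Events a reviewer should look at first: refused attempts and world-writable results."""
    out = []
    for h in hits:
        if not h["in_root"]:
            continue
        if not h["success"]:
            out.append("denied: auid %d attempted %s %s on %s" % (h["auid"], h["syscall"], h["mode"], h["path"]))
        elif h["world_writable"]:
            out.append("world-writable: auid %d set %s on %s" % (h["auid"], h["mode"], h["path"]))
    return out


if __name__ == "__main__":
    found = mode_change_events(SAMPLE_LOG)
    for h in found:
        print(h["id"], h["syscall"], h["mode"], h["path"], "ok" if h["success"] else "DENIED")
    for line in alerts(found):
        print("ALERT", line)
```

A refused chmod (success=no, exit=-1, i.e. EPERM) from a group member is exactly the signal that the file is owned by someone else, so a run of these alerts from one auid is usually a misconfigured owner rather than an attack; the world-writable alert is the one that warrants a follow-up on a shared FTP tree.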
If permission changes still fail, check:
    # Verify group membership
    groups ftpuser
    # Check effective permissions
    getfacl /path/to/ftp_root
    # Ensure no conflicting SELinux contexts
    ls -Z /path/to/ftp_root