When dealing with shared directories in Linux systems, the chmod g+s command (which sets the SGID bit) is crucial for maintaining consistent group ownership. Unlike regular permissions, the SGID bit ensures that all new files and directories created within inherit the parent directory's group ownership.
Consider this sample project structure:
project/
├── src/
│ ├── main.c
│ └── utils/
├── docs/
└── build/
To set group ownership AND apply SGID to existing directories:
# First set the group ownership
sudo chown -R :devteam /path/to/project
# Then apply SGID bit recursively
sudo find /path/to/project -type d -exec chmod g+s {} +
After running these commands, check the permissions:
ls -ld project/
drwxr-sr-x 5 user devteam 4096 Jan 15 10:00 project/
The lowercase 's' in the group execute position indicates SGID is active.
Create a new file to verify inheritance:
touch project/newfile.txt
ls -l project/newfile.txt
-rw-r--r-- 1 user devteam 0 Jan 15 10:05 project/newfile.txt
- SGID only affects new files/directories created after setting the bit
- Existing files retain their original group ownership
- The user must belong to the target group for this to work
- Default umask settings may affect final permissions
For deployment scripts, consider adding:
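#!/bin/bash
TARGET_DIR="/var/www/project"
DEPLOY_GROUP="webadmins"
# Quote the variables so paths with spaces or glob characters are passed intact
chown -R ":${DEPLOY_GROUP}" "${TARGET_DIR}"
# Set SGID on directories only, not on regular files
find "${TARGET_DIR}" -type d -exec chmod g+s {} +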
When managing shared directories in Linux, maintaining consistent group ownership across existing files and future additions is crucial. The standard chgrp command only changes the group of items that already exist; it has no effect on items created later. This is where the g+s (setgid) flag becomes essential.
The chmod g+s command does two important things:
- For directories: New files/folders inherit the parent directory's group
- For executables: The program runs with the group that owns the file
This solves both current and future permission issues in one operation.
Here's how to properly implement this for an entire directory structure:
# First set the group ownership recursively
sudo chgrp -R developers /path/to/project_folder
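# Then apply setgid to directories only, so new entries inherit the group
# (chmod -R g+s would also set the bit on regular files, including executables)
sudo find /path/to/project_folder -type d -exec chmod g+s {} +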
# Verify the changes
ls -ld /path/to/project_folder
# Should show 's' in group permissions like drwxr-sr-x
Imagine a web server scenario where multiple developers need write access:
# Setup shared workspace
sudo mkdir /var/www/dev-team
sudo groupadd webdev
sudo chown root:webdev /var/www/dev-team
sudo chmod 2775 /var/www/dev-team # 2 = setgid, 775 = rwxrwxr-x
# Test the setup
sudo -u developer1 touch /var/www/dev-team/test.txt
ls -l /var/www/dev-team/test.txt
# The file automatically gets webdev group ownership
Problem: New files aren't inheriting group ownership.
Solution: Ensure:
- Parent directory has setgid bit set (check with ls -ld)
- UMASK isn't overriding (temporary fix: umask 0002)
- SELinux isn't interfering (restorecon -Rv /path)
For more complex permission scenarios, combine with setfacl:
sudo setfacl -R -d -m g:webdev:rwx /var/www/dev-team
sudo setfacl -R -m g:webdev:rwx /var/www/dev-team
Remember that setgid works differently on files vs directories. For security, avoid using it on sensitive executables. Always test permission changes in a non-production environment first.
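The following is an added example, not part of the original page: a POSIX shell audit for a shared tree that reports directories missing the setgid bit, regular files that carry setgid (the state the warning above is about), and entries outside the target group. The function name audit_sgid and its output labels are made up for this example.

```shell
#!/bin/sh
# audit_sgid DIR GROUP  (hypothetical helper, written for this example)
# Prints one finding per line and returns 1 if anything is reported:
#   NO_SGID_DIR <path>  directory without setgid; files created in it
#                       will not inherit the directory's group
#   SGID_FILE   <path>  regular file with setgid set, e.g. left behind
#                       by a recursive chmod g+s over files and dirs
#   WRONG_GROUP <path>  entry whose group is not GROUP
audit_sgid() {
    dir=$1
    group=$2
    findings=$(
        # -perm -2000 matches when the setgid bit is set
        find "$dir" -type d ! -perm -2000 \
            -exec printf 'NO_SGID_DIR %s\n' {} \;
        find "$dir" -type f -perm -2000 \
            -exec printf 'SGID_FILE %s\n' {} \;
        # GROUP may be a name or a numeric gid
        find "$dir" ! -group "$group" \
            -exec printf 'WRONG_GROUP %s\n' {} \;
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run directly as: sh audit_sgid.sh /var/www/dev-team webdev
if [ "$#" -eq 2 ]; then
    audit_sgid "$1" "$2"
fi
```

A non-zero exit status makes it usable as a post-deploy check; SGID_FILE entries can be cleared with chmod g-s on the listed paths.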