When migrating from a legacy system where shared files lived under a single user's /home directory to a modern group-based permission model, we need to rethink the storage architecture. The traditional approach of using a shared user account creates permission complications and violates the principle of least privilege.
The Filesystem Hierarchy Standard (FHS) provides several appropriate locations:
/srv/team_name/scripts # For service-related scripts
/opt/shared_resources # For add-on application packages
/usr/local/shared # For locally installed software
/var/lib/shared_data # For variable state informationHere's how to properly set up a shared directory with group permissions:
# Create directory structure
sudo mkdir -p /srv/dev_team/{scripts,data}
sudo chown -R root:dev_team /srv/dev_team
sudo chmod -R 2775 /srv/dev_team # SETGID bit preserves group ownership
# Verify the setup
ls -ld /srv/dev_team
# drwxrwsr-x 3 root dev_team 4096 Aug 1 10:00 /srv/dev_teamFor more granular control, consider using Access Control Lists (ACLs):
# Grant specific users write access
setfacl -Rm u:jane:rwX /srv/dev_team/scripts
setfacl -Rm g:qa_team:rX /srv/dev_team/data
# Verify ACL settings
getfacl /srv/dev_team/scriptsFor network-shared environments, configure automount in /etc/auto.master:
/srv/shared /etc/auto.shared --timeout=300Then in /etc/auto.shared:
dev_scripts -fstype=nfs,rw,hard,intr fileserver:/export/shared/scriptsWhen transitioning from a single-shared-user model to proper multi-user collaboration in Linux, file placement becomes crucial. The traditional approach of using /home/shareduser creates permission headaches and doesn't scale well with proper user separation.
The Filesystem Hierarchy Standard (FHS) provides several appropriate locations:
- /srv - Designated for service-specific data (best for production)
- /usr/local - For locally installed software and shared scripts
- /opt - Optional application packages
- /var - Variable data (good for frequently modified files)
Here's how to properly set up a shared directory in /srv:
# Create directory structure
sudo mkdir -p /srv/team_scripts/{bin,data,config}
sudo chown -R root:devteam /srv/team_scripts
sudo chmod -R 2775 /srv/team_scripts # SETGID bit preserves group
# Add users to the group
sudo usermod -aG devteam user1
sudo usermod -aG devteam user2
# Verify permissions
ls -ld /srv/team_scripts
# drwxrwsr-x 3 root devteam 4096 Jul 10 15:30 /srv/team_scripts
For environments needing strict ownership control:
# Create system user without login sudo useradd -r -s /usr/sbin/nologin -d /srv/shared_files shareduser sudo mkdir /srv/shared_files sudo chown shareduser:devteam /srv/shared_files sudo chmod 2770 /srv/shared_files # Configure sudo for group administration echo "%devteam ALL=(shareduser) NOPASSWD: /usr/bin/rsync, /usr/bin/cp" >> /etc/sudoers
Key considerations for secure collaboration:
# Set default umask for the group (add to /etc/profile) umask 0002 # Creates files with 664 (rw-rw-r--) by default # Enable ACLs for fine-grained control sudo setfacl -Rm g:devteam:rwx /srv/project_x sudo setfacl -Rm d:g:devteam:rwx /srv/project_x # Default ACLs
For network-shared environments, configure /etc/fstab with proper options:
# Example NFS mount with group preservation server:/shared/projects /mnt/projects nfs rw,hard,intr,nodev,nosuid,grpid 0 0
Ensure your backup system respects group ownership:
# Sample rsync command preserving groups rsync -aHAX --chmod=D2775,F664 /srv/shared/ backup-server:/backups/