Managing User Permissions on Unix

I am basically posting this here as a reference for myself, but I’m sure the information will be helpful to other people out there, as well.

Occasionally, when working on my Web server, I need to create a new user on the server and grant one or more other users permission to view and edit files within the new user’s home directory. This task, in itself, does not seem all that difficult on the surface. However, because most Unix servers are set up (and rightfully so, for security purposes) not to allow most users to navigate outside of their own home directories, it becomes a problem.

Let’s say, for example, that you have two users on your Web server that you want to allow permissions to view and edit each other’s home directories, but you don’t want them to have access to any other files and folders on the Web server.

For purposes of this example, let’s call them user1 and user2.

You create user1 on your Web server. In the administration control panel of my hosting package, when new Unix users are created, they are automatically added as new users for all of the other modules (FTP, usermail, etc.), home directories are automatically created for them and a new group is automatically created for the user. With the possible exception of automatically adding them to the other modules, I believe most Unix boxes are set up this way.

Therefore, now that you’ve added “user1” to your box, you now have a new folder located at /home/user1, you have a new group called “user1” and user1 is now allowed to FTP into his home directory. However, provided your FTP and SSH servers are set up properly, that user cannot navigate outside of the /home/user1 directory.

Now, you create “user2” on your Unix box. Once that’s completed, you now have a directory located at /home/user2, you have a new group called “user2” and user2 now has FTP permissions to navigate only within the /home/user2 directory.

Already, you can probably see the problem. Because user1 cannot go any higher in the directory structure than /home/user1, that obviously means he cannot navigate into /home/user2.

In order to solve that problem, we have to take a few simple steps.

First, we need to open a shell. In the case of a remote Web server, you would do so using an SSH connection. However, if this is a local machine, you can do so fairly easily by simply opening the terminal.

The first thing you want to do is “su” (switch user) as root. You do that simply by typing:

# su root

Then, enter the password for the root user when prompted.

Now, within the shell, you are performing all actions as the root user (be careful doing this, and make sure to exit the root account when you are finished).

The next step is to create new directories for each user. Within /home/user1, you should create a directory for user2. It could be something as simple as /home/user1/user2files. You would do that in the following way:

# mkdir /home/user1/user2files

Now, do the same for user2:

# mkdir /home/user2/user1files

The next step is to mount each user’s home directories as virtual directories for the other users. You do that by typing the following commands:

# mount --bind /home/user1/ /home/user2/user1files
# mount --bind /home/user2/ /home/user1/user2files

What you’ve done by typing those two commands is the following: You have now set up the Unix file system to look inside of /home/user1 whenever someone navigates into /home/user2/user1files. Essentially, /home/user2/user1files is now simply an alias of /home/user1. The second command did the same basic thing, except that it aliased /home/user2 as /home/user1/user2files.

The next step is to make sure your users will have the appropriate permissions. There are two things you need to do. First, you need to add user1 as a member of the “user2” group, and vice versa. Within my administration area, I did this by simply editing each group and adding the appropriate members.

Finally, make sure that the directories are set up to allow group members to manipulate the files. By default, most Web servers will automatically assign the permissions to new files as 664. That means that the original user that generated the file has read and write permissions on the file, and so does the group to which that user belongs.

That’s great, but it causes one minor problem. If user1 adds a new file to /home/user1/user2files, the user and group will both be set to “user1”. If we decided not to add user2 as a member of the “user1” group, then user2 won’t have any permissions over those files.

That’s a fairly easy fix, however. To accomplish this, you need to set the GID (the setgid bit) on the /home/user2 directory. Setting the GID on a directory basically means that any files added to that directory will automatically inherit the group that owns the directory, no matter which groups the file’s creator belongs to.

Within my administration panel, I did this by simply navigating to the folder within the File Manager, then using the “Info” button to set the GID. On most *nix boxes, you can do this by right-clicking on the folder itself and selecting “Properties” (I believe).

Now, no matter what files are added to /home/user1/user2files (or /home/user2, since /home/user1/user2files simply points to /home/user2) and no matter who adds them, the group will always be set to “user2”.

While you are editing the properties of that directory, you need to make sure that “Sticky” is not enabled. If “Sticky” is enabled, only the file’s owner will have permission to remove the files. Group members will not be able to delete the file.

Finally, you need to edit your fstab configuration file to finish mounting the virtual directories you created. To do that, open the shell and su as root, again. Type the following command:

# vi /etc/fstab

That will open a program called “vi” (or Visual Editor). I found a good link with instructions explaining how to use vi. Once you’ve opened fstab in vi, you need to add a line for each folder you mounted. The lines should look like:

/home/user2  /home/user1/user2files none bind 0 0

If you don’t add the mount commands to the fstab file, then the changes you made will all be lost whenever the server is restarted. The format of that line should be as follows (the first two fields, the real directory and the virtual directory, are the only things you should change):

/real/directory /virtual/directory none bind 0 0

Once you complete all of those steps, both of your users should be able to work within each other’s home directories without you having to grant them access to other files and folders on the computer.
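The whole procedure above, collected into one script as an added example (this is not code from the original post). It assumes Linux with GNU coreutils and util-linux (chmod, usermod and mount --bind), and that the two accounts and their same-named groups already exist, as the post’s hosting panel creates them. The function and variable names (fstab_lines, share_dir, check_share_dir, setup_shared_homes) are my own. Only setup_shared_homes needs root; the helpers can be exercised on any directory you own, which is how you can check the setgid and sticky bits from the shell instead of a file manager’s “Properties” dialog.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes Linux with GNU
# coreutils and util-linux (chmod, usermod, mount --bind) and that the two
# accounts and their same-named groups already exist. Only
# setup_shared_homes needs root; the other functions work on any
# directory the caller owns.

# Emit the two /etc/fstab entries that make the bind mounts survive a
# reboot. Field order follows the post: real directory, mount point
# (the "virtual" directory), then "none bind 0 0". This only prints.
fstab_lines() {
  u1="$1"; u2="$2"
  printf '/home/%s  /home/%s/%sfiles none bind 0 0\n' "$u2" "$u1" "$u2"
  printf '/home/%s  /home/%s/%sfiles none bind 0 0\n' "$u1" "$u2" "$u1"
}

# Prepare a directory for group sharing: mode 2775 gives the owner and the
# group rwx, sets the setgid bit (new files inherit the directory's group,
# whatever the creator's primary group is) and leaves the sticky bit
# clear so group members can delete each other's files.
share_dir() {
  mkdir -p "$1" && chmod 2775 "$1"
}

# Return 0 only if the directory has setgid on and sticky off. The mode is
# read from `ls -ld`, so this works with GNU and BSD userlands alike:
# column 7 is the group execute slot (s/S when setgid is set) and column
# 10 is the other execute slot (t/T when sticky is set).
check_share_dir() {
  perms=$(ls -ld "$1" | cut -c1-10) || return 1
  case "$perms" in
    d?????[sS]??[!tT]) return 0 ;;
    *) return 1 ;;
  esac
}

# The root-only part, in the post's order: mount-point directories, bind
# mounts, cross group membership, setgid on the real home directories,
# then the fstab entries. A bind mount exposes the whole home directory,
# dotfiles included, so use this only where both users are meant to see
# everything in each other's homes.
setup_shared_homes() {
  u1="$1"; u2="$2"
  [ "$(id -u)" -eq 0 ] || { echo "setup_shared_homes: run as root" >&2; return 1; }
  mkdir -p "/home/$u1/${u2}files" "/home/$u2/${u1}files" || return 1
  mount --bind "/home/$u1" "/home/$u2/${u1}files" || return 1
  mount --bind "/home/$u2" "/home/$u1/${u2}files" || return 1
  usermod -aG "$u2" "$u1" || return 1
  usermod -aG "$u1" "$u2" || return 1
  # The bits go on the real directories; the bind mounts share the same
  # inodes, so they show up at both paths.
  share_dir "/home/$u1" && share_dir "/home/$u2" || return 1
  check_share_dir "/home/$u1" && check_share_dir "/home/$u2" || return 1
  fstab_lines "$u1" "$u2" >> /etc/fstab
}
```

Run `setup_shared_homes user1 user2` as root to perform the whole setup; `check_share_dir /home/user2` can be run by anyone to confirm the setgid bit is on and the sticky bit is off, which is the combination the post asks for. Keep in mind that adding user1 to the “user2” group grants access to everything in /home/user2 that is group-readable, not just the shared folder.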

One Response

  • mahesh

    Looks like a good lesson. Thanks for your post.
    The FTP user needs the directory permission. How can we do that?