

Unix Power Tools

49.5. Group Permissions in a Directory with the setgid Bit

If you work on a Unix system with lots of users, you may be taking advantage of Unix group permissions to let users in one group write to files in a directory, but not let people in other groups write there.

How does Unix determine what group should own the files you create? There are (at least!) two ways:

  1. The effective group ID of the process determines the ownership of the files you create. (Your effective GID is your primary group membership unless you're running an SGID program.)

  2. The group that owns the directory in which you create the file also owns the file.

The system administrator decides which of the methods a filesystem will use for group ownership. There are other wrinkles, too. A good place to look for the gory details is your system's open manpage, but it's probably easier to just create an empty new file and then check the group ownership with ls -l or ls -lg.

You may be able to use the directory's set group ID (setgid) bit to control group ownership. In those cases, if the bit is set, the rule in point 2 applies. If the bit is not set, the rule in point 1 applies. To set and remove the setgid bit, use the commands chmod g+s and chmod g-s, respectively.

> chmod g+s mt.pl
> ls -l mt.pl
-rwxr-sr-x  1 shelleyp  shelleyp  1939 Apr 28 22:55 mt.pl

You can use the chgrp command to change a file's group.

> chgrp wheel mt.pl
> ls -l mt.pl
-rwxr-xr-x  1 shelleyp  wheel  1939 Apr 28 22:55 mt.pl

However, you must own the file, and you must also be a member of the file's new group.

If you've reset directory mode bits, it's possible to wind up with ls -l permissions that have an uppercase S, like drwxr-S. What's that? (It's often a mistake.) The directory's setgid bit is set, but the execute bit isn't set. If you want the directory to be group-accessible, add execute permission with chmod g+x. Otherwise, you may want to clear the setgid bit with chmod g-s.

--JP, SP
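
The two checks this section describes, as an added example that is not from the book: an audit that finds setgid directories and flags the uppercase-S case, and the create-an-empty-file probe that shows which group-ownership rule applies. The function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the book. Function names are hypothetical.

# Numeric group ID of a file or directory (field 4 of "ls -ldn").
gid_of() {
    ls -ldn "$1" | awk '{print $4}'
}

# Report every setgid directory under $1. "capital-S" marks the case
# ls -l shows as an uppercase S: setgid (02000) set, group execute (0010) clear.
audit_setgid_dirs() {
    find "$1" -type d -perm -2000 -perm -0010 -exec echo ok {} \;
    find "$1" -type d -perm -2000 ! -perm -0010 -exec echo capital-S {} \;
}

# Create an empty file in directory $1 and report which rule chose its group:
# "directory" (rule 2), "process" (rule 1), or "ambiguous" when the
# directory's group and the effective GID are the same and cannot be told apart.
probe_group_rule() {
    probe="$1/.grp-probe.$$"
    : > "$probe" || return 1
    file_gid=$(gid_of "$probe"); dir_gid=$(gid_of "$1"); egid=$(id -g)
    rm -f "$probe"
    if [ "$dir_gid" = "$egid" ]; then echo ambiguous
    elif [ "$file_gid" = "$dir_gid" ]; then echo directory
    elif [ "$file_gid" = "$egid" ]; then echo process
    else echo unknown
    fi
}

# Constructed sample tree: one usable setgid directory, one with the
# uppercase-S mistake, one without setgid. Prints the tree's path.
make_sample_tree() {
    t=$(mktemp -d) && chmod g-s "$t" || return 1
    mkdir "$t/shared" "$t/broken" "$t/plain"
    chmod 750 "$t/shared" "$t/plain" && chmod g+s "$t/shared"
    chmod 740 "$t/broken" && chmod g+s "$t/broken"
    echo "$t"
}

tree=$(make_sample_tree)
audit_setgid_dirs "$tree"
probe_group_rule "$tree/shared"
rm -rf "$tree"
```

To get a "directory" or "process" answer from the probe, run it in a directory whose group differs from your primary group.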




Copyright © 2003 O'Reilly & Associates. All rights reserved.