Use setgid to allow 2 users to edit all files in a directory

published Dec 19, 2019 12:50   by admin ( last modified Jan 8, 2020 11:23 )

Linux: The setgid bit on a directory controls the group ownership of files and directories created inside it: they inherit the directory's group instead of the creating user's primary group, and new subdirectories inherit the setgid bit as well. Let's say you have two users on a development machine, foo and bar. You want user foo to handle the GUI (such as X), git commits, pulls and pushes, but you want user bar to be the one that runs the code. User bar is not used for anything else and it does not matter if user foo can read all of bar's files.

This division gives a bit of protection against running malicious code: whatever that code does as bar, it cannot touch foo's own files, as long as user bar itself has nothing worth reading or executing. Bear in mind though that a shell as any local user is a foothold for local privilege escalation, so how much this buys you depends on the rest of the setup.

Now, for a directory inside user bar's home directory, make sure its group is bar (it probably already is):

sudo chown bar:bar adirectory

Now set the permissions of the directory to 2770:

sudo chmod 2770 adirectory

Now make sure user foo is also a member of group bar. Group membership is picked up at login, so foo has to start a new session for it to take effect; shells that are already open keep the old group list.

Now files created by user foo or user bar in that directory get group bar instead of the creator's primary group, so they are editable by the other user too. The leading "2" in 2770 is the setgid bit; the 770 grants read, write and execute to the owner and to group bar, and nothing to anyone else. Note that setgid only affects files created from now on: anything that was already in the directory keeps its old group and mode and has to be fixed by hand with chgrp and chmod.

Nota bene that this only works if the users have a generous umask, such as 002. If e.g. user foo has umask 022 then the files and directories foo creates get mode 644 and 755: they carry group bar, but bar can only read them, not write them. One way around this is to use umask 002 for user foo when working in the directory, for example from a shell in which umask 002 has been set.
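The whole procedure, including the umask pitfall and the retro-fit of files that were created with the wrong umask, can be exercised without root. The script below is an added example, not part of the original post: it uses a scratch directory owned by the current user's primary group in place of bar's directory and group bar (setting the setgid bit on a directory you own needs no privilege), so the step of adding foo to group bar, which has to be done as root (for instance with usermod -aG bar foo) and only takes effect at foo's next login, stays outside it. The helper names (make_shared_dir, create_file, fix_existing and so on) are this example's own, and it relies on the Linux stat -c format, so it is not portable to BSD or macOS.

```shell
#!/bin/sh
# Added example (not from the original post): exercise a setgid shared
# directory as an unprivileged user. The current user's primary group stands
# in for group "bar"; the helper names below are this example's own choices.
set -eu

# Octal permission bits of a path, e.g. "2770" or "664" (Linux stat -c).
mode_of() {
    stat -c '%a' "$1"
}

# Numeric group id of a path.
gid_of() {
    stat -c '%g' "$1"
}

# Create a scratch directory with mode 2770 and print its path.
make_shared_dir() {
    d=$(mktemp -d)
    chmod 2770 "$d"   # 2 = setgid bit; 770 = rwx for owner and group, nothing for others
    printf '%s\n' "$d"
}

# Create file $2 inside directory $1 under umask $3 (in a subshell, so the
# caller's own umask is untouched) and print the mode the file ended up with.
create_file() {
    ( umask "$3"; : > "$1/$2" )
    mode_of "$1/$2"
}

# Same for a subdirectory: shows that the setgid bit itself is inherited.
create_subdir() {
    ( umask "$3"; mkdir "$1/$2" )
    mode_of "$1/$2"
}

# Retro-fit content that predates the setgid bit or was created with a stingy
# umask: setgid only affects new files, so existing ones are fixed by hand.
fix_existing() {
    dir=$1
    chgrp -R "$(gid_of "$dir")" "$dir"       # same group as the shared directory
    chmod -R g+rwX "$dir"                    # X: execute bit only on dirs and already-executable files
    find "$dir" -type d -exec chmod g+s {} + # setgid on every subdirectory, old and new
}

# Walk through the scenario and print what each step produced.
demo() {
    SHARED=$(make_shared_dir)
    echo "shared dir:          $(mode_of "$SHARED")"                        # 2770
    echo "file, umask 002:     $(create_file "$SHARED" ok.txt 002)"         # 664: group can write
    echo "file, umask 022:     $(create_file "$SHARED" ro.txt 022)"         # 644: group can only read
    echo "subdir, umask 002:   $(create_subdir "$SHARED" sub 002)"          # 2775: setgid inherited
    if [ "$(gid_of "$SHARED/ok.txt")" = "$(gid_of "$SHARED")" ]; then
        echo "group inherited:     yes"
    else
        echo "group inherited:     no"
    fi
    fix_existing "$SHARED"
    echo "ro.txt after fix:    $(mode_of "$SHARED/ro.txt")"                 # 664
    rm -rf "$SHARED"
}

demo
```

With umask 002 the file comes out as 664 and the subdirectory as 2775, so the other group member can edit both; with umask 022 the same file is 644 and stays read-only for the group until fix_existing adds the group write bit back. The chgrp in fix_existing uses the numeric gid of the shared directory rather than a hard-coded name so the script works whatever the primary group is called; on the real machine it would be group bar.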