Configure a shared folder in linux¶
The goal of this tutorial is to show how to set up a shared folder for all users. Users must be able to access data inside this folder (read write and execute by default) without the owner of the data changing the acl manually.
The command such as
cp, mvconserve the origin ACL of the data, so even the default ACL of the shared folder allows all users to access the data, but if the data is created in another folder and copied in the shared folder, by default the data conserves the origin ACL. As a result, the data may not be accessible
The idea is :
1. create a shared folder called /home/common
2. set default ACL to o::rwx (give others read, write rights.)
3. set up a systemd to auto change ACL, when copy or move data to the shared folder
1. Create the shared folder¶
# the owner and group will be root:root
sudo mkdir /home/common
2. Setup default ACL for the shared folder¶
Run the below command to install the required packages
# install required packages
sudo apt update
sudo apt install inotify-tools acl -y
- acl: offers more options than basic chmod
- inotify-tools: overwatch a folder, when a waiting event happens, it can trigger target actions
Configure default ACL
# by default we grant full access for others. For the owner and group, the origin ACL will be conserved.
sudo setfacl -d -m o::rwx /home/common
After this step, all files and folders created in the shared folder will inherit the default ACL
3. Configure a systemd daemon to auto update ACL¶
3.1 Create the daemon script¶
Create the daemon script in /usr/local/bin
# choose your favorite editor
sudo vim /usr/local/bin/update_acl.sh
Copy the below script in the file
#!/bin/bash
# the dir which the daemon will watch
WATCH_DIR="/home/common"
# the ACL will be enforced by the daemon
ACL_PERMISSIONS="o::rwx"
inotifywait -m -r -e close_write,moved_to,create "$WATCH_DIR" --format "%w%f" |
while read NEWITEM; do
# check if the new coming item is a directory or a file
if [ -d "$NEWITEM" ]; then
echo "Fixing ACL for new directory: $NEWITEM"
# -R means recursively update the ACL of the new directory.
setfacl -R -m "$ACL_PERMISSIONS" "$NEWITEM"
# -d sets default ACL so future files in the new directory inherit correct permissions.
setfacl -d -m "$ACL_PERMISSIONS" "$NEWITEM"
else
echo "Fixing ACL for new file: $NEWITEM"
setfacl -m "$ACL_PERMISSIONS" "$NEWITEM"
fi
done
make the script executable
sudo chmod +x /usr/local/bin/update_acl.sh
3.2 Create the systemd daemon launcher for update_acl.sh¶
The systemd daemon launcher must be located at /etc/systemd/system/. By convention, we name it as update_acl.service
Open the file with your favorite editor
sudo vim /etc/systemd/system/update_acl.service
Copy the below lines in the file
[Unit]
Description=Update ACLs for date copied to shared directory
After=network.target
[Service]
ExecStart=/usr/local/bin/update_acl.sh
Restart=always
User=root
[Install]
WantedBy=multi-user.target
3.3 Enable the systemd daemon¶
# reload the daemon list from the repository
sudo systemctl daemon-reload
# enable the service for startup
sudo systemctl enable update_acl.service
# start the service
sudo systemctl start update_acl.service
# check the satus
sudo systemctl status update_acl.service
# stop the service
sudo systemctl stop update_acl.service
4. Test the solution¶
After the above steps, you need to login to the server with two different users: - user1 - user2
user1 actions
# create a file in his home
touch ~/test1.txt
# set the acl to owner only,
chmod 0700 ~/test.txt
# copy the file to the /home/common
cp ~/test.txt /home/common
# create a file directly in the shared folder
cd /home/common
# create a file
touch test2.txt
user2 actions
# go to the share folder
cd /home/common
# list the existing files
ls -lah
# show the content of test1 and test2
cat test1.txt
cat test2.txt
If user2 can show the content, it means the daemon works well. If user2 see permission deny, it means something went wrong.
Call admin linux