This is one of the major limitations of the standard Unix file permissions system. The only way I know of to achieve this using just one directory is to use ACLs (access control lists, see
man getfacl/
setfacl), but unfortunately these are not supported by all filesystems, or by all OS's and/or utilities... e.g. some backup software will not back them up.
This is unfortunate because they are very useful for some other things, such as setting default permissions on files and subdirectories created in the directory.
One other option you have is to use a structure like this:
Code:
drwxr-x--- user1 group2 topdir
drwxrwsr-x user1 group1 subdir
-rw-r--r-- user1 group1 files
Then ensure that all members in group1 are also in group2 (but not the reverse, i.e. group2 is a superset of group1). That way a user in group2 can descend to the
/topdir/subdir directory, wherein they effectively have read-only rights by virtue of the "other" attributes. Users in group1 can descend into that directory too because they are also members of group2, and can modify the files because of their group write access. Users in neither group can't even enter the
/topdir so they can't access the files at all.
You'll notice I have set the setgid bit on the subdir - this ensures all files in that directory are created with group1 ownership. You may also need to consider setting appropriate umasks for the process(es) that create files in this directory so that they are created as 664 instead of 644, i.e. umask
002.
More UNIX and Linux Forum Topics You Might Find Helpful
Powered by 
01-07-2009
Hybrid Mode
