[lug] Permissions: Guard Directories but allow File changes

Lee Woodworth blug-mail at duboulder.com
Tue Feb 3 12:15:28 MST 2009

Gordon Golding wrote:
> I have a big directory tree - too big to play with by hand.
> I have someone (an OTHER person) who I want to be able to change files in every sub-/directory, but I want to protect the directories themselves.
> So I want the directories to be safe:????????? rwxrwxr-x
> But I want the files to be changeable:??????? rwxrwxrw-

Not exactly clear on what you are asking.

If you want commands to set these permissions:

    find /root/path -type d -print0 | xargs -0 chmod 775
    find /root/path -type f -print0 | xargs -0 chmod 666
    find /root/path -type f -name '*.sh' -print0 | xargs -0 chmod +x

    The first command sets the permissions of all the directories to rwxrwxr-x. The -print0
    and -0 options are to handle names with spaces. The second command sets the perms
    on real files (not symlinks) to rw-rw-rw (not setting x on the files - not needed
    unless they are executables). The third command adds executable permissions to
    .sh files

    The result of this is that anyone can modify the files in the directory tree,
    but they can't rename or change permissions on files, or create/delete files
    or directories in the tree.

If what you are asking is what permissions to set to accomplish your goal:

    Create a user group that your account and other other person's account are members of
    do these commands as root:
       groupadd shareddirgrp
       usermod -G<existing groups>,shareddirgrp <youraccount>
       usermod -G<existing groups>,shareddirgrp <otheraccount>
       chgrp -R sharedgrpdir /root/path
    (to see what groups an account is already part of, as root:
       id <youraccount>
       id <otheraccount>)

    Then change the permissions in the commands above to 750, 660, ug+x
    This sets things so that world can't see in the directories or the files, but the
    members of shareddirgrp can read but not modify the dirs, and can modify files in
    the directory tree.

    The other account will need to relogin (should do an id command to verify groups)


More information about the LUG mailing list