
Using Octal Permissions to Set up a Collaboration Area

Hands-On Lab


Rob Marti, Linux Training Architect I in Content

Length: 00:15:00

Difficulty: Beginner

In a multi-user environment like Linux, there will come a need to have a specific area set aside for different users to collaborate. This lab walks through the process and makes sure you understand how different permissions work together.


The Scenario

Adam, Bob, and Sally are managers who all have access to our server. They need a directory that all of them can access, read files from, and write files into. Bob has created a directory named /opt/collab for them to use, but isn't sure how to give Adam and Sally permission without also giving Will (not a manager) permission. We've been tasked with setting up this area and ensuring that files written there can be read by all three managers.

Logging In

Use the credentials provided on the hands-on lab overview page, and log in as cloud_user.

Ensure /opt/collab Can Be Accessed by the Other Managers but Not Will

The first thing we need to do is make sure Bob, Adam, and Sally are all members of the same group. This will let us use the group digit of the octal permissions to grant access.

If we run id bob, id adam, and id sally, we'll see that they're all members of the managers group.

Now let's become Bob for a bit:

[cloud_user@Server1 ]$ sudo su - bob

We can change the ownership of this directory, and then check:

[bob@Server1 ]$ chown bob:managers /opt/collab
[bob@Server1 ]$ ls -ld /opt/collab

Now the group that owns it is managers. Let's change permissions and lock it down to just Bob and the managers group, then check our work again. Mode 770 gives the owner and the group read, write, and execute, and gives everyone else nothing:

[bob@Server1 ]$ chmod 770 /opt/collab
[bob@Server1 ]$ ls -ld /opt/collab

Ensure Files Written Can Be Read by All Users

We're going to become each of the users, bob, adam, and sally, and touch a file in /opt/collab. Then we'll try to cat all of those files as each user.

We're already bob, so just run this and exit from Bob's shell:

[bob@Server1 ]$ touch /opt/collab/bob
[bob@Server1 ]$ exit

Now become the adam user, and repeat:

[cloud_user@Server1 ]$ sudo su - adam
[adam@Server1 ]$ touch /opt/collab/adam
[adam@Server1 ]$ exit

And finally, do it all again as sally:

[cloud_user@Server1 ]$ sudo su - sally
[sally@Server1 ]$ touch /opt/collab/sally

Now let's try to read those files. We're still sally here:

[sally@Server1 ]$ cat /opt/collab/*

We got an error about the adam file. Let's look at why.

[sally@Server1 ]$ ls -l /opt/collab

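We can see the permissions on adam's file are 600, so his user can access the file but the other managers can't. His umask is off: a umask removes permission bits from newly created files, and his is stripping read and write from both group and others. Let's become adam: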

[sally@Server1 ]$ exit
[cloud_user@Server1 ]$ sudo su - adam

The umask is set in ~/.bash_profile, so we've got to edit that:

[adam@Server1 ]$ vim .bash_profile

Delete the line that says this:

umask 066

Log out of the adam account, then back in:

[adam@Server1 ]$ exit
[cloud_user@Server1 ]$ sudo su - adam

If we run a quick umask command, we'll see that it's 0002, so new files will be created with mode 664. Now let's delete and recreate the adam file:

[adam@Server1 ]$ rm /opt/collab/adam
[adam@Server1 ]$ touch /opt/collab/adam

Now we've got to run our cat test again, but as everyone:

[adam@Server1 ]$ cat /opt/collab/*
[adam@Server1 ]$ exit
[cloud_user@Server1 ]$ sudo su - sally
[sally@Server1 ]$ cat /opt/collab/*
[sally@Server1 ]$ exit
[cloud_user@Server1 ]$ sudo su - bob
[bob@Server1 ]$ cat /opt/collab/*
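
The umask fix above, as an added example that is not part of the original lab: the script shows the file mode each umask produces and lists the files in a directory that only their owner can read. The function names and the temporary directory standing in for /opt/collab are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not part of the lab): shows how the umask decides the mode
# of a new file, then finds owner-only files in a shared directory.
# Every path is a throwaway temp directory constructed for the demo.

# Print the octal mode a freshly touched file gets under umask $1.
# touch requests 666; the bits set in the umask are cleared from that.
mode_for_umask() (
    tmp=$(mktemp -d) || exit 1
    # The function body is a subshell, so the umask change stays inside it.
    umask "$1" && touch "$tmp/probe" || { rm -rf "$tmp"; exit 1; }
    # GNU stat first, BSD stat as a fallback.
    stat -c '%a' "$tmp/probe" 2>/dev/null || stat -f '%Lp' "$tmp/probe"
    rm -rf "$tmp"
)

# List regular files directly inside directory $1 that have neither the
# group-read nor the other-read bit, like the 600 file adam created.
owner_only_files() {
    find "$1" -maxdepth 1 -type f ! -perm -040 ! -perm -004 \
        -exec basename {} \; | sort
}

# Rebuild the lab's state in a constructed stand-in for /opt/collab:
# bob and sally create files with umask 002, adam with umask 066.
demo() (
    dir=$(mktemp -d) || exit 1
    chmod 770 "$dir"
    ( umask 002 && touch "$dir/bob" "$dir/sally" )
    ( umask 066 && touch "$dir/adam" )
    owner_only_files "$dir"
    rm -rf "$dir"
)

for m in 066 002; do
    echo "umask $m -> new file mode $(mode_for_umask "$m")"
done
echo "owner-only files: $(demo)"
```

Pointing owner_only_files at a real shared directory gives a quick check for files that will fail the cat test before anyone runs it.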

Conclusion

We're done. Everybody in the managers group, and only everybody in the managers group, can read everything in /opt/collab. Congratulations!