
So, scenario for demonstrative purposes:

 

I have a program that downloads files off the internet (sabnzbd), and a second and third (couchpotato and sonarr, if you're interested) that also need to interact with the files it downloads.

 

For security I've set each program to run under its own account. I come from a Windows background so that makes sense to me. Is that how I should be doing it?

 

Now, I don't want to grant access to 'other' because then anyone can access these files. But my understanding is that for each file if the owner or group is set to its own group, or a group it's a member of then it should hold all access rights of that group, but this isn't happening.

 

e.g. sabnzbd is a member of couchpotato and sonarr, but if the permissions for the file are sonarr:sonarr (770) and sabnzbd tries to amend the file I get a permissions error.

 

Can someone 1) please address my misunderstanding of how groups work, and/or point me to some guide/documentation, 2) tell me how I best implement security if what I'm trying is not correct.

 

note: Even if groups did work as I'd expected them to this would undermine the point of having groups since they would all have equivalent access. Is that right?

 

I've read about ACL but I'd prefer not to mess around with that if it's not necessary.

https://linustechtips.com/topic/785665-how-do-groups-work-for-controlling-access/

I'm not sure this explanation of my understanding will help but running a FreeNAS file server:

Let's say we have 3 users, jenn, gary, & sara. All of them are members of the user group.

Jenn wants the files in her folders to be private so she sets the folder permissions as 700 (rwx------) so only she can read/write/execute files in that folder.

If gary or sara try to access that folder it will say permission denied. If sara sets the permissions to 740 (rwxr-----) gary & sara will be able to enter the folder and view the contents but they won't be able to alter or manipulate files in the directory if permissions are set recursively (don't quote me on this I'm probably saying something wrong but I'm pretty sure I'm on the right track.)

The group permissions allow certain privileges to be applied to users, which allows or denies access to files and folders of a different user in the same group.

 

When someone is a member of more than one group I'm not entirely sure how permissions work but I believe one group is selected as the primary and that primary group's permissions overtake the permissions of secondary or tertiary groups.


19 hours ago, Windows7ge said:

... permissions are set recursively (don't quote me on this I'm probably saying something wrong but I'm pretty sure I'm on the right track.)

When someone is a member of more than one group I'm not entirely sure how permissions work but I believe one group is selected as the primary and that primary group's permissions overtake the permissions of secondary or tertiary groups.

 

There's more to it than that. There's umasks and sticky bits etc. Thanks for responding, but I still need help...

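An added example, not written by anyone in the thread: a small model of the classic Unix mode-bit check behind the sonarr:sonarr (770) question. The uid/gid numbers and the `Proc`/`Inode` names are constructed for illustration; root's override and ACLs are deliberately not modelled.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Proc:
    uid: int
    gid: int                          # primary group
    groups: frozenset = frozenset()   # supplementary groups the *process* holds

@dataclass(frozen=True)
class Inode:
    uid: int
    gid: int
    mode: int                         # permission bits, e.g. 0o770

def granted(proc, inode):
    """Return the rwx bits (0-7) that apply. Exactly one class is consulted:
    owner, else group (primary or supplementary), else other. No fall-through."""
    if proc.uid == inode.uid:
        return (inode.mode >> 6) & 7
    if inode.gid == proc.gid or inode.gid in proc.groups:
        return (inode.mode >> 3) & 7
    return inode.mode & 7

def can_write(proc, dirs, file):
    """Writing an existing file needs search (x) on every directory in the
    path and write (w) on the file itself."""
    return all(granted(proc, d) & 1 for d in dirs) and bool(granted(proc, file) & 2)

# Constructed ids standing in for the accounts in the thread.
SAB, SONARR, COUCH = 1001, 1002, 1003
target = Inode(SONARR, SONARR, 0o770)            # sonarr:sonarr, mode 770

def demo():
    member = Proc(SAB, SAB, frozenset({SONARR, COUCH}))
    stale = Proc(SAB, SAB)                       # started before group membership was added
    open_dir = Inode(SONARR, SONARR, 0o770)
    closed_dir = Inode(SONARR, SONARR, 0o700)    # parent directory without group access
    return {
        "member": can_write(member, [open_dir], target),
        "stale_process": can_write(stale, [open_dir], target),
        "closed_parent": can_write(member, [closed_dir], target),
        # Owner class wins even when it grants less than the group class.
        "owner_bits_on_070": granted(Proc(SONARR, SONARR), Inode(SONARR, SONARR, 0o070)),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

A process's group list is fixed when it starts, so on a live system compare `id sabnzbd` with the `Groups:` line in `/proc/<pid>/status` for the running daemon.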
