SSH: Allowing multiple users to edit the same files and directories (shared folders)

Often multiple users will need to have access to edit, delete and create files and folders on a server. To illustrate this we will use the example of two users who need access to the same files on a Web server.

/var/www/website is the directory both users need access to. bob and liz are the users that require access.

Note: these commands need to be run as the root user, either by running su at the command line, followed by the root password or by typing sudo before each command.

Start by creating the shared directory. Copy and paste the following to the command line:

mkdir -p /var/www/website

Create a user group that will have access to the directory created earlier. Copy and paste the following to the command line (do the same with all the following commands):

groupadd webadmin

Create the users (skip this if you have already created them):

useradd -mG webadmin --shell /bin/bash bob
passwd bob

This also adds the user to the webadmin group. Now add the liz user:

useradd -mG webadmin --shell /bin/bash liz
passwd liz

Change the permissions of the directory. The first command below makes webadmin the directory’s group, the second allows the webadmin group to add, edit and delete files, while the third command ensures new files and directories are created with the webadmin group.

chgrp -R webadmin /var/www/website
chmod 775 /var/www/website
chmod -R g+s /var/www/website

This grants enough access that bob and liz may create files and directories in the shared area. They may also edit and delete, but only files and directories created by them.

Editing and deletion of files and directories created by other users

This part of the article has security implications, but it is possible to check whether the server setup makes it safe to proceed; copy and paste the following to the command line:

id -gn bob

This should output: bob, which is the user’s primary group. If the primary group is the same as the user’s name it is safe to proceed. If it is not the same, check with your distribution’s documentation and support (forums, mailing lists, IRC, etc.)

So far this article has covered a shared directory where users can only create and edit their own files, usually a shared directory means users are able to delete and edit any file or directory.

umask changes the default permissions of new files and directories, this makes the directory shared since every new file and directory will be group writable. Change the umask:

echo "session optional umask=002" >> /etc/pam.d/common-session

umask=002 means new directories will be created with 775 and files with 664 permissions (that is, the file’s owner and group have read/write/execute, others have only read, permissions).

Unfortunately there are many places where the umask may already be set, the following command checks them and deletes any lines starting with umask:

ls {/etc/{profile,login.defs,bashrc},/home/{bob,liz}/{.profile,.bash*},/etc/skel/*} | xargs -I '{}' sed -i '/^umask/Id' {}

When running this command, errors like: ls: cannot access /etc/bashrc: No such file or directory can be ignored. The various GNU/Linux flavours have different settings files and this command is meant to work with as many of them as possible.

Ubuntu — and other sudo — users

Putting sudo in front of the previous two commands will fail, if you run Ubuntu (or another GNU/Linux flavour that uses sudo) run them as follows:

sudo sh -c 'echo "session optional umask=002" >> /etc/pam.d/common-session'
ls {/etc/{profile,login.defs,bashrc},/home/{bob,liz}/{.profile,.bash*},/etc/skel/*} | xargs -I '{}' sudo sed -i '/^umask/Id' {}

Test the shared directory

Log in as bob, then copy and paste the following to the command line:

cd /var/www/website
touch testfile
ls -lah

This should produce output similar to the following:

bob@server:/var/www/website$ ls -lah
total 8.0K
drwxrwsr-x 2 root webadmin 4.0K 2010-11-15 15:35 .
drwxr-xr-x 3 root root     4.0K 2010-11-07 21:28 ..
-rw-rw-r-- 1 bob  webadmin    0 2010-11-15 15:35 testfile

Notice the permissions on testfile: -rw-rw-r-- 1 bob webadmin, it is group writable and the file’s group is webadmin, meaning liz — or anyone else in the group — is allowed to edit or delete it.


About the Author

Liam McDermott is the technical bod at The Webmaster Forums. He also writes articles and loves dallying with Drupal. His business site is InterMedia.