
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

2 votes
2 answers
4730 views
Samba shared folder with setgid problem
I am setting up a file server with a shared directory. Inside, there are per-user folders that are readable by any user and a shared directory that is readable and writeable by any user. The per-user folders are simple enough. However, I am having some issues with the shared folder. I performed the standard procedure for making a set GID folder:
# chown root shared
# chmod -R ug+rwX shared
# chgrp -R users shared
# find shared -type d -exec chmod g+s "{}" \;
# find shared -type d -exec setfacl -m "default:group::rwx" "{}" \;
After ensuring all users are in the 'users' group, this works perfectly via direct console login, ssh, rsync, etc. However, there are some issues with samba. With the default samba config, the SGID bit and GID are propagated, but new files and folders do not have the group write bit set. This appears to be because the ACL is being ignored. According to Samba Ignoring POSIX ACLs, the solution is to add vfs objects = acl_xattr to smb.conf. When I set that, the group write permission is correctly set. However, the group is then set to the user's primary group instead of the group of the parent directory, which rather defeats the purpose of the set GID bit. I tried the other smb.conf adjustments noted in the link (map acl inherit = yes, store dos attributes = yes, and inherit acls = yes), but these had no effect. What's the proper way to make this work?
alex.forencich (735 rep)
Dec 15, 2017, 02:50 AM • Last activity: Aug 6, 2025, 10:09 PM
2 votes
1 answer
5016 views
What does "is set-group-ID on execution - ignored" mean, and why am I unable to uncompress a file because of it?
I'm trying to uncompress a file using
gunzip GCF_000746645.1_ASM74664v1_genomic.fna.gz
... but I get the following error:
gzip: GCF_000746645.1_ASM74664v1_genomic.fna.gz is set-group-ID on execution - ignored
I've learned that "set-group-ID on execution" refers to something related to permissions on the server, but I'm not entirely sure how so and what I should do.
user452473 (21 rep)
Jan 23, 2021, 12:14 AM • Last activity: May 29, 2025, 08:07 AM
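gzip deliberately refuses to replace, in place, a file that carries the set-user-ID or set-group-ID bit; the message above is that refusal, and the bit is on the .gz file itself, not on any server-side setting. As an added example (written for this page, not taken from the question or from gzip's documentation), the script below reproduces the refusal on a constructed file and shows that clearing the bit is what lets gunzip proceed. It assumes GNU gzip and GNU coreutils stat/chmod.

```shell
#!/bin/sh
# Added example: reproduce gzip's "is set-group-ID on execution - ignored"
# refusal on a constructed .gz file, then clear the bit and decompress.
set -eu

# Permission bits of a path as octal digits (GNU stat assumed).
mode_of() { stat -c '%a' "$1"; }

# Build a small compressed file and hand it the setgid bit, the way a
# mode-preserving copy from an oddly configured server might.  Prints the .gz path.
make_setgid_gz() {
    work=$(mktemp -d)
    printf '>seq1 constructed sample\nACGTACGT\n' > "$work/sample.fna"
    gzip "$work/sample.fna"
    chmod g+s "$work/sample.fna.gz"
    printf '%s\n' "$work/sample.fna.gz"
}

# Try an in-place gunzip.  gzip refuses to replace a set-user-ID or
# set-group-ID file, leaves the .gz untouched and exits non-zero, so we
# report on the filesystem state rather than trusting the exit code.
gunzip_inplace() {
    gz=$1
    gunzip "$gz" 2>/dev/null || true
    if [ -e "$gz" ]; then echo refused; else echo ok; fi
}

# The fix: drop only the special bit (the rest of the mode stays as it was),
# then decompress normally.
strip_setgid_and_gunzip() {
    gz=$1
    chmod g-s "$gz"
    gunzip_inplace "$gz"
}

gz=$(make_setgid_gz)
echo "mode before: $(mode_of "$gz")"          # the leading digit 2 is the setgid bit
echo "first attempt: $(gunzip_inplace "$gz")"
echo "after chmod g-s: $(strip_setgid_and_gunzip "$gz")"
echo "mode of result: $(mode_of "${gz%.gz}")"
```

For a directory full of such files, `find . -name '*.gz' -perm /6000 -exec chmod ug-s {} +` clears the bits in one pass before decompressing.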
0 votes
2 answers
1657 views
stickybits setgid not working
I have structure like:
/home/reed/, user=reed, group=reed
  - apache-conf, user=reed, group=reed
  - apache-web, user=reed, group=apache, perm=0770
      - www.website.com, user=reed, group=apache, perm=0770
          - index.php, user=reed, group=apache, perm=0660
I'm using umask 007 in /etc/profile so my directories & files are created with these same permissions, & that worked. I ran
chmod g+s /home/reed/apache-web
chmod g+s /home/reed/apache-web/www.website.com
so new directories will keep the group=apache. So I mkdir /home/reed/apache-web/test/, then ls -la ... & it shows reed is both the user & the group. I tried using chmod 4770 /home/reed/apache-web/test/, but mkdir still sets both user & group to reed (or root if I'm running with sudo). I tried it in the www.website.com dir as well with the same results. I'm on Debian 10 with root access available. I also tried switching to user=apache & group=reed, then using chmod u+s thedir, but again, mkdir makes both the user & the group the current shell user. I also tried logging out & logging back in.
Reed (141 rep)
Aug 25, 2020, 09:03 PM • Last activity: Sep 2, 2024, 02:43 PM
0 votes
3 answers
82 views
Keeping owners in a folder copy
I'm trying to copy a folder (SRC) containing some files and subfolders. The content and SRC itself have the setgid bit enabled (that is, the s in place of the x in the group triplet). Furthermore, the group of the whole content is srcgrp while the files have different owners (let's say me, she and they). Now, I want to copy the whole folder (SRC included) into another folder (let's say /mnt/d/SRC to /home/dog/data/SRC). The problem is as follows: when I run
cp -Rp /mnt/d/SRC /home/dog/data/SRC
the folder is copied to /home/dog/data/SRC, but the owner of all the contents becomes me, even if I run chmod g-s /home/dog/data beforehand. I'd like to keep the owners of the source files. How can I achieve that? Thank you.
user9952796 (81 rep)
May 6, 2024, 08:02 AM • Last activity: May 6, 2024, 02:18 PM
0 votes
0 answers
31 views
Set group and mod of a new directory
I am trying to set, for newly created files/directories in /home/test:
1) the group to "test"
2) the permissions to 770
This works for the group (1):
chown :test /home/test
chmod g+s /home/test
But I do not get it to work for the permissions (2). I want to attach this behaviour to the directory /home/test and not to a user setting (umask).
chris01 (869 rep)
Jan 2, 2024, 09:51 AM • Last activity: Jan 2, 2024, 10:28 AM
0 votes
1 answer
945 views
How to set different file and directory default permissions with or without ACL within a shared directory with `setgid` and `sticky bit` set?
I have searched over multiple SE sites, though there doesn't seem to be an answer to this question. Using the setgid bit allows retaining the parent group, and the sticky bit for ownership, though this doesn't help with permissions. ACL on the other hand sets the same permissions for both files and directories created within a given shared directory. Assume a shared dir (/path/to/shared) with permissions 3775 and ownership root:shared-group. How do I set default permissions on this shared dir such that newly created files have permissions set to 644, whereas newly created directories have permissions set to 775? In a nutshell, newly created files should be group readable but directories group writable. Using ACL with group permissions set to rwX makes even files group writable. There are answers that are similar, but not quite:
https://unix.stackexchange.com/questions/98712/acl-defaults-files-vs-directories
https://unix.stackexchange.com/questions/115631/getting-new-files-to-inherit-group-permissions-on-linux
https://stackoverflow.com/questions/580584/setting-default-permissions-for-newly-created-files-and-sub-directories-under-a
https://unix.stackexchange.com/questions/71743/using-setfacl-to-allow-group-members-to-write-to-any-file-in-a-directory
Is this even feasible?
Darkfish (101 rep)
Jun 30, 2020, 09:45 AM • Last activity: Oct 11, 2023, 11:19 PM
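The two ACL questions on this page (the Samba one above, where the group-write bit went missing, and this one, which wants 644 files next to 775 directories) both come down to what a default ACL actually feeds into the create path. As an added example (written for this page, not taken from either post), the script below puts a default ACL on a setgid shared directory and records what new files and directories receive, including under a restrictive umask. It assumes GNU coreutils and the acl package's setfacl on a filesystem with POSIX ACL support, and reports "skip" when setfacl is missing or ACLs are unusable.

```shell
#!/bin/sh
# Added example: what a default ACL does to new files vs new directories
# inside a setgid shared directory, and why the umask stops mattering.
set -eu

mode_of() { stat -c '%a' "$1"; }

# Make a shared directory like the one in the question (3775 = setgid + sticky,
# group-writable) and give it a default ACL asking for u::rwx,g::rwx,o::r-x on
# everything created below it.  Prints the path, or "skip" if ACLs are unusable.
make_acl_shared_dir() {
    command -v setfacl >/dev/null 2>&1 || { echo skip; return 0; }
    d=$(mktemp -d)
    chmod 3775 "$d"
    if ! setfacl -d -m u::rwx,g::rwx,o::r-x "$d" 2>/dev/null; then
        echo skip; return 0
    fi
    printf '%s\n' "$d"
}

# Create one file and one subdirectory under umask $2 and report their modes
# as "file=NNN dir=NNNN".  With a default ACL in force the kernel intersects
# the ACL with the create mode and ignores the umask, so $2 changes nothing.
# The file still lacks x because creat(2) asks for 0666; the directory gets x
# because mkdir(2) asks for 0777, and it inherits the setgid bit on top.
create_under_acl() {
    shared=$1; um=$2
    [ "$shared" = skip ] && { echo skip; return 0; }
    ( umask "$um"; : > "$shared/file-$um"; mkdir "$shared/dir-$um" )
    printf 'file=%s dir=%s\n' "$(mode_of "$shared/file-$um")" "$(mode_of "$shared/dir-$um")"
}

# The question asks for 644 files and 775 directories at creation time.  A
# default ACL cannot express that: one g:: entry feeds both kinds, and the
# only per-type difference is the x bit coming from the create mode.  What
# is left is a post-creation fixup like this, or having the creating program
# choose its own mode.
fixup_files_readonly_for_group() {
    shared=$1
    [ "$shared" = skip ] && return 0
    find "$shared" -type f -exec chmod g-w,o-w {} +
}

shared=$(make_acl_shared_dir)
echo "umask 022: $(create_under_acl "$shared" 022)"
echo "umask 077: $(create_under_acl "$shared" 077)"
fixup_files_readonly_for_group "$shared"
[ "$shared" = skip ] || echo "after fixup: $(mode_of "$shared/file-077")"
```

Because the default ACL here has only the three base entries, the new objects get no extended ACL of their own: the ACL collapses into plain mode bits, which is why the umask 077 run still produces a group-readable, group-writable file.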
0 votes
1 answer
744 views
Inherit ownership and permissions to directories and files
I have a directory test with the owner user:group and 770 as permissions. I want every directory and file within test to have the same specifications. I tried chmod g+s,u+s test, which partially worked: directories within that folder do inherit the ownership and permissions, but files only the owners, not the permissions. I also tried chmod g+t test, which was a total failure. How can I achieve the desired result? Edit: the administrator does not allow installing ACL, and umask does not work, since the files won't be generated from a CLI.
Timo Treichel (101 rep)
Sep 18, 2023, 03:25 PM • Last activity: Sep 19, 2023, 12:01 PM
1 votes
1 answer
486 views
podman running as user dies after hard reboot - Method gave invalid 400 URI Failure message: Failed to setgroups - setgroups (22: Invalid argument)
I'm struggling to determine what is going on here. Podman running in user space was running fine, but the server took a hard reboot and now it is... for lack of a more accurate technical assessment, borked.
[grant@patches2 patches]$     podman build       --tag local/patches-python:latest       --squash-all       -f ${SCRIPT_DIR}/python_container/Dockerfile.python       --build-arg "PYTHON_CONTAINER_DIR=podman-build/python_container"       ${TOP_DIR}
[1/2] STEP 1/7: FROM python:3.12.0a7-slim-bullseye AS builder
[1/2] STEP 2/7: ARG PYTHON_CONTAINER_DIR
[1/2] STEP 3/7: WORKDIR /app
[1/2] STEP 4/7: RUN apt-get update && apt-get install -y build-essential libffi-dev
E: setgroups 65534 failed - setgroups (22: Invalid argument)
E: setegid 65534 failed - setegid (22: Invalid argument)
Reading package lists...
E: setgroups 65534 failed - setgroups (22: Invalid argument)
E: setegid 65534 failed - setegid (22: Invalid argument)
E: Method gave invalid 400 URI Failure message: Failed to setgroups - setgroups (22: Invalid argument)
E: Method http has died unexpectedly!
E: Sub-process http returned an error code (112)
Error: building at STEP "RUN apt-get update && apt-get install -y build-essential libffi-dev": while running runtime: exit status 100
[grant@patches2 patches]$ cat /etc/subuid
root:200000:1001
grant:200000:1001
[grant@patches2 patches]$ cat /etc/subgid
root:200000:1001
grant:200000:1001
[grant@patches2 patches]$ podman system migrate
[grant@patches2 patches]$     podman build       --tag local/patches-python:latest       --squash-all       -f ${SCRIPT_DIR}/python_container/Dockerfile.python       --build-arg "PYTHON_CONTAINER_DIR=podman-build/python_container"       ${TOP_DIR}
[1/2] STEP 1/7: FROM python:3.12.0a7-slim-bullseye AS builder
[1/2] STEP 2/7: ARG PYTHON_CONTAINER_DIR
[1/2] STEP 3/7: WORKDIR /app
[1/2] STEP 4/7: RUN apt-get update && apt-get install -y build-essential libffi-dev
E: setgroups 65534 failed - setgroups (22: Invalid argument)
E: setegid 65534 failed - setegid (22: Invalid argument)
Reading package lists...
E: setgroups 65534 failed - setgroups (22: Invalid argument)
E: setegid 65534 failed - setegid (22: Invalid argument)
E: Method gave invalid 400 URI Failure message: Failed to setgroups - setgroups (22: Invalid argument)
E: Method http has died unexpectedly!
E: Sub-process http returned an error code (112)
Error: building at STEP "RUN apt-get update && apt-get install -y build-essential libffi-dev": while running runtime: exit status 100
[grant@patches2 patches]$ cat /etc/group | grep 65534
nobody:x:65534:
I'm a bit at a loss as to where to go with this one as it's not at all clear to me what the problem is. Here is the dockerfile in question:
FROM python:3.12.0b4-slim-bookworm AS builder

ARG PYTHON_CONTAINER_DIR

WORKDIR /app

# Install build essentials for compiling C code
RUN apt-get update && apt-get install -y build-essential libffi-dev
RUN pip install --upgrade pip

# Copy files to the working directory
COPY ${PYTHON_CONTAINER_DIR}/requirements.txt .
RUN pip install --no-cache-dir -r requirements.txt

# Production stage
FROM python:3.12.0b4-slim-bookworm

ARG PYTHON_CONTAINER_DIR

WORKDIR /app

# Copy files from the build stage
COPY --from=builder /usr/local/lib/python3.12/site-packages/ /usr/local/lib/python3.12/site-packages/
COPY ${PYTHON_CONTAINER_DIR}/generate_certificates.py .
COPY ${PYTHON_CONTAINER_DIR}/generate_certificates_entrypoint.sh .
COPY ${PYTHON_CONTAINER_DIR}/configure_nginx.py .
COPY ${PYTHON_CONTAINER_DIR}/configure_nginx_entrypoint.sh .
COPY ${PYTHON_CONTAINER_DIR}/import_keys.py .
COPY ${PYTHON_CONTAINER_DIR}/import_keys_entrypoint.sh .
COPY ${PYTHON_CONTAINER_DIR}/helper_functions.py .

RUN chmod +x ./generate_certificates_entrypoint.sh
RUN chmod +x ./configure_nginx_entrypoint.sh
RUN chmod +x ./import_keys_entrypoint.sh
This seems like it might be a bug internal to podman? I'm not quite sure what to look at here.
Updated subuid/subgid
[1/2] STEP 1/7: FROM python:3.12.0a7-slim-bullseye AS builder
[1/2] STEP 2/7: ARG PYTHON_CONTAINER_DIR
[1/2] STEP 3/7: WORKDIR /app
[1/2] STEP 4/7: RUN apt-get update && apt-get install -y build-essential libffi-dev
E: setgroups 65534 failed - setgroups (1: Operation not permitted)
E: setegid 65534 failed - setegid (22: Invalid argument)
E: seteuid 100 failed - seteuid (22: Invalid argument)
E: setgroups 0 failed - setgroups (1: Operation not permitted)
rm: cannot remove '/var/cache/apt/archives/partial/*.deb': Permission denied
Reading package lists...
W: chown to _apt:root of directory /var/lib/apt/lists/partial failed - SetupAPTPartialDirectory (22: Invalid argument)
W: chown to _apt:root of directory /var/lib/apt/lists/auxfiles failed - SetupAPTPartialDirectory (22: Invalid argument)
E: setgroups 65534 failed - setgroups (1: Operation not permitted)
E: setegid 65534 failed - setegid (22: Invalid argument)
E: seteuid 100 failed - seteuid (22: Invalid argument)
E: setgroups 0 failed - setgroups (1: Operation not permitted)
E: Method gave invalid 400 URI Failure message: Failed to setgroups - setgroups (1: Operation not permitted)
E: Method http has died unexpectedly!
E: Sub-process http returned an error code (112)
Error: building at STEP "RUN apt-get update && apt-get install -y build-essential libffi-dev": while running runtime: exit status 100
[grant@patches2 patches]$ cat /etc/subuid
root:200000:1001
grant:200000:65536
[grant@patches2 patches]$ cat /etc/subgid
root:200000:1001
grant:200000:65536
[grant@patches2 patches]$
Grant Curell (769 rep)
Jul 17, 2023, 08:10 PM • Last activity: Jul 18, 2023, 02:52 PM
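Every failing call in the output above is apt trying to switch to an ID (gid 65534 for nobody, uid 100 for _apt) that a rootless container can only reach through the user's /etc/subuid and /etc/subgid ranges, and the two listings in the post differ only in the length of that range. As an added example (written for this page, not taken from the post or from podman), the shell functions below parse a subuid/subgid-style listing and answer the two questions worth settling before touching podman again: does the user's range map the container ID the failing program wants, and does it overlap another user's range. The sample listings are constructed from the values shown in the post; the single-entry layout (container ID 0 is the user's own ID, container IDs 1..count map to start..start+count-1) is the usual one and is assumed here.

```shell
#!/bin/sh
# Added example: sanity checks for /etc/subuid and /etc/subgid entries as
# rootless podman uses them.  Each line is user:start:count.
set -eu

# Listings constructed from the values in the post: before and after the
# range was widened.
SUBGID_BEFORE='root:200000:1001
grant:200000:1001'
SUBGID_AFTER='root:200000:1001
grant:200000:65536'

# entry_count LISTING USER -> total count across all ranges USER owns (0 if none)
entry_count() {
    printf '%s\n' "$1" | awk -F: -v u="$2" '$1 == u { n += $3 } END { print n + 0 }'
}

# maps_container_id LISTING USER ID -> "yes" if container ID is mapped for USER.
# ID 0 is always the user's own ID; ID N>0 needs the concatenated ranges to be
# at least N long, because container IDs 1..count map onto them in order.
maps_container_id() {
    id=$3
    [ "$id" -eq 0 ] && { echo yes; return 0; }
    if [ "$(entry_count "$1" "$2")" -ge "$id" ]; then echo yes; else echo no; fi
}

# ranges_overlap LISTING USER_A USER_B -> "yes" if any host-ID range of A
# intersects any range of B.  Distinct users sharing host IDs means one
# user's container root can own the other's files, so this should be "no".
ranges_overlap() {
    printf '%s\n' "$1" | awk -F: -v a="$2" -v b="$3" '
        $1 == a { as[++na] = $2; ae[na] = $2 + $3 - 1 }
        $1 == b { bs[++nb] = $2; be[nb] = $2 + $3 - 1 }
        END {
            for (i = 1; i <= na; i++)
                for (j = 1; j <= nb; j++)
                    if (as[i] <= be[j] && bs[j] <= ae[i]) { print "yes"; exit }
            print "no"
        }'
}

echo "before: grant maps gid 65534 (nobody)? $(maps_container_id "$SUBGID_BEFORE" grant 65534)"
echo "before: grant maps uid 100 (_apt)?     $(maps_container_id "$SUBGID_BEFORE" grant 100)"
echo "after:  grant maps gid 65534 (nobody)? $(maps_container_id "$SUBGID_AFTER" grant 65534)"
echo "after:  root and grant ranges overlap? $(ranges_overlap "$SUBGID_AFTER" root grant)"
```

Run against the real files with `maps_container_id "$(cat /etc/subgid)" "$USER" 65534`. The widened listing fixes the first problem but leaves the second one visible: root's 1001-ID range sits inside grant's, which is the overlap `useradd` normally refuses to create.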
3 votes
2 answers
315 views
Why is /var/mail setgid?
I am learning about UNIX file permissions and I saw that on my Ubuntu system, /var/mail has the setgid bit set. Why is this?
$ ls /var/mail/ -dl
drwxrwsr-x 2 root mail 4096 Feb  23 05:57 /var/mail/
This book I'm reading says:
> Setgid is useful when you have groups of users who need to share a lot of files.
> Having them work from a common directory with the setgid attribute
> means that correct group ownership will be automatically set for new
> files, even if the people in the group don't share the same primary
> group.
That description doesn't sound like anything useful for /var/mail since users don't directly manipulate that directory. The files created in /var/mail end up with the group owner "mail", but doesn't this already happen? Only "mail" can create new files in the directory (and root). The only useful case I can think of is when a sysadmin adds a new mail account with sudo touch /var/mail/. That file would still have the "mail" group owner.
enoopreuse22 (31 rep)
Feb 25, 2023, 10:04 PM • Last activity: Mar 4, 2023, 08:10 PM
13 votes
2 answers
6918 views
Group memberships and setuid/setgid processes
Processes which *de-escalate* privileges via setuid() and setgid() do not seem to inherit the group memberships of the uid/gid they set. I have a server process that must be executed as root in order to open a privileged port; after that it de-escalates to a specific non-privileged uid/gid,1 -- e.g., that of user foo (UID 73). User foo is a member of group bar:
> cat /etc/group | grep bar
bar:x:54:foo
Hence if I login as foo, I can read a file /test.txt with these characteristics:
> ls -l /test.txt
-rw-r----- 1 root bar 10 Mar 8 16:22 /test.txt
However, the following C program (compile with -std=gnu99), when run as root:
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>

int main(void)
{
    /* drop from root to uid/gid 73 */
    setgid(73);
    setuid(73);
    /* open() returns -1 here */
    int fd = open("/test.txt", O_RDONLY);
    fprintf(stderr, "%d\n", fd);
    return 0;
}
Always reports **Permission denied**. I imagine this has to do with it being a non-login process, but it kind of hamstrings the way permissions are supposed to work.
_______
1. Which is often SOP for servers, and I think there must be a way around this as I found a report of someone doing it with apache -- apache has been added to the audio group and can apparently then use the sound system. Of course, this likely happens in a fork and not the original process, but in fact the case is the same in my context (it's a child process forked subsequent to the setuid call).
goldilocks (89669 rep)
Mar 8, 2014, 10:06 PM • Last activity: Dec 9, 2022, 07:52 PM
1 votes
2 answers
206 views
SUID bit ignored when creating files / directories
I've set the SUID & SGID bit on a folder belonging to user *foo* with sudo chmod g+s myfolder & sudo chmod u+s myfolder:
drwsr-sr-x 24 foo www-data 4,0K Okt 25 16:17 myfolder
Then I went inside and created a folder with sudo mkdir xyz, but the user of the folder gets overwritten with root while the group was protected successfully:
drwxr-sr-x 2 root www-data 4,0K Okt 25 16:24 xyz
I expect the user to be protected; it should stay foo after executing sudo mkdir xyz. What have I missed?
Black (2138 rep)
Oct 25, 2022, 02:26 PM • Last activity: Oct 26, 2022, 07:36 AM
0 votes
1 answer
246 views
Shared directory with setgid not working as expected
I have a group of developers who want to share the same directory. I created a new group with these developers and created a directory for them. On that directory, I set the group to the group I created and set the setgid bit. And that all works great... files and directories that are *created* inside this shared directory have the right permissions. But the developers use an application that is doing something that results in unexpected permissions. Instead of files and directories being created with the group of the shared directory, they have the group of the user. And on directories, the setgid bit isn't set. My *guess* as to what is happening is the application is creating a directory hierarchy someplace else (such as /tmp) and when it's done, it's *moving* that to the shared directory. If it isn't that it's something like that. My solution so far is to manually adjust the permissions; I search for files and directories that don't have the right permissions with *find* and then pipe that list into *xargs*. And since this is a constant problem, I'll probably use *super* to give the developers a way to fix up the permissions themselves. Is there a better solution?
John Passaniti (1 rep)
Oct 12, 2022, 04:22 PM • Last activity: Oct 12, 2022, 06:45 PM
0 votes
0 answers
176 views
I have an Apache2 CGI executable trying to use setgid()/setuid(). But it fails switching to root. How do I fix that issue?
My [CGI executable starts as expected](https://askubuntu.com/questions/547414/running-binary-cgi-on-apache2/1421670#1421670). At some point, though, it tries to become root (and then yet a different user). At that point, the CGI fails. Here is the pertinent code snippet:
[...]
int const pid(fork());
if(pid == 0)
{
    if(setgid(0) == -1)   // <-- this fails.
    {
        std::cerr << "error: cannot become the \"root\" group.\n";
        exit(0);
    }
[...]
I was thinking it could have something to do with the systemd [NoNewPrivileges](https://www.freedesktop.org/software/systemd/man/systemd.exec.html) parameter. That parameter is set to false by default and it does not appear in the Apache2 .service file. So I'm wondering what I could try next to make it all work. Here is the apache2.service file (on Ubuntu 20.04):
[Unit]
Description=The Apache HTTP Server
After=network.target remote-fs.target nss-lookup.target
Documentation=https://httpd.apache.org/docs/2.4/

[Service]
Type=forking
Environment=APACHE_STARTED_BY_SYSTEMD=true
ExecStart=/usr/sbin/apachectl start
ExecStop=/usr/sbin/apachectl stop
ExecReload=/usr/sbin/apachectl graceful
PrivateTmp=true
Restart=on-abort

[Install]
WantedBy=multi-user.target
and we can see that NoNewPrivileges is not set, nor [a field with a similar side effect as listed on Freedesktop](https://www.freedesktop.org/software/systemd/man/systemd.exec.html#Security). How do I get the setuid()/setgid() functions to work in newer versions of Apache2?
Alexis Wilke (3095 rep)
Aug 6, 2022, 04:49 PM
1 votes
3 answers
1668 views
rsync not setting stickybit / GID bit
Using the following rsync command, the RWX permissions are being correctly set for both files and directories but the sticky bit options are not.
rsync -rtvz --partial-dir=.rsync-partial --chmod=Da+t,Dg+s,D770,F0740 --progress --stats -e 'ssh -p 19419' "/home/me/test_dir" me@REMOTE_HOST:~
I understand that the options should act as below:
Da+t - all dirs should have the sticky bit set (only the root user, the owner of the directory, and the owner of a file can remove files within said directory)
Dg+s - all dirs should have setGID (all files created within said directory inherit the group ownership of that directory)
but sticky bits and setGID bits are not set on the REMOTE_HOST dirs with the above command. If I ssh to the REMOTE_HOST and run something like chmod -R a+t test_dir then the sticky bits will be set as expected. Where am I going wrong?
Edit: I also separately tried just "--chmod=Da+t,Dg+s", "--chmod=Da+t", "--chmod=Dg+s", "--chmod=a+t" and no sticky bits are set with any of these options. (Ubuntu 16.04, rsync 3.1.1 - I took the chmod options straight from the man page)
ezekiel (167 rep)
Nov 10, 2020, 04:02 PM • Last activity: Jul 22, 2022, 04:40 PM
1 votes
1 answer
1569 views
Is appropriate to use setuid() over setresuid()/setreuid()/seteuid()?
I have an executable binary which was compiled from a C source file. The executable has the setuid permission bit on. I noticed that, if the owner of the executable is **root**, I can use
setuid(geteuid());
when compiling the file to set the *real UID* of the process running the executable to be **root**. Then, anyone who runs the executable can run it as **root**. However, I noticed that this only happens when the owner of the executable is **root**. It did not work when I tried to give **test_user** ownership of the executable (and fixed the permissions to contain setuid again). After reading these documentation pages ((https://man7.org/linux/man-pages/man2/setuid.2.html) , (https://man7.org/linux/man-pages/man2/setreuid.2.html) , (https://man7.org/linux/man-pages/man2/setresuid.2.html)) and reading [this post](https://unix.stackexchange.com/questions/548480/why-doesnt-setuid-work-with-non-root-users) , I noticed that setuid(new_euid) is meant to change the *effective UID* instead of the *real UID* of the process running the executable. It just happens that, under particular circumstances (*effective UID* is root), setuid(new_euid) also sets the *real UID* and *saved UID* of the process running the executable to new_euid. I solved the issue by using setreuid instead of setuid, as follows:
setreuid(geteuid(), geteuid());
Which allowed me to set the *real UID* of the process to be the *effective UID* (owner of the executable) and reset the *effective UID* to its value (redundant). I understand that setuid() will work under certain conditions, but isn't it less confusing and more appropriate to just use setreuid(), setresuid(), or seteuid() when changing the *real UID*, *saved UID*, or *effective UID* is desired, since they always work? Moreover: I understand that seteuid() appears to be doing the same as setuid() with the difference explained [here](https://stackoverflow.com/questions/33076543/setuid-vs-seteuid-function) (*effective UID* is root). Is this supposed to not allow root-privileged programs to regain privileges after dropping them (because all 3 UIDs would be changed to the same value using setuid())? So should I just use setuid() for root-privileged programs even when it is not as clear compared to setresuid(), for example? I see that setuid() can be secure since it doesn't allow root-privileged programs to regain privileges once dropped, but that behavior can be implemented using the other mentioned functions with less confusion. Another thing: getuid() returns the *real UID* of the process while setuid() is meant for modifying the *effective UID* (unless privileged), which is also confusing.
rafagarci (15 rep)
May 21, 2022, 08:08 AM • Last activity: May 21, 2022, 02:52 PM
93 votes
5 answers
265543 views
'chmod g+s' command
Hello, I want to understand the role of the chmod g+s command in Unix. I also would like to know what it does in this particular context:
cd /home/canard;
touch un;
chgrp canard .;
chmod g+s .;
touch deux ;
I understand all the commands roles except for chmod g+s and I want to know the differences between the files un and deux resulting from this series of commands.
otus (1031 rep)
Jan 31, 2015, 06:31 PM • Last activity: Apr 12, 2022, 03:33 PM
3 votes
2 answers
1293 views
Why I can't set the setuid for "others"?
I can't set the others' setuid bit. Why? Is there some security lock?
$ ls -l
-rwxrwxr-x 1 allexj allexj 16784 Mar 11 17:30 a.out
$ chmod o=+s a.out
$ ls -l
-rwxrwx--- 1 allexj allexj 16784 Mar 11 17:30 a.out
Allexj (265 rep)
Mar 11, 2022, 05:33 PM • Last activity: Mar 11, 2022, 08:57 PM
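As an added example (written for this page, not taken from the question or its answers), the function below applies a few symbolic modes to a fresh 775 file and reports the resulting octal mode, which makes the parsing visible: chmod reads `o=+s` as `o=` (clear every bit in the others column) followed by `o+s`, and `s` is only meaningful for `u` and `g`, so the others column is simply wiped and nothing is added back. The one special bit that does live in the others column is the sticky bit, `t`. GNU coreutils chmod and stat are assumed.

```shell
#!/bin/sh
# Added example: what chmod's symbolic parser does with o=+s, next to the
# special bits that actually exist in each column.
set -eu

# mode_after SYMBOLIC -> octal mode of a fresh 775 file after applying SYMBOLIC
mode_after() {
    f=$(mktemp)
    chmod 775 "$f"
    chmod "$1" "$f"
    stat -c '%a' "$f"
    rm -f "$f"
}

echo "o=+s -> $(mode_after o=+s)"   # others cleared by '='; 's' ignored for 'o'
echo "u+s  -> $(mode_after u+s)"    # setuid lives in the owner column
echo "g+s  -> $(mode_after g+s)"    # setgid lives in the group column
echo "o+t  -> $(mode_after o+t)"    # sticky is the only special bit for others
echo "o=rx -> $(mode_after o=rx)"   # setting the others column explicitly
```

There is no "setuid for others" in the mode word: the three high bits are setuid (4000), setgid (2000) and sticky (1000), and a setuid binary always runs as the file's owner, whoever executes it.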
2 votes
1 answer
540 views
Why "permission denied" when running `less` with chmod 6110?
Assume you are user x, so running id gives
uid=1001(x) gid=1001(x) groups=1001(x)
And there is also a user y with
uid=1002(y) gid=1002(y) groups=1002(y)
Now as root we create a file readme in user's x home directory like this:
# cd /home/x
# touch readme
# echo "hello" > readme
# chown root:y readme
# chmod 640 readme
And we make a copy of less
# cd /home/x
# cp /usr/bin/less .
# chown y:x less
# chmod 6110 less
**I would expect user x to be able to read readme by running ./less readme** because of the setuid and setgid, but I get a "permission denied" error. **Why?** This is my logic, but probably something is wrong. chmod 6110 gives *only* execution rights to the owner (y) and members of the group (x). Since user x belongs to group x, he can execute less. Then the setuid makes the effective UID to be the same as y, and the setgid makes the effective GID the same as the group of the owner, again y. And since readme's group is y, less should have read permission.
Iyán (108 rep)
Feb 7, 2022, 01:32 PM • Last activity: Feb 7, 2022, 02:12 PM
2 votes
0 answers
467 views
Using umask vs. setgid: best practice for peacefully sharing a directory in a Linux users group?
What is the best way to share a directory between multiple Linux users? Say I have a directory at /foo (a regular directory, no NFS or else) and a bunch of users added to the group bar. What I want is this behavior:
1. all users in bar can read/write files and directories in /foo
2. any files and directories created in /foo are automatically readable/writable by all users in bar
I am not sure what is the best way to do this:
1. I can set the group of /foo and its initial content to be in the bar group with chown -R :bar and set the setgid bit on these with chmod -R g+s. I leave the umask at the default (02). There may be weird side effects to setgid on files too (the libmagic filetype gets prefixed with setgid, with unpredictable results for apps that use this).
2. Or I set the umask to something else for all users (say 03 or 07), but I am not sure I can get the right sharing to take place short of also using the setgid bit.
My question: what is the best, cleanest and most idiomatic way to achieve this file sharing setup reliably?
PS: I wrote in the title "peacefully sharing a directory" tongue-in-cheek, and by this I mean reliably and consistently. I think I have never been able to achieve this sharing reliably without rogue files popping up and not being accessible to the group with any setting I could try.
Philippe Ombredanne (151 rep)
Apr 21, 2021, 08:24 AM • Last activity: Apr 21, 2021, 09:34 AM
2 votes
1 answer
1247 views
Share files/directories by setgid
> To allow write access to a specific group, shared files/folders can be made writeable by default for everyone in this group and the owning group can be automatically fixed to the group which owns the __parent directory__ by setting the setgid bit on this directory:
>
> chmod g+s our_shared_directory
>
> Otherwise the file creator's default group (usually the same as the user name) is used.
The above quote is from the Arch Linux Wiki. It is not clear to me how to make shared files and folders. Say user __A__ and __B__ both belong to a common group __G__. Now how do I create our_shared_directory such that by default everyone in __G__ has write permission? Second, why do I need setgid on our_shared_directory? Why do I need to make the owning group fixed to the group of the __parent directory__ of our_shared_directory?
Rich (215 rep)
Feb 29, 2016, 04:35 AM • Last activity: Apr 1, 2021, 08:01 AM
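Most of the questions on this page circle the same few rules about a setgid directory: the 'chmod g+s' question (which group un and deux end up in), the stickybits and SUID-on-directory questions (u+s on a directory does nothing for ownership), the "Set group and mod" and "Inherit ownership and permissions" questions (the bit fixes the group, the umask still fixes the mode), the "shared directory not working as expected" question (trees moved in with mv keep their old group and lack the bit), and the umask-vs-setgid question just above. As one added example (written for this page, not taken from any post or answer), the script below exercises all of those rules in a scratch directory as an unprivileged user. It assumes Linux semantics and GNU coreutils (stat -c, chmod, chgrp, find); the group-inheritance part only shows a visible difference if the running user belongs to at least one supplementary group.

```shell
#!/bin/sh
# Added example: the setgid-directory rules, checked on a scratch directory.
# Linux semantics and GNU coreutils are assumed.
set -eu

mode_of() { stat -c '%a' "$1"; }   # permission bits as octal digits, e.g. 2775
gid_of()  { stat -c '%g' "$1"; }   # numeric group id

# A supplementary group of the current user other than the primary one, or
# nothing if there is none.  Used only to make group inheritance observable.
other_group() {
    primary=$(id -g)
    for g in $(id -G); do [ "$g" != "$primary" ] && { echo "$g"; return 0; }; done
    return 0
}

# Create the shared directory: group = $1 (defaults to the primary group),
# mode 2775 so the setgid bit is on.  Prints its path.
make_shared_dir() {
    d=$(mktemp -d)
    chgrp "${1:-$(id -g)}" "$d"
    chmod 2775 "$d"
    printf '%s\n' "$d"
}

# Create file $2 and directory $3 inside $1 under umask $4.  The kernel gives
# both the parent's group, gives the directory (not the file) the setgid bit,
# and applies the umask to the permission bits as usual: setgid decides who
# owns the result, never how open it is.
create_in() {
    ( umask "$4"; : > "$1/$2"; mkdir "$1/$3" )
}

# Move a tree built somewhere else (like /tmp) into the shared directory.
# rename(2) keeps ownership and mode, so the moved directory still has the
# mover's primary group and no setgid bit: inheritance only happens at create time.
move_tree_in() {
    outside=$(mktemp -d)
    ( umask 022; mkdir "$outside/tree"; : > "$outside/tree/file" )
    mv "$outside/tree" "$1/$2"
}

# Repair after such moves: re-group everything below the shared directory and
# put the setgid bit back on every directory (files should not carry it).
fix_tree() {
    chgrp -R "$(gid_of "$1")" "$1"
    find "$1" -type d -exec chmod g+s {} +
}

demo() {
    grp=$(other_group)
    shared=$(make_shared_dir "$grp")
    echo "shared dir: $(mode_of "$shared") gid=$(gid_of "$shared") (primary gid $(id -g))"

    create_in "$shared" deux sub 002
    echo "deux: $(mode_of "$shared/deux") gid=$(gid_of "$shared/deux")"
    echo "sub:  $(mode_of "$shared/sub") gid=$(gid_of "$shared/sub")"

    create_in "$shared" tight tightdir 007
    echo "umask 007 -> $(mode_of "$shared/tight") and $(mode_of "$shared/tightdir")"

    chmod u+s "$shared"
    ( umask 022; mkdir "$shared/after-u+s" )
    echo "after u+s on the dir, a new subdir is $(mode_of "$shared/after-u+s")"

    move_tree_in "$shared" moved
    echo "moved tree before fixup: $(mode_of "$shared/moved") gid=$(gid_of "$shared/moved")"
    fix_tree "$shared"
    echo "moved tree after fixup:  $(mode_of "$shared/moved") gid=$(gid_of "$shared/moved")"
}
demo
```

Two things this makes concrete for the questions above: a 770-everywhere or 775-everywhere policy is a umask decision (007 or 002 for every process that writes there, which is exactly what a GUI or daemon that never reads /etc/profile will not do), and anything that arrives by rename rather than by create needs the fix_tree pass, which is the `find -type d -exec chmod g+s` idiom, run by a cron job or a small setgid-free wrapper the developers are allowed to call.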