You want group1 to have read/write access to a particular folder.
You want group2 to have read-only access to that folder.
You don't want others to have read access to that folder.
By default, Linux's permission system does not allow for this. The reason is simple: for each inode there are only three bits (rwx) that describe permissions for a particular group, namely the group that owns the file/directory referred to by that inode. Any user who is not the owner nor belongs to that group automatically falls under others. In practice this is most often sufficient, but in some rare cases it may not be.
The good news is that Linux actually supports ACLs (access control lists), which allow for a much more fine-grained access control. In order to enable ACLs, you have to add acl to the mount options. For instance, if the partition that contains the directory where you want to set up advanced access control is mounted like this in /etc/fstab:
/dev/sda1 / ext4 defaults 0 1
...you would change that to:
/dev/sda1 / ext4 acl,defaults 0 1
Then you need to remount the filesystem (e.g., mount -o remount /dev/sda1), or simply reboot.
Next let's make sure your folder /path/to/folder grants read/write access for group1. The permissions should look something like
drwxrwx--- 2 owner group1 4096 Dec 14 02:42 folder
Additionally, you want to grant read access for group2, and no access at all for others. To achieve this, issue the command
setfacl -m g:group2:rx /path/to/folder
That's it. You can look into the ACL permissions of that folder later by using getfacl, namely:
Let me get this straight:
You want
group1to have read/write access to a particular folder.You want
group2to have read-only access to that folder.You don't want
othersto have read access to that folder.By default, Linux's permission system does not allow for this. The reason is simple: for each inode there are only three bits (
rwx) that describe permissions for a particular group, namely the group that owns the file/directory referred to by that inode. Any user who is not the owner nor belongs to that group automatically falls underothers. In practice this is most often sufficient, but in some rare cases it may not be.The good news is that Linux actually supports ACLs (access control lists), which allow for a much more fine-grained access control. In order to enable ACLs, you have to add
aclto the mount options. For instance, if the partition that contains the directory where you want to set up advanced access control is mounted like this in/etc/fstab:...you would change that to:
Then you need to remount the filesystem (e.g.,
mount -o remount /dev/sda1), or simply reboot.Next let's make sure your folder
/path/to/foldergrants read/write access forgroup1. The permissions should look something likeAdditionally, you want to grant read access for
group2, and no access at all forothers. To achieve this, issue the commandThat's it. You can look into the ACL permissions of that folder later by using
getfacl, namely:More information here: ACLs: Extended file-permissions.
These commands should work:
This will hopefully provide read & write access to the owner and the group, and read-only access to 'Others' which should include Group2.
chmodmanual page here.chownmanual page here.To reset any changes so only the owner has access, run: