Ubuntu – Give user access to directory in another user’s home folder


I have a directory inside my home folder that I'd like another user to be able to access. I created a group for him and we both joined it, and I did

sudo chgrp -R group folder/

He still cannot get into the directory, getting permission denied. I also did

sudo chmod -R 777 folder/

To no avail. Why isn't this wokring? Thanks.

Best Answer

Did you check that he has execute permission to the parent directories ? Otherwise it won't work.

More precisely, along the path a user takes to reference a filesystem object, all directories in-between must have execute permission set for him. In practice, it will often be better to give the read permission as well, since giving only the execute permission would work only if the accessing user progresses to the desired directory without being able to look into those intermediate directories, which is not how things go when using a file manager or shell completion (tab), for example.

If you don't mind everybody else having read+exec access to the parent directories, you may be happy with a chmod o+rx on those directories, or you will have to chgrp those directories as well and chmod g+rx.

Or... OR... you can use... POSIX ACLs !

You can use the setfacl and getfacl commands, or use Eiciel (apt install eiciel), the gnome file ACL editor, to set those ACLs. Among other things, POSIX ACLs enable granting/revoking rights to specific users and groups, not having to stick to the traditional UNIX "ugo" permission model. More in the NTFS way, if you don't find the comparison too obscene.

man acl may help you, but man setfacl seems more interesting, as it covers Linux-specific parts such as so-called default ACLs, that are inherited by filesystem objects created in a directory.

So for example, if you want to give user bob the "rwx" permissions on directory "work", with default (inherited) "r" permissions, type :

setfacl -m u:bob:rwx,d:u:bob:r work

You still have to give bob the read+execute permission on whatever directories he may have to cross to reach "work" though (if he doesn't have those rights already) :

setfacl -m u:bob:rx intermediate_directory

As a side note, POSIX ACLs are not new. I remember using them on a Digital Unix system more than twenty years ago. However, the system forgot resetting those ACLs on TTY allocation/deallocation, only the traditional rights, which enabled a few exploits in those old times when device files were statically created...

EDIT : Instead of having to give +rx rights on intermediate directories, you can remount the target directory somewhere else on the filesystem. Let's suppose you have a directory "work", whose absolute path is /x/y/z/work, and you don't want to modify the rights on x, y or z. You can create a /shared/work directory, and remount /x/y/z/work there, using :

mkdir -p /shared/work
mount --bind /x/y/z/work /shared/work

That wouldn't survive across reboots though, so in case you want it to persist, append the following line to /etc/fstab :

/x/y/z/work /shared/work none bind

Doing that will make the work directory contents reachable through /x/y/z/work and /shared/work as well.

But of course, if you don't mind moving /x/y/z/work to some other place :

mkdir /shared
mv /x/y/z/work /shared

is the simplest and best way.

Related Question