Graham King

Solvitas perambulum

Unix shared directory permissions: GUID and umask

Summary
To set up a Mercurial repository with shared group access, first create a new group and add the relevant users to it with `groupadd` and `usermod`. Change the project directory's ownership to that group and restrict access to group members with `chown` and `chmod`. Then set the setgid (SGID) bit on the directories with `chmod g+s`, so that new files inherit the group ownership. Lastly, change the global `umask` from `022` to `002` in `/etc/profile` so that new files are created group-readable and group-writable, although a more directory-specific solution would be preferable.

I set up my Mercurial repository the same way we used to do CVS, then SVN: a directory owned by a group, with the GUID (setgid) bit set, and every user who needs to commit is a member of that group.

The steps are as follows. First, create the group and add the relevant users to it:

sudo groupadd topsecretgroup
sudo usermod -a -G topsecretgroup graham

Change the project directory to be owned by that group, and accessible to no-one else:

cd topsecretproject/
sudo chown graham:topsecretgroup -R .
sudo chmod g=u,o= -R .

Set the GUID (setgid) bit on all the directories, so that new files and directories created inside them are owned by the group:

find . -type d -print0 | sudo xargs -0 chmod g+s

Change the umask for everyone, so that new files are created with read and write permissions for the group:

sudo vim /etc/profile

In that file, change the line umask 022 to umask 002

The last part, changing the umask, isn’t ideal. It works on Debian and Ubuntu because every user has their own private group, so a group-writable umask does not expose a user's other files to anyone else. I would prefer a more focused solution, just for that directory – suggestions welcome.
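The recipe above, applied to a directory you already own and then checked, as an added example that is not part of the original post: it needs no sudo, uses whatever group already owns the directory instead of topsecretgroup, and applies umask 002 only to the running shell rather than to /etc/profile.

```sh
#!/bin/sh
# Added example, not from the original post: apply the setgid + umask
# recipe to a directory you own (no sudo needed) and verify what newly
# created entries look like. Assumptions: GNU/BSD-style "ls -l" output;
# the group is whatever group already owns the directory, since a chgrp
# to "topsecretgroup" would need that group to exist on this machine.

# Make DIR accessible to owner and group only: group mirrors owner, others
# get nothing, and every directory carries the setgid bit so that new
# entries inherit the directory's group.
setup_shared_dir() {
    dir="$1"
    chmod -R g=u,o= "$dir"
    # -exec avoids the whitespace problems of piping find into xargs.
    find "$dir" -type d -exec chmod g+s {} +
}

# Create a file and a subdirectory inside DIR under umask 002 (the post's
# /etc/profile change, applied only to this shell) and return success
# only if both inherit DIR's group, the file is group-writable and the
# subdirectory keeps the setgid bit (the "s" in rws).
check_inheritance() {
    dir="$1"
    old_umask=$(umask)
    umask 002
    : > "$dir/newfile"
    mkdir "$dir/newsub"
    umask "$old_umask"
    dir_group=$(ls -ld "$dir" | awk '{print $4}')
    file_group=$(ls -ld "$dir/newfile" | awk '{print $4}')
    sub_group=$(ls -ld "$dir/newsub" | awk '{print $4}')
    file_perm=$(ls -ld "$dir/newfile" | cut -c1-10)
    sub_perm=$(ls -ld "$dir/newsub" | cut -c1-10)
    [ "$file_group" = "$dir_group" ] && [ "$sub_group" = "$dir_group" ] &&
        [ "$file_perm" = "-rw-rw-r--" ] && [ "$sub_perm" = "drwxrwsr-x" ]
}

# Demo on a throwaway directory (constructed; stands in for topsecretproject).
demo=$(mktemp -d)
mkdir "$demo/existing"
setup_shared_dir "$demo"
if check_inheritance "$demo"; then
    echo "ok: new entries in $demo inherit the group and are group-writable"
else
    echo "FAIL: group inheritance or umask not in effect for $demo"
fi
rm -rf "$demo"
```

If the check fails on a real shared tree, the usual culprits are a directory that lost its setgid bit when it was copied or recreated, or a login shell that never sourced the umask change.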

References:

Mercurial and permissions
Multiple Committers
Change Ubuntu global umask
Collaboration models