Unix Groups

The primary use of Unix Groups is to assign “group ownership” of files and directories. You can configure this in the panel on the (Panel > 'Users' > 'Unix Groups') page. However, please note that only users with Enhanced User Security disabled can have their user group changed.

Creating a Unix Group

To use UNIX Groups to give individual FTP users access to specific subdirectories of a website:

  1. Navigate to the (Panel > 'Users' > 'Manage Users') page.
  2. Create a few users with Shell access. View the Enabling Shell Access article for instructions.
    • In this example, the new Shell users are named 'webmaster_unixgroup' and 'contributor_unixgroup'.

    Make sure Enhanced User Security is disabled on each Shell user or the following steps will not function.

  3. Navigate to the (Panel > 'Domains' > 'Manage Domains') page.
  4. Assign your domain to the new Shell user you just created, 'webmaster_unixgroup' (referred to as 'webmaster' below). View the following article for instructions:
  5. Navigate to the (Panel > 'Users' > 'Unix Groups') page.
  6. Click the Add Custom Group button.
  7. Create a group with both users in it. For example, you can name it "contributor_group".

    In this example the following names are used:

    • Unix group name – 'contributor_group_test'.
    • The two users are named 'webmaster_unixgroup' and 'contributor_unixgroup'
    After clicking Add Custom Group, a confirmation message appears.
  8. SSH to the server as your 'webmaster' Shell user and then give the "contributor_group_test" group access to whichever directory you want the user "contributor_unixgroup" to access. For example, to give 'contributor_unixgroup' access to the directory named '/contributor_dir':
    [server]$ chgrp -R contributor_group_test contributor_dir

    If you run 'chgrp' without any options, it changes the group of only the single directory /contributor_dir itself. If you want all subdirectories and files to change group as well, make sure to add the -R option.

  9. While still logged in as "webmaster", give the group (and all users in it) the desired level of access for that directory.
    • To provide full read/write/execute access to /contributor_dir and all of its subdirectories and files, run this command:
    [server]$ chmod -R g+rwxs contributor_dir
  10. Exit the session and then log back in as 'contributor_unixgroup'.
  11. Make a symbolic link (i.e., a shortcut) to the directory with this command:
    [server]$ ln -s /home/webmaster_unixgroup/example.com/contributor_dir /home/contributor_unixgroup/

    Note the space after the target path and before the local /home/<username>/ path; this creates a symbolic link called "contributor_dir" in the home directory of 'contributor_unixgroup'.


To upload or download files, 'contributor_unixgroup' must use SFTP, because FTP does not work with symbolic links.
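The sharing setup from steps 8 and 9, as an added example that is not DreamHost's own code. It refines the page's commands in one way a security engineer would want: the setgid bit goes only on directories, never on regular files, so .cgi scripts and other executables are not left setgid (see Caveats), and 'X' instead of 'x' avoids marking plain files executable. Assumed: the group passed in is one the calling user belongs to; the demo uses the caller's primary group (id -gn) so it runs anywhere.

```shell
#!/bin/sh
# Added example (not DreamHost's own code): group-share a directory as in
# steps 8 and 9, with setgid applied to directories only.
# Assumed: GROUP is a group the caller belongs to; demo uses `id -gn`.
set -eu

# share_dir DIR GROUP: give GROUP ownership of DIR recursively, grant the
# group rwx, and mark every directory setgid so new entries inherit GROUP.
share_dir() {
    dir=$1; grp=$2
    chgrp -R "$grp" "$dir"
    chmod -R g+rwX "$dir"                    # X: execute on dirs and already-executable files
    find "$dir" -type d -exec chmod g+s {} + # setgid on directories only
    find "$dir" -type f -exec chmod g-s {} + # never leave setgid on regular files
}

# count_setgid DIR TYPE: number of entries of TYPE (d or f) under DIR with setgid set.
count_setgid() {
    find "$1" -type "$2" -perm -g+s | wc -l | tr -d ' '
}

# Constructed demo tree standing in for ~/example.com/contributor_dir.
demo() {
    tmp=$(mktemp -d); grp=$(id -gn)
    mkdir -p "$tmp/contributor_dir/cgi"
    printf '#!/bin/sh\necho ok\n' > "$tmp/contributor_dir/cgi/fun.cgi"
    chmod 755 "$tmp/contributor_dir/cgi/fun.cgi"
    share_dir "$tmp/contributor_dir" "$grp"
    dirs=$(count_setgid "$tmp/contributor_dir" d)    # both directories
    files=$(count_setgid "$tmp/contributor_dir" f)   # fun.cgi must not be setgid
    : > "$tmp/contributor_dir/cgi/new.txt"           # a new file should inherit the group
    inherited=$(find "$tmp/contributor_dir/cgi/new.txt" -group "$grp" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$dirs $files $inherited"                   # "2 0 1"
}
```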

Caveats

  • If you have any .cgi files, changing their group with the above command makes them fail to run and generates HTTP 500 errors. Be sure that you leave the group of each .cgi file and its parent directory as the default group. In other words, if your .cgi file is in /home/joe/example.com/cgi/fun.cgi, then the following directories/files must keep joe's default group:
    • /home/joe/example.com/cgi
    • /home/joe/example.com/cgi/fun.cgi.
  • Some file servers have an internal limit of 16 groups. If you are in more than 16 groups, only the first 16 (as listed by the "groups" command) are considered.

Fundamentals of Unix Groups at DreamHost

  • Every DreamHost shared hosting account has a Unix Group in the form of pg####### (where each # is a [0-9] digit).
  • This group is called "a default group" and there is exactly 1 per account.
  • Every Unix User and every Mailbox belonging to the account is a member of this group. Your files and folders are not shared outside of your account.
  • Each Unix User's default Unix Group is entirely determined by the Unix User's Enhanced User Security check-box option:
    • If Enhanced User Security is NOT selected, the default pg####### group is the user's group and its permissions are 751.
    • If Enhanced User Security IS selected, the user's home directory has its permissions set to 710 and its group is changed to "adm".
  • None of the above can be changed except Enhanced User Security.
  • Every Unix Group of an account can contain any subset (combination) of Unix users which belong to that same DreamHost account.
  • Unix Groups cannot be nested.

Advanced: Protecting your files from other members of your group

The following sections are for advanced users with a solid knowledge of the Unix command-line.

Option one: chgrp

To keep other members of your group from accessing your files, you can create a new group in the panel and add only yourself to the group. Then, change the group of all of your files that you want to protect:

[server]$ chgrp -R my_group /home/user/directory

The down side to this is that you have to chgrp any new files when they are created in order to continue protecting them.

Option two: chmod g-x

To keep everyone from your group out, you can also use this method. Simply remove execute permissions from the directory you want to protect:

[server]$ chmod g-x /home/user/directory

The down side to this is that you have to remember:

  • to do this for every folder that you create, and
  • not to do it to any of your web folders.

Option three: SetGID bit

Set the GID bit on your root folder and any already existing folders:

[server]$ chgrp -R <my_group> ~/
[server]$ find ~/ -xdev -user <username> -group <my_group> -type d -print -exec chmod g+s {} \;

Line #1 changes the group ownership of all files and folders within your home folder (~/) to the specified <my_group>.

Line #2 sets the GID bit on all folders within your home folder and its subfolders. Specifically, it modifies every folder owned by you and belonging to <my_group>, which should be all of them if the command on line #1 completed successfully. Setting the GID bit on a folder means that any folders or files subsequently created within it belong to <my_group> rather than to your default group.

The down side to this is that if the group of a folder is ever changed, it loses the GID flag and anything under that folder is now created with your default (pg#######) group again.
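A way to notice and undo that drift, as an added example that is not DreamHost's own code: it lists every directory under a tree whose group is not the chosen group or that lacks the GID bit, and re-applies both only where they are missing. Assumed: the group passed in is one you belong to; the demo uses the caller's primary group (id -gn) so it runs anywhere.

```shell
#!/bin/sh
# Added example (not DreamHost's own code): detect and repair directories
# that lost <my_group> ownership or the GID bit after the Option three setup.
# Assumed: GROUP is a group the caller belongs to; demo uses `id -gn`.
set -eu

# audit_setgid DIR GROUP: print every directory under DIR (same filesystem)
# whose group is not GROUP or that lacks setgid; exit status 1 if any found.
audit_setgid() {
    drift=$(find "$1" -xdev -type d \( ! -group "$2" -o ! -perm -g+s \) -print)
    [ -z "$drift" ] && return 0
    printf '%s\n' "$drift"
    return 1
}

# repair_setgid DIR GROUP: re-apply GROUP and the GID bit to drifted directories only.
repair_setgid() {
    find "$1" -xdev -type d ! -group "$2" -exec chgrp "$2" {} +
    find "$1" -xdev -type d ! -perm -g+s -exec chmod g+s {} +
}

# Constructed demo: apply the page's two commands to a throwaway tree,
# simulate one folder losing the bit, audit, repair, audit again.
demo() {
    tmp=$(mktemp -d); grp=$(id -gn)
    mkdir -p "$tmp/home/a/b" "$tmp/home/c"
    chgrp -R "$grp" "$tmp/home"
    find "$tmp/home" -xdev -type d -exec chmod g+s {} +
    chmod g-s "$tmp/home/a/b"                       # simulated drift on one folder
    before=$(audit_setgid "$tmp/home" "$grp" | wc -l | tr -d ' ')
    repair_setgid "$tmp/home" "$grp"
    after=$(audit_setgid "$tmp/home" "$grp" | wc -l | tr -d ' ')
    rm -rf "$tmp"
    echo "$before $after"                           # "1 0"
}
```

Running audit_setgid from cron against ~/ gives an early warning before new files start landing in the default group again.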
