The next act in our scenario involves creating a shared directory that all the members of our marketing department can use. Now, this is another one of those areas that engenders a bit of controversy. Some people like to put shared directories in the root level of the filesystem, while others like to put them in the /home directory. Some people have other preferences still. But really, it's a matter of personal preference and/or company policy; other than that, it doesn't much matter where you put them. For our purposes, to keep things simple, I'll just create the directory in the root level of the filesystem:
[donnie@localhost ~]$ cd /
[donnie@localhost /]$ sudo mkdir marketing
[sudo] password for donnie:
[donnie@localhost /]$ ls -ld marketing
drwxr-xr-x. 2 root root 6 Nov 13 15:32 marketing
[donnie@localhost /]$
The new directory belongs to the root user and the root group. It has a permissions setting of 755, which permits read and execute (directory listing and traversal) access to everybody, and write access only to the root user. What we really want is to allow only members of the marketing department to access this directory. We'll first change the ownership and the group association, and then we'll set the proper permissions:
[donnie@localhost /]$ sudo chown nobody:marketing marketing
[donnie@localhost /]$ sudo chmod 770 marketing
[donnie@localhost /]$ ls -ld marketing
drwxrwx---. 2 nobody marketing 6 Nov 13 15:32 marketing
[donnie@localhost /]$
In this case, we don't have any one particular user that we want to own the directory, and we don't really want the root user to own it. So, assigning ownership to the nobody pseudo-user account gives us a way to deal with that. Keep in mind that nobody is also the account that some daemons run under, and the one that NFS maps squashed root access to; since the owner of a directory can always change its mode, be sure that no such service on the machine can be coaxed into doing so. I then assigned the 770 permissions value to the directory, which allows read/write/execute access to all marketing group members, while keeping everyone else out. (The directory is still only as private as the path leading to it: a parent directory that everyone can traverse is fine, but the final component must carry the restrictive mode.) Now, let's let one of our group members log in to see if she can create a file in this directory:
[donnie@localhost /]$ su - vicky
Password:
[vicky@localhost ~]$ cd /marketing
[vicky@localhost marketing]$ touch vicky_file.txt
[vicky@localhost marketing]$ ls -l
total 0
-rw-rw-r--. 1 vicky vicky 0 Nov 13 15:41 vicky_file.txt
[vicky@localhost marketing]$
Okay, it works, except for one minor problem. The file belongs to Vicky, as it should. But it's also associated with Vicky's personal group, vicky, of which she is the only member. The other marketing people can still read the file through its world-readable bit, but they can't modify it, and the group write bit is wasted on a group of one. For the best access control of these shared files, we need them to be associated with the marketing group.
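The two things worth verifying after setting up a directory like /marketing are that the directory itself has the intended group and mode, and that the files inside it actually carry the shared group rather than each creator's personal group. The following script is an added example, not code from the book; it assumes GNU coreutils stat(1) on a Linux filesystem, and the directory and group names it is run against are whatever you pass in.

```sh
#!/bin/sh
# Added example (not from the book): audit a shared group directory set up
# the way /marketing is above. Assumes GNU coreutils stat(1) on Linux.

# check_shared_dir DIR GROUP
# Succeeds silently when DIR belongs to group GROUP and has mode 770
# (or 2770, i.e. 770 plus the setgid bit). Otherwise it reports each
# problem on stderr and returns 1.
check_shared_dir() {
    dir=$1
    want_group=$2
    mode=$(stat -c '%a' "$dir") || return 1
    grp=$(stat -c '%G' "$dir") || return 1
    rc=0
    if [ "$grp" != "$want_group" ]; then
        printf '%s: group is %s, expected %s\n' "$dir" "$grp" "$want_group" >&2
        rc=1
    fi
    # stat prints any special bits as a leading fourth digit (2770 -> 770)
    case $mode in
        ????) perm=${mode#?} ;;
        *)    perm=$mode ;;
    esac
    if [ "$perm" != "770" ]; then
        printf '%s: mode is %s, expected 770\n' "$dir" "$mode" >&2
        rc=1
    fi
    return $rc
}

# find_misgrouped DIR GROUP
# Prints every regular file directly under DIR whose group is not GROUP,
# which is exactly the situation vicky_file.txt is in above (group vicky
# instead of marketing). Returns 1 if any such file was found, 0 otherwise.
find_misgrouped() {
    dir=$1
    want_group=$2
    found=0
    for f in "$dir"/* "$dir"/.[!.]*; do
        [ -f "$f" ] || continue
        grp=$(stat -c '%G' "$f") || continue
        if [ "$grp" != "$want_group" ]; then
            printf '%s (group %s)\n' "$f" "$grp"
            found=1
        fi
    done
    return $found
}

# Usage against the directory from the text (requires the real group to exist):
#   check_shared_dir /marketing marketing && find_misgrouped /marketing marketing
```

Run against the /marketing directory as it stands at the end of this section, check_shared_dir passes, and find_misgrouped reports vicky_file.txt with group vicky, which is the "minor problem" just described. The mode check accepts 2770 as well as 770 so that the same script still passes once the setgid bit is added to fix that problem.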