Apr 27, 2016

Found this helpful information on StackExchange.

Say I have 2 groups and a user: group1, group2.
user1 with the following structure: user1 is a member of group1
[group1 is a member of group 2] (Cannot nest groups in Linux, UNIX)

Example: following files with relevant permissions

file1 root:group1 660
file2 root:group2 660

When I log into user1, I’m able to edit file1, but not edit file2. Short of adding user1 to group2, is there any way of doing this or is there no way?

There is no such thing as a group being a member of a group. A group, by definition, has a set of user members. I’ve never heard of a feature that would let you specify “subgroups” where members of subgroups are automatically granted membership into the supergroup on login. If /etc/group lists group1 as a member of group2, it designates the user called group1 (if such a user exists, which is possible: user names and group names live in different name spaces).

If you want user1 to have access to file2, you have several solutions:

Make file2 world-accessible (you probably don't want this)
Make user1 the owner of file2: chown user1 file2
Add user1 to group2: adduser user1 group2
Add an ACL to file2 that grants access to either user1 or group1:

setfacl -m user:user1:rw file2
setfacl -m group:group1:rw file2
See Make all new files in a directory accessible to a group on enabling ACLs.
If at all possible, use access control lists (ACL).

Under Linux, make sure that the filesystem you’re using supports ACLs (most unix filesystems do). You may need to change the mount options to enable ACLs: with ext2/ext3/ext4, you need to specify the acl mount option explicitly, so the entry in /etc/fstab should look like /dev/sda1 / ext4 errors=remount-ro,acl 0 1. Run mount -o remount,acl / to activate ACLs without rebooting. Also install the ACL command line tools getfacl and setfacl, typically provided in a package called acl.

Now that the one-time setup is over, change the directory’s ACL to give the group write permissions and to make these permissions inherited by newly created files. Under Linux:

setfacl -d -m group:G:rwx /path/to/directory
setfacl -m group:G:rwx /path/to/directory

If ACLs are not an option, make the directory owned by the group G, and set its permissions to 2775 or 2770: chmod g+rwxs /path/to/directory. The s here means the setgid bit; for a directory, it means that files created in this directory will belong to the group that owns the directory.

You’ll also need to set A and B’s umask to make all their files group-writable by default. The default umask on most systems is 022, meaning that files can have all permissions except write by group and other. Change that to 002, meaning to forbid only write-by-other permission. You would typically put that setting in your ~/.profile:

umask 002 # or 007 to have files not readable by others
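The following script is an added example, not part of the StackExchange answer quoted above. It turns the two approaches in the answer into small POSIX sh functions: a per-file ACL (setfacl -m user:...) and a directory ACL with inheritance (setfacl -d -m group:...) for systems where the acl tools and mount option are available, and the setgid-directory plus umask fallback for systems where they are not. It also includes a check function that reads the resulting permission string back, so the effect of each umask value can be seen rather than assumed. The function names, the sample directory under $TMPDIR, and the use of the caller's own primary group as G are assumptions made for this example; the group passed in must already exist.

```shell
#!/bin/sh
# Added example (not from the StackExchange answer): shell helpers that
# apply the approaches the answer describes, with a check function so
# the result can be verified. Function names, the sample directory and
# the group argument are hypothetical; the group must already exist.

# Print the 10-character permission string of a path, e.g. drwxrws---.
# Only the first 10 columns are taken, so a trailing '+' (ACL present)
# or '@' printed by some ls implementations does not get in the way.
perm_string() {
    ls -ld "$1" | cut -c1-10
}

# Approach 1 (per-file ACL): grant one user read/write on one file,
# as in "setfacl -m user:user1:rw file2". Fails if setfacl is absent.
grant_user_acl() {
    # $1 = file, $2 = user
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed" >&2; return 1; }
    setfacl -m "user:$2:rw" "$1"
}

# Approach 2a (directory ACL with inheritance): give group $2 rwx on
# directory $1 now (-m) and on files created there later (-d -m).
acl_shared_dir() {
    command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed" >&2; return 1; }
    mkdir -p "$1" || return 1
    setfacl -m "group:$2:rwx" "$1" && setfacl -d -m "group:$2:rwx" "$1"
}

# Count the default (inherited) ACL entries for group $2 on $1;
# 1 means acl_shared_dir took effect on this filesystem, 0 means it did not.
count_default_group_acl() {
    getfacl -p "$1" 2>/dev/null | grep -c "^default:group:$2:rwx" || true
}

# Approach 2b (no ACLs): group-owned directory with the setgid bit
# (mode 2770), so files created inside inherit the directory's group.
setgid_shared_dir() {
    # $1 = directory, $2 = group
    mkdir -p "$1" && chgrp "$2" "$1" && chmod 2770 "$1"
}

# Create an empty file $2 inside $1 under umask $3 and print its mode.
# Shows why the answer tells the users to set umask 002 (or 007):
# the setgid bit fixes the group, but the umask decides whether that
# group can write.
new_file_mode() {
    rm -f "$1/$2"
    ( umask "$3" && : > "$1/$2" ) || return 1
    perm_string "$1/$2"
}

demo() {
    dir=${TMPDIR:-/tmp}/shared-demo.$$   # constructed sample path
    grp=$(id -gn)                        # caller's own primary group, so chgrp succeeds
    setgid_shared_dir "$dir" "$grp"
    echo "directory: $(perm_string "$dir")"          # drwxrws---
    echo "umask 022: $(new_file_mode "$dir" a 022)"  # -rw-r--r--  (group cannot write)
    echo "umask 002: $(new_file_mode "$dir" b 002)"  # -rw-rw-r--
    echo "umask 007: $(new_file_mode "$dir" c 007)"  # -rw-rw----
    if acl_shared_dir "$dir" "$grp" 2>/dev/null; then
        echo "default ACL entries for $grp: $(count_default_group_acl "$dir" "$grp")"
    else
        echo "ACL tooling unavailable here; the setgid directory is the fallback"
    fi
    rm -rf "$dir"
}

# Run as:  sh shared_dir.sh demo
if [ "${1-}" = demo ]; then demo; fi
```

The umask lines are the part worth trying on a real machine: with the default 022, a file created in a setgid directory still comes out as -rw-r--r--, so the other group members cannot edit it even though the group is right. The acl_shared_dir path only succeeds when the acl package is installed and the filesystem is mounted with ACL support; count_default_group_acl returning 0 after it "succeeded" is the sign that the mount option from the answer is still missing.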