7 Explicit shared directories

Instead of allowing end users to share files within their home directories, a more secure approach is to designate specific folders for that purpose. For example, a system may have a top-level folder called /shared, owned by root:root, with its permissions set to rwxr-x--x. This means everyone can traverse (access) its subfolders as “others”, but no one (other than root) can list what is available.

Next, for each collection of users who need to share files, create a subfolder under /shared. The default permissions on these folders should be set to rwxr-x---, which grants all rights to their user owners, read-only rights to group owners, and no access to “others”.

The ownership can then be set to something like writer:reader, where writer refers to the user owner who is permitted to create content, and reader refers to the group of users who are only permitted to read content. What if there are multiple users who are allowed to write to the folder?

When multiple users need to write while some other users are only allowed to read, ownership and permissions alone are not sufficient for access control. There are two solutions when this need arises.

 7.1 sudo/su
 7.2 ACL-Access Control List
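The basic layout described in this section (/shared at rwxr-x--x, one subfolder per group at rwxr-x---) can be built and then audited for permission drift with a short script. This is an added example, not part of the original text; it works under a scratch directory so it needs no root, the names projectA and projectB are made up, and it assumes GNU `stat -c`.

```shell
#!/bin/sh
# Added example: create the shared-folder layout and audit its modes.
# Function bodies run in subshells "( ... )" so their variables stay local.

# make_shared ROOT NAME... : ROOT gets rwxr-x--x (751), each NAME rwxr-x--- (750)
make_shared() (
    root=$1; shift
    mkdir -p "$root" && chmod 751 "$root" || exit 1
    for name in "$@"; do
        mkdir -p "$root/$name" && chmod 750 "$root/$name" || exit 1
        # On a real system, as root: chown writer:reader "$root/$name"
        # (writer and reader are the placeholder owner and group from the text)
    done
)

# audit_shared ROOT : print one BAD line per directory whose mode deviates;
# exit status is 0 only when every mode matches the layout
audit_shared() (
    root=$1; bad=0
    mode=$(stat -c '%a' "$root")
    if [ "$mode" != 751 ]; then
        echo "BAD $root mode=$mode want=751"; bad=1
    fi
    for dir in "$root"/*/; do
        dir=${dir%/}
        [ -d "$dir" ] || continue      # unmatched glob stays literal; skip it
        mode=$(stat -c '%a' "$dir")
        if [ "$mode" != 750 ]; then
            echo "BAD $dir mode=$mode want=750"; bad=1
        fi
    done
    [ "$bad" -eq 0 ]
)

# Demonstration in a scratch directory (constructed sample layout)
demo=$(mktemp -d)
make_shared "$demo/shared" projectA projectB
audit_shared "$demo/shared" && echo "layout matches"
chmod 755 "$demo/shared/projectB"      # simulate drift: "others" gain read access
audit_shared "$demo/shared" || echo "drift detected"
rm -rf "$demo"
```

Run the audit as root on a real /shared, since only root can list that directory.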