Trouble with Linux ACLs

  • Spork Schivago
    Badcaps Legend
    • Mar 2012
    • 4734
    • United States of America

    #1

    Trouble with Linux ACLs

    Hi,

    I'm trying to learn about ACLs in Linux. I've created a directory, /root/how-to's. I want it to have the file permissions 600. But I also want all files and directories that are created under the /root/how-to's directory to have the same file permissions. So, I type this:

    Code:
    root@franklin:[~]# setfacl -b how-to\'s/
    root@franklin:[~]# setfacl -Rdm u:root:rw how-to\'s
    root@franklin:[~]# getfacl how-to\'s
    # file: how-to's
    # owner: root
    # group: root
    user::rw-
    group::---
    other::---
    default:user::rw-
    default:user:root:rw-
    default:group::---
    default:mask::rw-
    default:other::---

    And I think, okay, we're good.

    Then I go into the how-to's directory, touch a file called file, and then list the file:
    Code:
    root@franklin:[~/how-to's]# touch file
    root@franklin:[~/how-to's]# ls -ld file 
    -rw-rw----+ 1 root root 0 Dec 9 17:50 file

    But much to my surprise, the file is created with group read / write permissions, so the file has permissions 660 instead of 600.

    Any ideas what I'm doing wrong and what the proper setfacl command is? I even tried setting the group permission to ---, but still, no luck.

    Thanks
    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full
  • stj
    Great Sage 齊天大聖
    • Dec 2009
    • 30955
    • Albion

    #2
    Re: Trouble with Linux ACLs

    use chmod ??

    Comment

    • Spork Schivago
      Badcaps Legend
      • Mar 2012
      • 4734
      • United States of America

      #3
      Re: Trouble with Linux ACLs

      Originally posted by stj
      use chmod ??
      No, I want to do this with ACLs. I could set the umask as well. I don't want to use chmod, because I'd have to use it on all the files I create. I could use the sticky bit I guess, but my understanding is this should be possible with ACLs and I'd really like to learn them.

      Do you see anything wrong with my ACL statement?
      -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

      Comment

      • stj
        Great Sage 齊天大聖
        • Dec 2009
        • 30955
        • Albion

        #4
        Re: Trouble with Linux ACLs

        no idea - never tried it.

        Comment

        • Spork Schivago
          Badcaps Legend
          • Mar 2012
          • 4734
          • United States of America

          #5
          Re: Trouble with Linux ACLs

          Stj, you should check them out. You can set file permissions just like you would with chmod. If an ACL is set, the directory / file listing will have that + symbol, as shown in the first post.

          You can do really cool things. With chmod, you just set permissions. With chown, you set the group and the file. But you're kinda limited. What happens if you have three users, one that you want to have read access only, two that you want to have read/write access? You could make one the owner of the file and add the other two to a group, but ACLs are much easier.

          You can tell the file, okay, user one has this access, user two and three have this access, user four has this access, group 1 has this access, group 2 has this access, etc, etc.
          -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

          Comment

          • stj
            Great Sage 齊天大聖
            • Dec 2009
            • 30955
            • Albion

            #6
            Re: Trouble with Linux ACLs

            that's not file flags, it would be dependent on the filesystem / kernel and an access rights list on the drive someplace.

            Comment

            • Spork Schivago
              Badcaps Legend
              • Mar 2012
              • 4734
              • United States of America

              #7
              Re: Trouble with Linux ACLs

              Originally posted by stj
              that's not file flags, it would be dependent on the filesystem / kernel and an access rights list on the drive someplace.
              What do you mean that's not file flags? An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. What I want to do should be very easy to do with ACLs, from what I've read. I've followed the various tutorials and it appears to be working to some degree; it's just setting the group read / write bits, which I don't want set. Makes me wonder if setting the ACL will mess up the meaning of the numbers. Notice the +, that tells us the file / dir has an ACL set. Maybe ls -l isn't supposed to be used to check for permissions once an ACL is set and I'm just supposed to use that getfacl program.

              ACLs are dependent on the filesystem. The filesystem has to support them and by default (at least on OpenSuSE), ext4 does. In /etc/fstab, my default, unedited entry is:
              Code:
              UUID=3c6e7faf-093a-49df-83db-ca247620f093 /          ext4    acl,user_xattr    1 1

              The acl tells mount to support ACL, I believe.

              ACL support also needs to be compiled into the kernel or compiled as a module, for the filesystems that support it.

              I'm not sure where they're physically stored. I believe almost all major Linux operating systems support ACL. I think you could test to see if you have ACL support on your system by running something like:
              Code:
              tune2fs -l /dev/sda | grep acl

              Where /dev/sda is the hard drive you have mounted.
              -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

              Comment

              • Spork Schivago
                Badcaps Legend
                • Mar 2012
                • 4734
                • United States of America

                #8
                Re: Trouble with Linux ACLs

                I tried something different and it seems to be working as expected now:
                Code:
                # Clear the ACL on the how-to's directory (-b removes all extended ACL entries;
                # setfacl with no option at all only prints its usage).
                setfacl -b /root/how-to\'s

                # Set the default ACL entry for the owning user (u with no name) to rw on the
                # how-to's directory.
                # -R = recursive: also apply to the directories that already exist below it,
                #   not just the how-to's directory itself.
                # -d = default. All operations apply to the default ACL, which is what files
                #   and directories created inside the directory later inherit.
                # -m = modify the ACL of a directory or file.
                setfacl -Rdm u::rw /root/how-to\'s

                I just picked u for user and didn't actually specify any user. I said to always set the read / write permissions whenever a file or directory is created. To test, I ran mkdir a few times and touch:
                Code:
                root@franklin:[~/how-to's]# touch test1
                root@franklin:[~/how-to's]# mkdir test2
                root@franklin:[~/how-to's]# mkdir test2/test3
                root@franklin:[~/how-to's]# touch test2/test3/test4
                root@franklin:[~/how-to's]# ls -ld test1 test2 test2/test3 test2/test3/test4
                -rw------- 1 root root  0 Dec 10 01:04 test1
                drw-------+ 3 root root 4096 Dec 10 01:04 test2
                drw-------+ 2 root root 4096 Dec 10 01:04 test2/test3
                -rw------- 1 root root  0 Dec 10 01:04 test2/test3/test4

                I guess I just don't understand why it wasn't working when I was specifying the user root....
                -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

                Comment

                • Spork Schivago
                  Badcaps Legend
                  • Mar 2012
                  • 4734
                  • United States of America

                  #9
                  Re: Trouble with Linux ACLs

                  Ah! Maybe this is why.
                  Code:
                  root@franklin:[~]# getfacl how-to\'s
                  # file: how-to's
                  # owner: root
                  # group: root
                  user::rw-
                  group::---
                  other::---
                  default:user::rw-
                  default:group::---
                  default:other::---

                  The umask is missing from the getfacl output. I bet that was what was somehow setting the group permissions to read / write.
                  -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

                  Comment
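The two getfacl listings in posts #1 and #9 differ by a mask entry, and that is what ls -l was reflecting: in POSIX ACLs a named user or group entry (such as user:root) requires a mask, ls -l prints the mask in the group triad, and the owning group's effective rights are its own entry ANDed with the mask, so group::--- stays --- even when the listing shows rw-. Added example, not code from the thread: a small Python model of that inheritance and display logic, run over the two default ACL listings constructed from the posts.

```python
PERM_BITS = {"r": 4, "w": 2, "x": 1}
# Constructed samples: the default ACL entries shown in post #1 (named user
# entry present, so a mask exists) and in post #9 (no named entry, no mask).
ACL_POST1 = """\
default:user::rw-
default:user:root:rw-
default:group::---
default:mask::rw-
default:other::---
"""
ACL_POST9 = """\
default:user::rw-
default:group::---
default:other::---
"""

def parse_default_acl(text):
    """Map 'tag:qualifier' -> permission bits for the default: entries."""
    acl = {}
    for line in text.splitlines():
        if not line.startswith("default:"):
            continue  # skip comment lines and access (non-default) entries
        tag, qual, perms = line[len("default:"):].split(":")
        acl[f"{tag}:{qual}"] = sum(PERM_BITS.get(c, 0) for c in perms)
    return acl

def inherit_file_acl(default_acl, create_mode=0o666):
    """ACL a new file gets: the parent's default ACL, with the owner, the mask
    (or the owning group when there is no mask) and other ANDed with the mode
    the creator asked for (touch asks for 0666; umask is ignored here)."""
    acl = dict(default_acl)
    acl["user:"] &= (create_mode >> 6) & 7
    acl["mask:" if "mask:" in acl else "group:"] &= (create_mode >> 3) & 7
    acl["other:"] &= create_mode & 7
    return acl

def effective_perms(acl):
    """Named users, named groups and the owning group are limited by the mask;
    the owner and other entries are not (what getfacl shows as #effective:)."""
    mask = acl.get("mask:")
    if mask is None:
        return dict(acl)
    return {k: v if k in ("user:", "other:", "mask:") else v & mask for k, v in acl.items()}

def ls_mode(acl):
    """Octal mode ls -l displays: owner, then the MASK when one exists
    (otherwise the owning group), then other."""
    middle = acl["mask:"] if "mask:" in acl else acl["group:"]
    return f"{acl['user:']}{middle}{acl['other:']}"
```

For the post #1 listing, inherit_file_acl(parse_default_acl(ACL_POST1)) gives an ls mode of 660 while effective_perms still reports 0 for the owning group; the post #9 listing gives 600.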

                  • Spork Schivago
                    Badcaps Legend
                    • Mar 2012
                    • 4734
                    • United States of America

                    #10
                    Re: Trouble with Linux ACLs

                    Another way to do what I want would be to set the umask; however, on certain systems with certain setups, this might be a bad idea.

                    The umask is just kinda like the inverse of the file permissions you set with chmod.

                    For example, a umask of 022 would be a chmod of 755, or owner has RWX, group has RX, and other has RX. On the Linux systems I've played with, you can set the umask globally in /etc/profile.

                    On my CentOS system, I had originally set the umask so files, by default, would be created with the 660 permissions (owner had RW, group had RW but other had no access). Directories always had the X bit set, otherwise, you get weird errors on CentOS. Anyway, cPanel depends on a normal umask, which is kind of stupid, if you ask me. What's the sense in having a umask if you can't change it? I think the cPanel scripts should be setting the umask before they run, if the umask matters. Anyway, because of this, I couldn't change the umask without breaking my system. The ACL works fine though.
                    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

                    Comment
