Announcement

Collapse
No announcement yet.

Trouble with Linux ACLs

Collapse
X
Collapse
 
  • Page of 1
  • Filter
  • Time
  • Show
Clear All
new posts
Previous template Next
    #1

    Trouble with Linux ACLs

    Hi,

    I'm trying to learn about ACLs in Linux. I've created a directory, /root/how-to\'s. I want it to have the file permissions 600. But I also want all files and directories that are created under the /root/how-to\'s directory to have the same file permissions. So, I type this:

    Code:
    root@franklin:[~]# setfacl -b how-to\'s/
root@franklin:[~]# setfacl -Rdm u:root:rw how-to\'s
root@franklin:[~]# getfacl how-to\'s
# file: how-to's
# owner: root
# group: root
user::rw-
group::---
other::---
default:user::rw-
default:user:root:rw-
default:group::---
default:mask::rw-
default:other::---
    And I think, okay, we're good.

    Then I go into the how-to\'s directory and touch a file called file and then I list the file
    Code:
    root@franklin:[~/how-to's]# touch file
root@franklin:[~/how-to's]# ls -ld file 
-rw-rw----+ 1 root root 0 Dec 9 17:50 file
    But much to my surprise, the file is created with group read / write permissions, so the file has permissions 660, instead of 600.

    Any ideas what I'm doing wrong and what the proper setfacl command is? I even tried setting the group permission to ---, but still, no luck.

    Thanks
    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full
    Tags: None
    #2
    Re: Trouble with Linux ACLs

    use chmod ??

    Comment

      #3
      Re: Trouble with Linux ACLs

      Originally posted by stj View Post
      use chmod ??
      No, I want to do this with ACL's. I could set the umask as well. I don't want to use chmod, because I'd have to use it on all the files I create. I could use the sticky bit I guess, but my understanding is this should be possible with ACL's and I'd really like to learn them.

      Do you see anything wrong with my ACL statement?
      -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

      Comment

        #4
        Re: Trouble with Linux ACLs

        no idea - never tried it.

        Comment

          #5
          Re: Trouble with Linux ACLs

          Stj, you should check them out. You can set file permissions just like you would with chmod. If an ACL is set, the directory / file listing will that have + symbol, as shown in the first post.

          You can do really cool things. With chmod, you just set permissions. With chown, you set the group and the file. But you're kinda limited. What happens if you have three users, one that you want to have read access only, two that you want to have read/write access? You could make one the owner of the file and add the other two to a group, but ACLs are much easier.

          You can tell the file, okay, user one has this access, user two and three have this access, user four have has this access, group 1 has this access, group 2 has this access, etc, etc.
          -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

          Comment

            #6
            Re: Trouble with Linux ACLs

            that's not file flags, it would be dependent on the filesystem / kernel and an access rights list on the drive someplace.

            Comment

              #7
              Re: Trouble with Linux ACLs

              Originally posted by stj View Post
              that's not file flags, it would be dependent on the filesystem / kernel and an access rights list on the drive someplace.
              What do you mean that's not file flags? An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. What I want to do should be very easy to do with ACLs, from what I've read. I've followed the various tutorials and it appears to be working to some degree, it's just setting the group read / write bits, which I don't want set. Makes me wonder if setting the ACL will mess up the meaning of the numbers. Notice the +, that tells us the file / dir has an ACL set. Maybe ls -l isn't supposed to be used to check for permissions once an ACL is set and I'm just supposed to use that getfacl program

              ACLs are dependent on the filesystem. The filesystem has to support them and by default (at least on OpenSuSE), ext4 does. In /etc/fstab, my default, unedited entry is:
              Code:
              UUID=3c6e7faf-093a-49df-83db-ca247620f093 /          ext4    acl,user_xattr    1 1
              The acl tells mount to support ACL, I believe.

              ACL support also needs to be compiled into the kernel or compiled as a module, for the filesystems that support it.

              I'm not sure where they're physically stored. I believe almost all major Linux operating systems support ACL. I think you could test to see if you have ACL support on your system by running something like:
              Code:
              tune2fs -l /dev/sda | grep acl
              Where /dev/sda is the hard drive you have mounted.
              -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

              Comment

                #8
                Re: Trouble with Linux ACLs

                I tried something different and it seems to be working as expected now:
                Code:
                # Clear the ACL on the how-to\'s directory.
setfacl /root/how-to\'s

# set the ACL for all users as rw on the how-to\'s directory.
# -R = recursive (so all directories and subdirectories created in the future with inherit the ACL, not
#   just the files in the how-to\'s directory.
# -d = default. All operations apply to the Default ACL
# -m = modify the ACL of a directory or file.
setfacl -Rdm u::rw /root/how-to\'s
                I just picked u for user and didn't actually specify any user. I said to always set the read / write permissions whenever a file or directory is created. To test, I ran mkdir a few times and touch:
                Code:
                root@franklin:[~/how-to's]# touch test1
root@franklin:[~/how-to's]# mkdir test2
root@franklin:[~/how-to's]# mkdir test2/test3
root@franklin:[~/how-to's]# touch test2/test3/test4
root@franklin:[~/how-to's]# ls -ld test1 test2 test2/test3 test2/test3/test4
-rw------- 1 root root  0 Dec 10 01:04 test1
drw-------+ 3 root root 4096 Dec 10 01:04 test2
drw-------+ 2 root root 4096 Dec 10 01:04 test2/test3
-rw------- 1 root root  0 Dec 10 01:04 test2/test3/test4
                I guess I just don't understand why it wasn't working when I was specifying the user root....
                -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

                Comment

                  #9
                  Re: Trouble with Linux ACLs

                  Ah! maybe this is why.
                  Code:
                  root@franklin:[~]# getfacl how-to\'s
# file: how-to's
# owner: root
# group: root
user::rw-
group::---
other::---
default:user::rw-
default:group::---
default:other::---
                  The umask is missing from the getfacl output. I bet that was what was somehow setting the group permissions to read / write.
                  -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

                  Comment

                    #10
                    Re: Trouble with Linux ACLs

                    Another way to do what I'd want would be to set the umask, however, on certain systems with certain setups, this might be a bad idea.

                    The umask is just kinda like the inverse of the file permissions you set with chmod.

                    For example, a umask of 022 would be a chmod of 755, or owner has RWX, group has RX, and other has RX. On the Linux system's I've played with, you can set the umask globally in /etc/profile.

                    On my CentOS system, I had originally set the umask so files, by default, would be created with the 660 permissions (owner had RW, group had RW but other had no access). Directories always had the X bit set, otherwise, you get weird errors on CentOS. Anyway, cPanel depends on a normal umask, which is kind of stupid, if you ask me. What's the sense in having a umask if you can't change it? I think the cPanel scripts should be setting the umask before they run, if the umask matters. Anyway, because of this, I couldn't change the umask without breaking my system. The ACL works fine though.
                    -- Law of Expanding Memory: Applications Will Also Expand Until RAM Is Full

                    Comment

                    Previous template Next
                    Working...