Trouble with Linux ACLs

**stj** · 12-09-2016, 06:28 PM

Re: Trouble with Linux ACLs

use chmod ??

**Spork Schivago** · 12-09-2016, 06:55 PM

Re: Trouble with Linux ACLs

Originally posted by stj

use chmod ??

No, I want to do this with ACL's. I could set the umask as well. I don't want to use chmod, because I'd have to use it on all the files I create. I could use the sticky bit I guess, but my understanding is this should be possible with ACL's and I'd really like to learn them.

Do you see anything wrong with my ACL statement?

**stj** · 12-09-2016, 07:20 PM

Re: Trouble with Linux ACLs

no idea - never tried it.

**Spork Schivago** · 12-09-2016, 07:43 PM

Re: Trouble with Linux ACLs

Stj, you should check them out. You can set file permissions just like you would with chmod. If an ACL is set, the directory / file listing will that have + symbol, as shown in the first post.

You can do really cool things. With chmod, you just set permissions. With chown, you set the group and the file. But you're kinda limited. What happens if you have three users, one that you want to have read access only, two that you want to have read/write access? You could make one the owner of the file and add the other two to a group, but ACLs are much easier.

You can tell the file, okay, user one has this access, user two and three have this access, user four have has this access, group 1 has this access, group 2 has this access, etc, etc.

**stj** · 12-09-2016, 08:32 PM

Re: Trouble with Linux ACLs

that's not file flags, it would be dependent on the filesystem / kernel and an access rights list on the drive someplace.

**Spork Schivago** · 12-09-2016, 11:58 PM

Re: Trouble with Linux ACLs

Originally posted by stj

that's not file flags, it would be dependent on the filesystem / kernel and an access rights list on the drive someplace.

What do you mean that's not file flags? An ACL specifies which users or system processes are granted access to objects, as well as what operations are allowed on given objects. What I want to do should be very easy to do with ACLs, from what I've read. I've followed the various tutorials and it appears to be working to some degree, it's just setting the group read / write bits, which I don't want set. Makes me wonder if setting the ACL will mess up the meaning of the numbers. Notice the +, that tells us the file / dir has an ACL set. Maybe ls -l isn't supposed to be used to check for permissions once an ACL is set and I'm just supposed to use that getfacl program

ACLs are dependent on the filesystem. The filesystem has to support them and by default (at least on OpenSuSE), ext4 does. In /etc/fstab, my default, unedited entry is:

Code:

UUID=3c6e7faf-093a-49df-83db-ca247620f093 /          ext4    acl,user_xattr    1 1

The acl tells mount to support ACL, I believe.

ACL support also needs to be compiled into the kernel or compiled as a module, for the filesystems that support it.

I'm not sure where they're physically stored. I believe almost all major Linux operating systems support ACL. I think you could test to see if you have ACL support on your system by running something like:

Code:

tune2fs -l /dev/sda | grep acl

Where /dev/sda is the hard drive you have mounted.

**Spork Schivago** · 12-10-2016, 12:05 AM

Re: Trouble with Linux ACLs

I tried something different and it seems to be working as expected now:

Code:

# Clear the ACL on the how-to\'s directory.
setfacl /root/how-to\'s

# set the ACL for all users as rw on the how-to\'s directory.
# -R = recursive (so all directories and subdirectories created in the future with inherit the ACL, not
#   just the files in the how-to\'s directory.
# -d = default. All operations apply to the Default ACL
# -m = modify the ACL of a directory or file.
setfacl -Rdm u::rw /root/how-to\'s

I just picked u for user and didn't actually specify any user. I said to always set the read / write permissions whenever a file or directory is created. To test, I ran mkdir a few times and touch:

Code:

root@franklin:[~/how-to's]# touch test1
root@franklin:[~/how-to's]# mkdir test2
root@franklin:[~/how-to's]# mkdir test2/test3
root@franklin:[~/how-to's]# touch test2/test3/test4
root@franklin:[~/how-to's]# ls -ld test1 test2 test2/test3 test2/test3/test4
-rw------- 1 root root  0 Dec 10 01:04 test1
drw-------+ 3 root root 4096 Dec 10 01:04 test2
drw-------+ 2 root root 4096 Dec 10 01:04 test2/test3
-rw------- 1 root root  0 Dec 10 01:04 test2/test3/test4

I guess I just don't understand why it wasn't working when I was specifying the user root....

**Spork Schivago** · 12-10-2016, 12:07 AM

Re: Trouble with Linux ACLs

Ah! maybe this is why.

Code:

root@franklin:[~]# getfacl how-to\'s
# file: how-to's
# owner: root
# group: root
user::rw-
group::---
other::---
default:user::rw-
default:group::---
default:other::---

The umask is missing from the getfacl output. I bet that was what was somehow setting the group permissions to read / write.

**Spork Schivago** · 12-10-2016, 11:42 PM

Re: Trouble with Linux ACLs

Another way to do what I'd want would be to set the umask, however, on certain systems with certain setups, this might be a bad idea.

The umask is just kinda like the inverse of the file permissions you set with chmod.

For example, a umask of 022 would be a chmod of 755, or owner has RWX, group has RX, and other has RX. On the Linux system's I've played with, you can set the umask globally in /etc/profile.

On my CentOS system, I had originally set the umask so files, by default, would be created with the 660 permissions (owner had RW, group had RW but other had no access). Directories always had the X bit set, otherwise, you get weird errors on CentOS. Anyway, cPanel depends on a normal umask, which is kind of stupid, if you ask me. What's the sense in having a umask if you can't change it? I think the cPanel scripts should be setting the umask before they run, if the umask matters. Anyway, because of this, I couldn't change the umask without breaking my system. The ACL works fine though.

Trouble with Linux ACLs

Trouble with Linux ACLs

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Related Topics