LinuxQuestions.org
Old 07-08-2008, 07:49 AM   #1
le_forban
LQ Newbie
 
Registered: Jan 2008
Location: Brittany, France
Distribution: RHEL4&5
Posts: 7

Rep: Reputation: Disabled
ACL effective permissions problem on file copies


Hello everybody, I'm in a bit of trouble here, let me explain:

directory /var/test:

drwx------+ 3 testuser testgroup 4096 Jul 8 07:56 test

/var/test is a mountpoint for an LVM volume mounted with the acl option:

/dev/mapper/testvg-testvol on /var/test type ext3 (rw,acl)

I want testuser:testgroup to be able to read and write files in this directory and its subdirectories. I also want another user, amanda:disk, to have the same read/write permissions to back up and restore said files and directories. I don't want any other user to have access to those files, not even a read privilege. Of course root can.

I figured I could use the ACLs to solve this problem and tried the following:

setfacl --set u::rwx,u:amanda:rwx,g::-,o::-,m:rwx /var/test
setfacl -d --set u::rwx,u:amanda:rwx,g::-,o::-,m:rwx /var/test

While this works fine for the files that testuser creates in /var/vms:

-bash-3.2$ touch /var/test/testfile
-bash-3.2$ getfacl /var/test/testfile
getfacl: Removing leading '/' from absolute path names
# file: var/test/testfile
# owner: testuser
# group: testgroup
user::rw-
user:amanda:rwx #effective:rw-
group::---
mask::rw-
other::---

It doesn't work for files created by testuser in another directory such as /tmp and copied to /var/test:

-bash-3.2$ touch /tmp/testfile2
-bash-3.2$ ls -l /tmp/testfile2
-rw-r--r-- 1 testuser testgroup 0 Jul 8 08:07 /tmp/testfile2
-bash-3.2$ getfacl /tmp/testfile2
getfacl: Removing leading '/' from absolute path names
# file: tmp/testfile2
# owner: testuser
# group: testgroup
user::rw-
group::r--
other::r--

-bash-3.2$ cp /tmp/testfile2 /var/test
-bash-3.2$ ls -l /var/test/testfile2
-rw-r-----+ 1 testuser testgroup 0 Jul 8 08:07 /var/test/testfile2
-bash-3.2$ getfacl /var/test/testfile2
getfacl: Removing leading '/' from absolute path names
# file: var/test/testfile2
# owner: testuser
# group: testgroup
user::rw-
user:amanda:rwx #effective:r--
group::---
mask::r--
other::---

In this case, the effective rights of the amanda user are sufficient to back up this file but insufficient to restore it, oops...

Please, could you point me in the right direction because I am kind of stuck here... Thank you all very much.

Richard
 
Old 07-09-2008, 07:33 AM   #2
choogendyk
Senior Member
 
Registered: Aug 2007
Location: Massachusetts, USA
Distribution: Solaris 9 & 10, Mac OS X, Ubuntu Server
Posts: 1,189

Rep: Reputation: 105
Sorry you haven't gotten an answer on the acls. I don't have a comparable system to yours to play around and see how it works, but I can tell you that moving and copying files from one place to another is the most likely situation where things might not work as you would like. I've repeatedly had that problem with Samba shares and Windows users (one person uploads a file via Samba, another who has shell access on the server moves the file into a location that should be public for that group and finds that group privileges are not correct).

On the other hand, I believe you have to be root to run amrecover, since that puts you in the position of accessing the tapes on the backup server and allows you to see everything as well as recover anything. Backup and Recovery typically has to be able to access everything, regardless of permissions. You might want to review your install of Amanda, or, if it's a system someone else installed, review the user documentation: http://wiki.zmanda.com/index.php/User_documentation.
 
Old 07-09-2008, 07:46 AM   #3
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
You need to use the "-a" option to cp to copy the ACLs. Also, the filesystem you back up the files to needs to also support ACLs and be mounted with the acl option.

As an aside, you can use the "star" program to back up files including ACLs, attributes and file attributes (setfacl, chattr, setfattr). My version of tar will not do this, but some versions have an -acl option. You could download that version & compile it.

You had the right idea to test your backups & restore before going with it. If you use tar or star do the same thing.

Last edited by jschiwal; 07-09-2008 at 07:49 AM.
 
Old 07-09-2008, 08:43 AM   #4
le_forban
LQ Newbie
 
Registered: Jan 2008
Location: Brittany, France
Distribution: RHEL4&5
Posts: 7

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by choogendyk
...On the other hand, I believe you have to be root to run amrecover, since that puts you in the position of accessing the tapes on the backup server and allows you to see everything as well as recover anything. Backup and Recovery typically has to be able to access everything, regardless of permissions. ...
Absolutely correct and so obvious I didn't see it, my mistake. The "r" permission is sufficient for amanda in that case. Tested OK on my system.

Quote:
Originally Posted by jschiwal
You need to use the "-a" option to cp to copy the acls. Also, the filesystem you backup the files to needs to also support acls and be mounted with the acl option....
Yes but unfortunately I don't know the source directory beforehand and they don't all use ACLs so if I copy with -a a file that does not come from an ACL-enabled directory, the default ACLs won't even apply.

What I noticed is that the ACL mask really relies on the "group" rights. If a chmod g something is applied to the file, it will affect the mask of the ACL.

Thank you both for these precious bits of information. It'll do just fine.
 
Old 07-09-2008, 07:57 PM   #5
choogendyk
Senior Member
 
Registered: Aug 2007
Location: Massachusetts, USA
Distribution: Solaris 9 & 10, Mac OS X, Ubuntu Server
Posts: 1,189

Rep: Reputation: 105
Quote:
Originally Posted by jschiwal
As an aside, you can use the "star" program to backup files including acls, attributes and file attributes (setfacl, chattr, setfattr). My version of tar will not do this, but some versions have an -acl option. You could download that version & compile it.

You had the right idea to test your backups & restore before going with it. If you use tar or star do the same thing.
Yup. You need to know the version of tar you are using. `tar --version` will tell you, and on some of my systems this will respond that it is gnutar. Gnutar will do ACLs.

You can also download and install gnutar, if your tar is inadequate. Amanda recommends gnutar. Just make sure Amanda knows where it is -- either install it in the same location tar was in when you configured Amanda, or you may need to reconfigure Amanda.
 