03-18-2012, 08:09 PM   #1
gezley
Senior Member
 
Registered: Sep 2009
Location: Ireland
Distribution: Slackware64, Crux64, NetBSD64
Posts: 1,064

ACL permissions on subdirectory


Hi

I'm not quite a newbie with regard to Linux but I am a total newbie with regard to ACLs. That's why I have posted this thread here. Hope it's appropriate.

I have /dev/sdb5 mounted at /data, with standard Linux permissions 770. I can't set a umask as the filesystem is XFS.

How would I use ACLs to give rwx rights to the user "demo" on the /data/test subdirectory, without allowing that user to traverse /data ?
 
03-19-2012, 01:04 AM   #2
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

What do you mean when you say "without allowing that user to traverse /data"?
He will naturally need to have execute access to /data.

Something like
setfacl -m u:demo:rwx /data/test
should satisfy the permitted access.


Cheers,
Tink
 
03-19-2012, 03:53 PM   #3
gezley
Senior Member
 
Registered: Sep 2009
Location: Ireland
Distribution: Slackware64, Crux64, NetBSD64
Posts: 1,064

Original Poster
Quote:
Originally Posted by Tinkster
What do you mean when you say "without allowing that user to traverse /data"?
He will naturally need to have execute access to /data.

This is what I don't understand. I was under the impression ACLs allowed for more fine-grained control than that. You're saying I would need to chmod a+rx /data first, and only then apply ACLs to subdirectories under that? This of course leaves /data wide open to public perusal, which is hardly optimal.

I forgot to add that the owner:group of /data in my test setup is gerard.gerard.
 
03-19-2012, 04:54 PM   #4
Satyaveer Arya
Senior Member
 
Registered: May 2010
Location: Palm Island
Distribution: RHEL, CentOS, Debian, Oracle Solaris 10
Posts: 1,415

For a good understanding on ACLs you can go through this guide: http://www.suse.de/~agruen/acl/chapter/fs_acl-en.pdf
 
1 members found this post helpful.
03-19-2012, 05:37 PM   #5
Tinkster
Moderator
 
Registered: Apr 2002
Location: in a fallen world
Distribution: slackware by choice, others too :} ... android.
Posts: 23,066
Blog Entries: 11

Quote:
Originally Posted by gezley
This is what I don't understand. I was under the impression ACLs allowed for more fine-grained control than that. You're saying I would need to chmod a+rx /data first, and only then apply ACLs to subdirectories under that? This of course leaves /data wide open to public perusal, which is hardly optimal.

No, I didn't say that. All I say is that the user who needs more access to a
directory on a deeper level will need to at least have execute permissions on
that directory's parent(s). How you achieve that is up to you; a chmod a+rx
sounds like a bad idea.



Cheers,
Tink
 
03-19-2012, 06:59 PM   #6
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,240

As Tinkster said, the user needs to traverse /data to reach test dir.
You could put another acl on the dir /data to only allow demo in addition to the usual owner.

You need to mentally approach perms inc acls as starting with no access and then gradually/selectively opening the target up via perms or acls or both.
In other words, you don't restrict people from access, you start with none & then you provide (limited) access (which may be none); it's the other side of the coin
HTH
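
Added example, not part of any post in this thread: the suggestion above (a second ACL entry on /data that lets only demo in, besides the owner) written out as setfacl commands, plus a check that reads getfacl output and reports what a named user entry really grants once the mask is applied. The function names grant_demo and effective_perms are made up for this example, the getfacl listings are constructed, and user "demo" is assumed to exist.

```shell
# Added example, not from the thread. Assumes user "demo" exists and that
# /data and /data/test are the directories from the first post.

# The two grants discussed above (run as root or as the owner of /data).
# Defined only; nothing below calls it.
grant_demo() {
    setfacl -m u:demo:--x /data        # search (traverse) only, no listing
    setfacl -m u:demo:rwx /data/test   # full access to the subdirectory
}

# effective_perms USER: read getfacl text on stdin, print the named user
# entry ANDed with the mask ("none" if USER has no named entry).
effective_perms() {
    awk -F: -v who="$1" '
        /^#/ || NF < 3 { next }          # header comments, blank lines
        { sub(/[ \t]*#.*/, "", $3) }     # strip "#effective:" notes
        $1 == "user" && $2 == who { perms = $3 }
        $1 == "mask" { mask = $3 }
        END {
            if (perms == "") { print "none"; exit }
            if (mask == "") mask = "rwx"
            out = ""
            for (i = 1; i <= 3; i++) {
                p = substr(perms, i, 1)
                out = out ((p != "-" && p == substr(mask, i, 1)) ? p : "-")
            }
            print out
        }'
}

# Constructed getfacl output: /data (770, gerard:gerard) after grant_demo.
DATA_ACL='# file: data
# owner: gerard
# group: gerard
user::rwx
user:demo:--x
group::rwx
mask::rwx
other::---'

# Constructed: /data/test after a later "chmod g-w" narrowed the mask.
TEST_ACL='user::rwx
user:demo:rwx   #effective:r-x
group::rwx      #effective:r-x
mask::r-x
other::---'

echo "demo on /data:      $(printf '%s\n' "$DATA_ACL" | effective_perms demo)"
echo "demo on /data/test: $(printf '%s\n' "$TEST_ACL" | effective_perms demo)"
```

With --x on /data, demo can pass through to /data/test but cannot list or create anything in /data itself, and everyone else stays locked out by the 770 mode. The second listing shows why the mask line matters: a chmod on the group bits of a directory that carries an ACL changes the mask and silently trims named-user entries.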
 
  

