LinuxQuestions.org
Old 04-17-2014, 03:16 PM   #1
linuxmantra
Member
 
Registered: Dec 2013
Posts: 111

Rep: Reputation: Disabled
Grant user to read only permission


I have a user "tom"; I want to give read only access to tom for /opt/app. But for other users there should not be any change. How can I do this in Red Hat?

root@server:# ll /opt/
drwxr-xr-x 3 root root 4096 Apr 17 12:41 app

Last edited by linuxmantra; 04-17-2014 at 03:31 PM.
 
Old 04-17-2014, 07:25 PM   #2
bigrigdriver
LQ Addict
 
Registered: Jul 2002
Location: East Centra Illinois, USA
Distribution: Debian stable
Posts: 5,889

Rep: Reputation: 351
You would probably need to set up ACL (access control list). There is a lengthy discussion on this topic on the Red Hat Customer Portal, which begins here.
 
Old 04-17-2014, 07:25 PM   #3
Tadaen
Member
 
Registered: Sep 2005
Distribution: Arch
Posts: 210

Rep: Reputation: 39
Can change /opt/app to root:tom and chmod 740 /opt/app.

This only works if /opt is static, I don't know if it is as I've never considered doing anything with it.

Last edited by Tadaen; 04-17-2014 at 07:28 PM.
 
Old 04-17-2014, 07:28 PM   #4
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware
Posts: 7,655
Blog Entries: 10

Rep: Reputation: Disabled
I looked in the Practical Guide to Fedora & Red Hat Enterprise Linux 6th edition. Page 203
The 7th isn't online in PDF form yet, least I didn't find it-

You use chmod to execute permission for all users and chmod to-rwx to remove all permissions for all but the owner.

Code:
777 Owner, group, and others can read, write, and execute file
755 Owner can read, write, and execute file; group and others can read and execute file
711 Owner can read, write, and execute file; group and others can execute file
644 Owner can read and write file; group and others can read file
640 Owner can read and write file, group can read file, and others cannot access file
Here's the example in the book. The link to the book is at the end of the example; hope it helps.
Code:
Symbolic Arguments to chmod
The following example, which uses symbolic arguments to chmod , adds (+) read and
write permissions (rw) for all (a) users:
$ ls -l letter.0210
-rw-r-----. 1 sam pubs 6193 02-10 14:22 letter.0210
$ chmod a+rw letter.0210
$ ls -l letter.0210
-rw-rw-rw-. 1 sam pubs 6193 02-10 14:22 letter.0210
http://it-ebooks.info/book/1442/
 
Old 04-17-2014, 07:35 PM   #5
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware
Posts: 7,655
Blog Entries: 10

Rep: Reputation: Disabled
There are 2 kinds of rules for the ACL: access rules and default rules. These rules are access information for a single file or directory. A default ACL pertains to a directory only.

To enable ACL you will have to edit the /etc/fstab file.
After changing the fstab file you will need to remount /home before you can use ACL.
 
Old 04-18-2014, 08:15 AM   #6
linuxmantra
Member
 
Registered: Dec 2013
Posts: 111

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Ztcoracat
There are 2 kinds of rules for the ACL: access rules and default rules. These rules are access information for a single file or directory. A default ACL pertains to a directory only.

To enable ACL you will have to edit the /etc/fstab file.
After changing the fstab file you will need to remount /home before you can use ACL.
I tried with ACL and it works, but I did not make any entry in /etc/fstab. All I did is:

#setfacl -m u:tom:r /opt/app
#getfacl /opt/app

getfacl: Removing leading '/' from absolute path names
# file: opt/app
# owner: root
# group: root
user::rwx
user:tom:r--
group::r-x
mask::r-x

I logged in as tom:
#su - tom
tom@server~$ cd /opt/app
-bash: cd: /opt/app: Permission denied

This is what I got. So, permission denied means it worked properly? I checked for other users; they can access /opt/app. Further, I logged in as root:
root@server~$ll /opt
drwxr-xr-x+ 4 root root 4096 Feb 19 14:46 app

The + sign here shows that ACL is set. I did not make any entry in /etc/fstab. I even tried in my VM box: I did exactly the same thing there and restarted my server to see whether there would be any effect from not making an entry in /etc/fstab. There was not any effect. Everything worked fine. Why do we need an entry in /etc/fstab?

Last edited by linuxmantra; 04-18-2014 at 08:16 AM.
 
Old 04-18-2014, 08:19 AM   #7
linuxmantra
Member
 
Registered: Dec 2013
Posts: 111

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by Ztcoracat
I looked in the Practical Guide to Fedora & Red Hat Enterprise Linux 6th edition. Page 203
The 7th isn't online in PDF form yet, least I didn't find it-

You use chmod to execute permission for all users and chmod to-rwx to remove all permissions for all but the owner.

Code:
777 Owner, group, and others can read, write, and execute file
755 Owner can read, write, and execute file; group and others can read and execute file
711 Owner can read, write, and execute file; group and others can execute file
644 Owner can read and write file; group and others can read file
640 Owner can read and write file, group can read file, and others cannot access file
Here's the example in the book. The link to the book is at the end of the example; hope it helps.
Code:
Symbolic Arguments to chmod
The following example, which uses symbolic arguments to chmod , adds (+) read and
write permissions (rw) for all (a) users:
$ ls -l letter.0210
-rw-r-----. 1 sam pubs 6193 02-10 14:22 letter.0210
$ chmod a+rw letter.0210
$ ls -l letter.0210
-rw-rw-rw-. 1 sam pubs 6193 02-10 14:22 letter.0210
http://it-ebooks.info/book/1442/
chmod does not work in this case because we don't want any of the file permissions and ownership to be changed. Suppose you change the permission for others to r-- (read only); then it is going to affect all other users. It's ACL that works in this case.
 
Old 04-18-2014, 12:26 PM   #8
bigrigdriver
LQ Addict
 
Registered: Jul 2002
Location: East Centra Illinois, USA
Distribution: Debian stable
Posts: 5,889

Rep: Reputation: 351
Code:
All I did is:

 #setfacl -m u:tom:r /opt/app
 #getfacl /opt/app

 getfacl: Removing leading '/' from absolute path names
 # file: opt/app
 # owner: root
 # group: root
 user::rwx
 user:tom:r--
 group::r-x
 mask::r-x

 I logged in as tom:
 #su - tom
 tom@server~$ cd /opt/app
 -bash: cd: /opt/app: Permission denied
Reboot. Does your solution still work?

I suspect that it only works in the currently running session, and that it will not work on reboot.

You will need to edit /etc/fstab to mount partitions with ACL enabled for the solution to be permanent.
 
Old 04-19-2014, 07:09 PM   #9
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware
Posts: 7,655
Blog Entries: 10

Rep: Reputation: Disabled
I went over my notes from the book and it says to enable ACL edit the /etc/fstab file.
$ grep home /etc/fstab
LABEL=/home /home ext4 defaults,acl

After changing fstab you need to remount /home before you can use ACL. (didn't know that the other day; sorry)

Code:
getfacl displays a file's access control list.
setfacl modifies a file's access control list.
Chapter 20. Access Control Lists
https://access.redhat.com/site/docum...e/ch-acls.html
 
Old 04-20-2014, 09:34 PM   #10
linuxmantra
Member
 
Registered: Dec 2013
Posts: 111

Original Poster
Rep: Reputation: Disabled
+bigrigdriver

Yes, ACL worked without any entry in /etc/fstab. I rebooted the machine and checked to confirm the ACL for the designated directory, i.e. /opt/app, using getfacl; it was still the same, with no change even after reboot.
 
Old 04-20-2014, 09:42 PM   #11
linuxmantra
Member
 
Registered: Dec 2013
Posts: 111

Original Poster
Rep: Reputation: Disabled
If it is explicitly said in the working task (ticket), READ only access for the user 'tom' means just providing r-- permission to access the folder /opt/app, right? I am a little bit confused about one thing: does READ only also need to be accompanied by execute (x)? I mean:
# setfacl -m u:tom:rx /opt/app/

Because my ticket task is to provide read only access for the user 'tom' to /opt/app.

Last edited by linuxmantra; 04-21-2014 at 07:45 AM.
 
Old 04-22-2014, 12:15 AM   #12
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware
Posts: 7,655
Blog Entries: 10

Rep: Reputation: Disabled
The Red Hat Chapter does say that....

Code:
Permissions (perms) must be a combination of the characters r, w, and x for read, write, and execute.
Since read-only access is desired, then set it to u:tom:r-- (read only): setfacl -m u:tom:r-- /opt/app/

The examples in the Practical Guide to Fedora and Red Hat Enterprise Linux use "r--" for read only.
The only page that "rx" was used was where the default was being set for the ACL and other users- In this example:
Code:
 setfacl -m d:o:rx /share

Last edited by Ztcoracat; 04-22-2014 at 12:18 AM.
 
Old 04-22-2014, 06:26 AM   #13
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.9, Centos 7.3
Posts: 17,374

Rep: Reputation: 2383
For a dir, 'x' enables you to search in the dir, effectively a read operation. You should read up on the differences for 'x' between files and dirs.

Re ACLs etc
Quote:
With Red Hat Enterprise Linux 5, acl is set as a default mount option by the installer. Rather than placing an acl entry in
/etc/fstab for each partition, the installer sets the option in the ext3 superblock. The ext3 superblock can
be viewed with either the dumpe2fs or tune2fs -l.
The ACL option is set in the Default mount options field.

tune2fs -l /dev/sda1 | grep options

Default mount options: user_xattr acl
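
Added example, not part of any post in the thread: the `cd` failure in post #6 and the r versus rx question in posts #11 to #13 both come down to how a named-user ACL entry is combined with the mask, and what r and x mean on a directory. The script below parses the getfacl output posted in the thread (embedded as a sample) and reports the result; the function names `effective_perms` and `dir_access` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# Constructed sample: the getfacl output for /opt/app as posted in the thread.
sample_acl='# file: opt/app
# owner: root
# group: root
user::rwx
user:tom:r--
group::r-x
mask::r-x'

# effective_perms USER ACL_TEXT
# Prints the named user's effective permissions: the entry ANDed with the mask.
# Returns 1 if the ACL has no named entry for USER.
effective_perms() {
  printf '%s\n' "$2" | awk -F: -v u="$1" '
    /^#/ || NF < 3 { next }
    { sub(/[ \t].*$/, "", $3) }            # strip "#effective:..." notes
    $1 == "user" && $2 == u { entry = $3 }
    $1 == "mask"            { mask = $3 }
    END {
      if (entry == "") exit 1
      if (mask == "") mask = "rwx"         # no mask line: nothing is filtered
      out = ""
      for (i = 1; i <= 3; i++) {
        c = substr(entry, i, 1)
        out = out ((c != "-" && c == substr(mask, i, 1)) ? c : "-")
      }
      print out
    }'
}

# dir_access PERMS
# Says what an effective permission string allows on a directory.
dir_access() {
  case "$1" in
    r?x) echo "list and enter" ;;
    r?-) echo "list names only, cannot enter" ;;
    -?x) echo "enter only, cannot list" ;;
    *)   echo "no access" ;;
  esac
}

eff=$(effective_perms tom "$sample_acl")
echo "u:tom:r-- on /opt/app -> effective $eff: $(dir_access "$eff")"
rx_acl=$(printf '%s\n' "$sample_acl" | sed 's/^user:tom:r--$/user:tom:r-x/')
eff=$(effective_perms tom "$rx_acl")
echo "u:tom:r-x on /opt/app -> effective $eff: $(dir_access "$eff")"
```

Neither setting gives tom write access; the only difference is whether he can enter the directory and reach the files inside it.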
 
  

