Issue with ACLs on RHEL 6
Hi Experts,
I need your help/advice on how to fix this. I have 2 users in the same group (primary group), and I want to give one of them 777 permissions on a directory owned by user1. Once granted, I can see it with getfacl, but when I actually log in as user2 I cannot touch a file.
Code:
--Logged in as euser
$ id euser
uid=54325(euser) gid=54323(grpi) groups=54323(grpi)
$ ls -ld logs
drwxr-xr-x 2 euser grpi 4096 Sep 21 00:17 logs        ## logs dir has 755 permissions
$ setfacl -m d:u:guser:rwx,d:m:rwx logs                ## Want to set the ACL only for user guser (777)
$ ls -ld logs
drwxr-xr-x+ 2 euser grpi 4096 Sep 21 00:17 logs
$ getfacl logs
# file: logs
# owner: euser
# group: grpi
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:guser:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

--Logged in as guser
$ id guser
uid=54324(guser) gid=54323(grpi) groups=54323(grpi),54322(grpa)
$ ls -ld logs/
drwxr-xr-x+ 2 euser grpi 4096 Sep 21 00:17 logs/
$ touch a
touch: cannot touch `a': Permission denied
Also note that when I set ACLs I don't want to see 775, because if it shows 775 then there is no point in using an ACL. Please help.
Any replies, experts?
Hi:
I'm not an expert, but I have been running Red Hat based distributions for about 3 years. Are you basically saying that you want to give user2 permissions on a directory that user1 is the owner of? If so, you're on the right track. Using the chmod utility is the preferred practice. Permissions can be a tad confusing until you get a real good understanding of them. Take a look at these links; they should help.
http://help.hardhathosting.com/question.php/101
http://linuxcommand.org/lts0070.php
As far as the ACL goes, there are 2 kinds of rules, 'access' rules and 'default' rules. These rules are access information for a single file or directory. I'm pretty sure that a default ACL pertains to one directory only. I have never changed the ACL, so it's best to wait for a member that knows how on that.
I highly recommend this book.
"A Practical Guide to Fedora and Red Hat Enterprise Linux" (7th Edition)
http://www.amazon.com/Practical-Guid.../dp/0133477436
The 6th Edition is here in PDF form:
http://gegeek.com/documents/eBooks/A...%20Edition.pdf
As per our protocol we are not allowed to use 775 (for audit purposes), which is the reason we want to give user2 777 permissions on a dir owned by user1. That is why we want to make use of ACLs.
Before the ACL it is 755, and after the ACL I want it to be 755+ (internally that should allow user2 to read/write/exec on that dir). That's all my intention.
Quote:
The setfacl utility sets ACLs for files and directories. Use the -m option to add or modify the ACL of a file or directory:
Code:
setfacl -m rules files
https://access.redhat.com/documentat...e/ch-acls.html
I don't have experience with using the utilities that come with the ACL package, sorry. Hope the links are helpful.
Am I missing anything on ACL?
This might sound stupid, but are you sure file 'a' does not already exist? Because I can't see any problems in the ACL.
Oh yeah, and have you cd-ed into the directory before running touch (since from what you've shown us, you didn't)? Again, since I can't see any problems in the ACL, I'm looking for simple mistakes (God knows we all make them).
Oh yeah, you have defaults set, but not effective permissions. Run this:
Code:
setfacl -m u:guser:rwx,m::rwx log
Thanks mates for the replies.
Code:
$ pwd
/opt/euser/logs
$ ls -ltra a
ls: cannot access a: No such file or directory
So no file exists beforehand, and I have cd'd to that location. Please let me know.
See my third post :P (*blush*).
Hi Smokey_justme,
If I do this:
Code:
setfacl -m u:guser:rwx,m:rwx log
my permissions change to 775, which does not make any sense for setting an ACL, because the ACL will internally make it 775 but it also openly shows the permissions:
Code:
$ setfacl -m u:guser:rwx,m:rwx logs/
$ ls -ld dummy/
drwxrwxr-x+ 2 edbcon dsm 96 Sep 29 10:27 dummy/
Instead of struggling with ACLs I can easily do 775, so what is the benefit of an ACL? And as said, our protocol is not to give 775 manually. So we want to use an ACL so that it shows 755 but the user is still able to write. That is why I am struggling.
Nope... Your current permissions:
Code:
$ getfacl logs
Running my commands will do nothing but allow the user "guser" to add or remove files from the directory (the mask is not an effective permission) and will not modify your normal 755 permission. Basically, right now you can have euser touch a file, and then see how guser can modify it by default (even if the file will still have no write for group and other). However, guser cannot write to the directory, so he can't add or remove any files.
P.S. It seems the 'ls' output is confusing. However, the directory is still 755:
Code:
smokey@desk:/home$ getfacl log
Hi Smokey, just tried. Hopefully you got my concern.
Code:
$ ls -ld logs/
drwxrwxr-x+ 2 euser grpi 96 Sep 29 10:30 logs/
$ setfacl -b logs/                                   # This is the original
$ ls -ld logs
drwxr-xr-x 2 euser grpi 96 Sep 29 10:30 logs/
$ setfacl -m u:guser:rwx,m::rwx logs/
$ ls -ld logs/
drwxrwxr-x+ 2 euser grpi 96 Sep 29 10:30 logs/     #<<<< It shows as 775. My question is what benefit I am getting with the ACL, since I can get this with chmod 775
$ getfacl logs/
# file: logs/
# owner: euser
# group: grpi
user::rwx
user:guser:rwx
group::r-x
mask::rwx
other::r-x
All I want is for it to look like 755, but guser should be able to touch/edit/delete anything in the logs directory owned by euser. I thought an ACL could help me here, but no luck.
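Added illustration, not code from any post in this thread: a small Python model of the two things the thread keeps tripping over, Smokey_justme's point that the 'ls' output is misleading, and the original poster's question of why guser got "Permission denied" after the first setfacl. The two getfacl texts are retyped from the outputs posted above; the user and group names (euser, guser, grpi, grpa) are the thread's. The access-check order is the POSIX.1e one that Linux implements in posix_acl_permission(); the claim that a file's group mode bits hold the ACL mask once a mask exists is standard POSIX ACL behaviour and is exactly what produced the drwxrwxr-x+ line above. The takeaway it demonstrates: the group:: entry stays r-x (getfacl shows that, and so would an audit of the ACL), the rwx in the middle of the ls -l output is the mask, and a default: ACL on its own grants nothing on the directory.

```python
"""Model of how POSIX ACL entries, the ACL mask and the mode bits printed by
`ls -l` fit together.  Constructed for this thread, not code from the posts."""

# getfacl text retyped from the thread, after `setfacl -m d:u:guser:rwx,d:m:rwx logs`
ACL_DEFAULT_ONLY = """\
# file: logs
# owner: euser
# group: grpi
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:guser:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
"""

# getfacl text retyped from the thread, after `setfacl -m u:guser:rwx,m::rwx logs`
ACL_ACCESS = """\
# file: logs
# owner: euser
# group: grpi
user::rwx
user:guser:rwx
group::r-x
mask::rwx
other::r-x
"""

R, W, X = 4, 2, 1
PERM_BITS = {"r": R, "w": W, "x": X}

def parse_getfacl(text):
    """Parse getfacl text into {'access': {...}, 'default': {...}}; keys are
    (tag, qualifier) tuples such as ('user', 'guser'), values are perm bits.
    A trailing '#effective:...' note is dropped; check_access() recomputes it."""
    acl = {"access": {}, "default": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                                # file/owner/group header
        line = line.split("#", 1)[0].strip()
        which = "access"
        if line.startswith("default:"):
            which, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        acl[which][(tag, qualifier)] = sum(PERM_BITS[c] for c in perms if c in PERM_BITS)
    return acl

def ls_mode_string(acl):
    """The nine permission characters (and '+') that `ls -l` prints.  Once an
    access ACL has a mask, the kernel keeps the mask, not group::, in the group
    bits of st_mode, so ls shows the mask there.  '+' marks any extended ACL,
    and a default-only ACL already counts as one."""
    access = acl["access"]
    group = access.get(("mask", ""), access[("group", "")])
    out = ""
    for bits in (access[("user", "")], group, access[("other", "")]):
        out += "".join(ch if bits & b else "-" for ch, b in (("r", R), ("w", W), ("x", X)))
    extended = ("mask", "") in access or bool(acl["default"])
    return out + ("+" if extended else "")

def check_access(acl, want, subject, owner, owning_group, subject_groups):
    """Does `subject` hold every bit of `want`?  Same order as the POSIX.1e
    check Linux implements in posix_acl_permission(): owner, named user,
    owning group and named groups, other.  Named-user and group entries are
    ANDed with the mask.  Only the access ACL counts: default entries are
    inherited by new children and grant nothing on the directory itself."""
    access = acl["access"]
    mask = access.get(("mask", ""))
    masked = lambda bits: bits if mask is None else bits & mask
    if subject == owner:
        return access[("user", "")] & want == want
    if ("user", subject) in access:
        return masked(access[("user", subject)]) & want == want
    group_matched = False
    if owning_group in subject_groups:
        group_matched = True
        if masked(access[("group", "")]) & want == want:
            return True
    for g in subject_groups:
        if ("group", g) in access:
            group_matched = True
            if masked(access[("group", g)]) & want == want:
                return True
    if group_matched:
        return False                 # a group entry matched but did not grant
    return access[("other", "")] & want == want

def guser_can_touch(acl):
    """`touch logs/a` as guser needs write + search on logs; names as posted."""
    return check_access(acl, W | X, "guser", "euser", "grpi", ["grpi", "grpa"])

if __name__ == "__main__":
    for label, text in (("default only", ACL_DEFAULT_ONLY), ("access ACL", ACL_ACCESS)):
        acl = parse_getfacl(text)
        print(f"{label:12s} ls -ld shows d{ls_mode_string(acl)}; guser can touch: {guser_can_touch(acl)}")
```

Running it prints the two states from the thread: with only the default: entries the directory lists as drwxr-xr-x+ and guser is refused (the owning-group entry r-x is the only thing that matches him, and it lacks w), while after the access entries it lists as drwxrwxr-x+ and guser is allowed through the named user:guser:rwx entry, limited by the mask. The 775 look is the mask being displayed; group:: itself never changed.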