LinuxQuestions.org > Linux - Newbie > Issue with ACL's on RHEL 6
https://www.linuxquestions.org/questions/linux-newbie-8/issue-with-acls-on-rhel-6-a-4175520240/

maddyfreaks 09-26-2014 09:15 PM

Issue with ACL's on RHEL 6
 
Hi Experts,

Need your help/advice on how to fix this.

I have 2 users under the same (primary) group and I want to give 777 permissions on a directory owned by user1 to user2. When granted I can see that from getfacl, but when I actually log in as user2 I can touch a file.

=====================================================================
--Logged as euser
$ id euser
uid=54325(euser) gid=54323(grpi) groups=54323(grpi)

$ ls -ld logs
drwxr-xr-x 2 euser grpi 4096 Sep 21 00:17 logs ## Logs dir has 755 permissions

$ setfacl -m d:u:guser:rwx,d:m:rwx logs ## Want to set ACL only to user -> guser (777)

$ ls -ld logs
drwxr-xr-x+ 2 euser grpi 4096 Sep 21 00:17 logs

$ getfacl logs
# file: logs
# owner: euser
# group: grpi
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:guser:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

--Logged as guser

$ id guser
uid=54324(guser) gid=54323(grpi) groups=54323(grpi),54322(grpa)

$ ls -ld logs/
drwxr-xr-x+ 2 euser grpi 4096 Sep 21 00:17 logs/

$ touch a
touch: cannot touch `a': Permission denied

===================================================================
Also to note: when I make ACLs I don't want to see 775, because if it shows 775 then there is no meaning to ACL.

Please help.

maddyfreaks 09-26-2014 09:47 PM

Any replies, experts...

Ztcoracat 09-27-2014 12:30 AM

Hi:

I'm not an expert but I have been running Red Hat based distributions for about 3 years.

Are you basically saying that you want to give user2 permissions on a directory that user1 is the owner of?

If so, you're on the right track. Using the chmod utility is the preferred practice.

Permissions can be a tad confusing until you get a real good understanding of it.
Take a look at these links; they should help.

http://help.hardhathosting.com/question.php/101
http://linuxcommand.org/lts0070.php

As far as the ACL there are 2 kinds of rules, 'access' rules and 'default' rules.
These rules are access information for a single file or directory.
I'm pretty sure that a default ACL pertains to one directory only.

I have never changed the ACL so it's best to wait for a member that knows how on that.

Ztcoracat 09-27-2014 12:38 AM

I highly recommend this book.
"A Practical Guide to Fedora and Red Hat Enterprise Linux" (7th Edition)
http://www.amazon.com/Practical-Guid.../dp/0133477436

The 6th Edition is here in PDF form-
http://gegeek.com/documents/eBooks/A...%20Edition.pdf

maddyfreaks 09-27-2014 08:07 AM

As per our protocol we are not allowed to use 775 (for audit purposes), which is the reason we want to give user2 777 permissions on a dir owned by user1. That is why we want to make use of ACL.

Before ACL it's 755 and after ACL I want it to be 755+ (internally that should allow user2 to read/write/exec on that dir).

That's all my intention.

Ztcoracat 09-27-2014 12:42 PM

Quote:

Originally Posted by maddyfreaks (Post 5245280)
As per our protocol we are not allowed to use 775 (for audit purposes), which is the reason we want to give user2 777 permissions on a dir owned by user1. That is why we want to make use of ACL.

Before ACL it's 755 and after ACL I want it to be 755+ (internally that should allow user2 to read/write/exec on that dir).

That's all my intention.

Understood-


The setfacl utility sets ACLs for files and directories. Use the -m option to add or modify the ACL of a file or directory:

Code:

setfacl -m rules files
https://access.redhat.com/documentat...s-setting.html

https://access.redhat.com/documentat...e/ch-acls.html

I don't have experience with using the utilities that come with the ACL package, sorry.

Hope the links are helpful:-

maddyfreaks 09-29-2014 09:03 AM

Am I missing anything on ACL?

Smokey_justme 09-29-2014 09:18 AM

This might sound stupid, but are you sure file 'a' does not already exist? Because I can't see any problems in the ACL..

Smokey_justme 09-29-2014 09:20 AM

Ohh, yeah.. And have you cd-ed into the directory before running touch (since from what you've shown us, you didn't)... Again, since I can't see any problems in the ACL I'm looking for simple mistakes (God knows we all make them).

Smokey_justme 09-29-2014 09:24 AM

Ohh, yeah.. You have defaults set, but not effective permissions.. Run this:

Code:

setfacl -m u:guser:rwx,m::rwx log
LE: I've made a correction from m:rwx to m::rwx... Sorry if you read before the edit..

maddyfreaks 09-29-2014 09:27 AM

Thanks mates for the reply.
$ pwd
/opt/euser/logs

$ ls -ltra a
ls: cannot access a: No such file or directory

So no file exists beforehand && I have cd'd to that location.

Please let me know.

Smokey_justme 09-29-2014 09:28 AM

See my third post :P (*blush*)..

maddyfreaks 09-29-2014 09:33 AM

Hi Smokey_justme,

If I do this .... setfacl -m u:guser:rwx,m:rwx log my permissions change to 775, which does not make any sense for setting an ACL, because the ACL will internally make it 775 but it openly shows the permissions.

$ setfacl -m u:guser:rwx,m:rwx logs/
$ ls -ld dummy/
drwxrwxr-x+ 2 edbcon dsm 96 Sep 29 10:27 dummy/


--- Instead of struggling with ACL I can easily do 775, so what is the benefit of ACL? And as said, our protocol is not to give 775 manually. So we want to use ACL so that it shows 755 but the user should be able to write. That is the reason I am struggling.

Smokey_justme 09-29-2014 09:42 AM

Nope... Your current permissions:
Code:

$ getfacl logs
# file: logs
# owner: euser
# group: grpi
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:guser:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

say that any new file created after these permissions were applied gets 644 plus guser gets 6 (rwx) (and mask is set to 6 -- rwx -- to allow this).. So guser is able to edit any new file by default, no matter who owns it... However, he does not have effective write permissions in the directory.. So he cannot add or remove (unlink) files in that directory..

Running my commands will do nothing but allow the user "guser" to add or remove files from the directory (mask is not an effective permission) and will not modify your normal 755 permission.

Basically, right now you can have euser touch a file.. and then see how guser can modify it by default (even if the file will still have no-write for group and other).. However guser cannot write to the directory, so he can't add or remove any files..

P.S. It seems the 'ls' output is confusing.. However, the directory is still 755:
Code:

smokey@desk:/home$ getfacl log 
# file: log
# owner: smokey
# group: users
user::rwx
user:test:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:test:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

smokey@desk:/home$ ls -ld log
drwxrwxr-x+ 1 smokey users 2 Sep 29 17:41 log

smokey@desk:/home$ sudo su test
test@desk:/home$ cd log
test@desk:/home/log$ touch b
test@desk:/home/log$ cd ..
test@desk:/home$ exit
exit
smokey@desk:/home$ sudo su test2
test2@desk:/home$ cd log
test2@desk:/home/log$ touch c
touch: cannot touch 'c': Permission denied


maddyfreaks 09-29-2014 09:55 AM

Hi Smokey, just tried. Hopefully you got my concern.

$ ls -ld logs/
drwxrwxr-x+ 2 euser grpi 96 Sep 29 10:30 logs/

$ setfacl -b logs/

--This is Original
$ ls -ld logs
drwxr-xr-x 2 euser grpi 96 Sep 29 10:30 logs/

$ setfacl -m u:guser:rwx,m::rwx logs/

$ ls -ld logs/
drwxrwxr-x+ 2 euser grpi 96 Sep 29 10:30 logs/ #<<<< It shows as 775; my question is what benefit am I getting with ACL, since I can get this with chmod 775

$ getfacl logs/
# file: logs/
# owner: euser
# group: grpi
user::rwx
user:guser:rwx
group::r-x
mask::rwx
other::r-x

All i want is it should look like 755 but guser should be able to touch/edit/delete anything in logs directory owned by euser.

I thought ACL could help me here but no luck.
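
The behaviour Smokey_justme explains above (default entries only seed new files, an access entry plus mask is what grants guser write on the directory itself, and the mask is what `ls -l` prints in the group column) and maddyfreaks' closing question (what the ACL buys over chmod 775) can both be checked against a small model of the POSIX ACL access algorithm from acl(5). The Python below is an added illustration for this thread, not code from the thread or from the acl package; it reuses the getfacl listings posted in the thread and the names euser, guser, grpi and grpa as sample data, and nothing else is assumed.

```python
# Added illustration: a toy model of the POSIX ACL access check (acl(5)) and of
# what `ls -l` displays. Not code from the thread or the acl package; the ACL
# listings and the names euser/guser/grpi/grpa are the thread's own examples.

def parse_getfacl(text):
    """Split getfacl output into (access, default) lists of (tag, qualifier, perms)."""
    access, default = [], []
    for raw in text.splitlines():
        line = raw.split('#')[0].strip()      # drops "# file:" headers and "#effective:" notes
        if not line:
            continue
        is_default = line.startswith('default:')
        if is_default:
            line = line[len('default:'):]
        tag, qual, perms = line.split(':')
        (default if is_default else access).append((tag, qual, perms))
    return access, default

def bits(perms):
    return frozenset(c for c in perms if c in 'rwx')

def entry(acl, tag, qual=''):
    """Perms string of the first entry with this tag and qualifier, or None."""
    return next((p for t, q, p in acl if t == tag and q == qual), None)

def acl_permits(access, requested, user, groups, owner, owning_group):
    """True if `user` (member of `groups`) may do `requested` ('w', 'wx', ...) on an object
    owned by owner:owning_group with this access ACL. Entries are tried in the kernel's
    order; the mask caps all but the owner and other entries. Default entries play no part."""
    want = bits(requested)
    mask = entry(access, 'mask')
    cap = (lambda p: bits(p) & bits(mask)) if mask is not None else bits
    if user == owner:                                      # 1. ACL_USER_OBJ, unmasked
        return want <= bits(entry(access, 'user'))
    named = entry(access, 'user', user)                    # 2. ACL_USER, masked
    if named is not None:
        return want <= cap(named)
    matched = False                                        # 3. ACL_GROUP_OBJ / ACL_GROUP, masked
    for tag, qual, perms in access:
        if tag == 'group' and (owning_group in groups if qual == '' else qual in groups):
            matched = True
            if want <= cap(perms):                         # any one matching entry suffices
                return True
    if matched:
        return False
    return want <= bits(entry(access, 'other'))            # 4. ACL_OTHER

def ls_triplets(access):
    """The nine permission characters `ls -l` prints: owner, then the MASK in place
    of the group triple whenever a mask exists, then other."""
    middle = entry(access, 'mask') or entry(access, 'group')
    return entry(access, 'user') + middle + entry(access, 'other')

def inherit(default, mode='rw-'):
    """Access ACL a new object gets from its parent's default ACL: named entries are copied
    unchanged; owner, mask (or owning group when there is no mask) and other are ANDed with
    the creation mode, written as one triple ('rw-' for a 0666 file, 'rwx' for a 0777 dir)."""
    has_mask = entry(default, 'mask') is not None
    clipped = {('user', ''), ('mask', ''), ('other', '')} | (set() if has_mask else {('group', '')})
    return [(t, q, ''.join(a if a == b else '-' for a, b in zip(p, mode)) if (t, q) in clipped else p)
            for t, q, p in default]

# getfacl output from the first post: default entries only
DEFAULTS_ONLY = """\
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:guser:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
"""

# getfacl output from the last post, after `setfacl -m u:guser:rwx,m::rwx logs/`
WITH_ACCESS_ENTRY = """\
user::rwx
user:guser:rwx
group::r-x
mask::rwx
other::r-x
"""

GUSER = dict(user='guser', groups={'grpi', 'grpa'}, owner='euser', owning_group='grpi')

def demo():
    a1, d1 = parse_getfacl(DEFAULTS_ONLY)
    a2, _ = parse_getfacl(WITH_ACCESS_ENTRY)
    a3 = [(t, q, 'r-x' if t == 'mask' else p) for t, q, p in a2]   # same ACL, mask lowered to r-x
    new_file = inherit(d1)                                          # a file euser creates in logs/
    return {
        'defaults_only_touch': acl_permits(a1, 'wx', **GUSER),      # creating a file needs w+x
        'defaults_only_ls': ls_triplets(a1),
        'access_entry_touch': acl_permits(a2, 'wx', **GUSER),
        'access_entry_ls': ls_triplets(a2),
        'plain_grpi_member_write': acl_permits(a2, 'w', 'someone', {'grpi'}, 'euser', 'grpi'),
        'mask_rx_touch': acl_permits(a3, 'wx', **GUSER),
        'new_file_ls': ls_triplets(new_file),
        'new_file_guser_write': acl_permits(new_file, 'w', **GUSER),
    }
```

Calling demo() shows the three points at issue in one place: with only default entries, guser is denied w+x on logs (so touch fails) while the listing reads rwxr-xr-x; with the access entry and an rwx mask the same request is granted, the listing reads rwxrwxr-x (the mask, not group::r-x, occupies the middle triple), yet a grpi member without a named entry is still limited to r-x, which is the benefit over a plain chmod 775; and lowering the mask to r-x caps guser back to r-x, which is why Smokey_justme's command sets both u:guser:rwx and m::rwx. A file created under the default ACL inherits guser's rwx entry capped by an rw- mask, so the listing shows rw-rw-r--+ and guser can write it. Since the displayed group triple is the mask and the mask must include w for any named entry to be writable, an ACL cannot grant guser write access while keeping a 755 listing; what it can do is keep the owning group at r-x, and for an audit that is what getfacl's effective permissions, not the ls mode string, should be checked against.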

