deny permission in acl
Hi,
I want to grant users in a particular group (let's call it group1) full control of some directory (let's call it /somedirectory), unless the individual users are also in another group (let's call it group2). I have tried the following commands:
Code:
    setfacl -m g:group1:rwx,m:rwx /somedirectory
Code:
    setfacl -m g:group2:-,m:w /somedirectory
However, it would appear that I am using the wrong syntax for the 2nd command. The result from getfacl is:
Code:
    # file: somedirectory
Thanks. |
This sounds like homework, and we will not help too much on that -- forum rules. Informing us as to the operating system will help, and also whether SELinux or App-guard is used. |
Quote:
I've tried googling how to use the command, but it appears that however I have used it, it always uses only the last mask I select. (Particularly from the #effective:-w- part in my first post.)
Quote:
It's basically "out of the box" plus mono, apache, mysql, webmin and clamav.
Quote:
Code:
    libselinux1 2.0.94-1 SELinux runtime shared libraries
|
Because of the way POSIX access modes are parsed, this won't work reliably for a single directory.

It should work if you deny access to group2 first, then grant access to group1 -- but that would rely on the order of the ACLs; extremely fragile. Not recommended.

Using two nested directories is the tested and tried solution. The upper one denies access to specific groups or users but allows traverse for all others, and the lower one only grants access to the desired groups. Thus:

If you use an administrator user account, you can of course replace the root above.

The upper directory grants traverse rights to everybody except group2, then lower grants access to group1. You can add further excluded groups to the upper ACLs, and further access grants to the lower ACLs.

It is important that you don't grant anybody write access to upper, so that the access mode for lower stays intact. This is easiest if you keep upper otherwise empty, and only grant the traverse access. Remember, everybody except the denied users and groups has access to upper.

In most cases, you can of course symlink /somedirectory to /upper/lower. The kernel will internally always traverse the two directories and apply the necessary access tests.

Hope this helps,
Nominal Animal |
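As an added example (not code from this thread, and not Nominal Animal's setup), the following Python models the POSIX.1e ACL permission check that the Linux kernel applies and runs it over both layouts discussed here: the single directory with group1 granted and group2 denied, and the /upper plus /upper/lower pair. The uid and gid numbers are invented, group1 and group2 are the thread's placeholder names, and the ACL entries stand for what getfacl would show after the commands in question. It also reproduces why the `m:w` in the second command left the poster with `#effective:-w-`.

```python
"""Model of the POSIX.1e ACL permission check (the algorithm Linux implements in
fs/posix_acl.c) applied to the two layouts discussed in this thread.  Added
example, not code from the thread; uid/gid numbers are made up (assumption) and
group1/group2 are the thread's placeholder names."""

R, W, X = 4, 2, 1          # permission bits, as in an rwx mode string
RWX = R | W | X

# Constructed ids for the example (assumption: not anybody's real system).
ROOT_UID, ROOT_GID = 0, 0
GROUP1, GROUP2, OTHER_GRP = 1001, 1002, 1003
SOME_UID = 5000            # an ordinary, non-owner process


def acl_permission(acl, uid, gids, want, owner_uid=ROOT_UID, owner_gid=ROOT_GID):
    """True if a process with (uid, gids) is granted every bit in `want`.

    `acl` is a list of (tag, qualifier, perm) tuples in getfacl order.  The
    check proceeds as the kernel does: the owner entry if uid matches (mask not
    applied); else a matching named-user entry (mask applied); else every group
    entry whose gid the process holds is examined and the first one granting
    the whole request wins (mask applied); if some group entry matched but none
    granted, access is denied without consulting 'other'; otherwise 'other'
    decides.
    """
    mask = RWX
    for tag, _, perm in acl:
        if tag == "mask":
            mask = perm
    matched_group = False
    for tag, qual, perm in acl:
        if tag == "user_obj":
            if uid == owner_uid:
                return perm & want == want
        elif tag == "user":
            if uid == qual:
                return perm & mask & want == want
        elif tag in ("group_obj", "group"):
            gid = owner_gid if tag == "group_obj" else qual
            if gid in gids:
                matched_group = True
                if perm & want == want:
                    return perm & mask & want == want
        elif tag == "other":
            if matched_group:
                return False
            return perm & want == want
    return False


def single_dir_acl(deny_first):
    """The single-directory attempt with mask rwx; group entries in either order."""
    grants = [("group", GROUP1, RWX)]
    denies = [("group", GROUP2, 0)]
    groups = denies + grants if deny_first else grants + denies
    return ([("user_obj", None, RWX), ("group_obj", None, R | X)] + groups
            + [("mask", None, RWX), ("other", None, 0)])


# Nested layout from the reply: /upper is only traversable and excludes group2;
# /upper/lower grants group1 full control.  Mask on upper is r-x because no
# entry on upper grants more than that.
UPPER_ACL = [("user_obj", None, RWX), ("group_obj", None, R | X),
             ("group", GROUP2, 0), ("mask", None, R | X), ("other", None, X)]
LOWER_ACL = [("user_obj", None, RWX), ("group_obj", None, R | X),
             ("group", GROUP1, RWX), ("mask", None, RWX), ("other", None, 0)]


def single_dir_access(gids, want, deny_first=True):
    return acl_permission(single_dir_acl(deny_first), SOME_UID, set(gids), want)


def nested_access(gids, want):
    """Reaching /upper/lower needs x on upper; the request itself is checked on lower."""
    return (acl_permission(UPPER_ACL, SOME_UID, set(gids), X)
            and acl_permission(LOWER_ACL, SOME_UID, set(gids), want))


def effective_with_mask(mask_perm, want):
    """What a group1 member gets once 'm:w' has rewritten the mask entry."""
    acl = [("user_obj", None, RWX), ("group_obj", None, R | X),
           ("group", GROUP1, RWX), ("mask", None, mask_perm), ("other", None, 0)]
    return acl_permission(acl, SOME_UID, {GROUP1}, want)


if __name__ == "__main__":
    both = (GROUP1, GROUP2)
    for order in (True, False):
        print("single dir, member of both groups, deny_first=%s:" % order,
              single_dir_access(both, RWX, order))
    print("nested, member of both groups:", nested_access(both, RWX))
    print("nested, group1 only:", nested_access((GROUP1,), RWX))
    print("nested, neither group:", nested_access((OTHER_GRP,), R))
    print("mask -w-, group1 member asks rwx:", effective_with_mask(W, RWX))
```

Run it directly to print the outcomes. The point it makes from the defender's side: on one directory, a user in both groups is granted access by the group1 entry whichever group entry comes first, because every group entry the process matches is examined and any one of them granting the request suffices; a `---` entry only bites when no matching group entry grants anything. On upper, group2 is the only entry the dual-member matches and it grants nothing, so the `other` entry is never consulted and the traverse fails before lower is ever reached. The last line shows the mask at work: `m:w` caps every named-user and group entry at `-w-`, which is exactly the `#effective:-w-` getfacl reported.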
Quote:
This solution denies read access to those in both groups, which is not what I wanted. However, you led me in the right direction and I managed to get it to work with these commands:
Code:
    mkdir /upper
Michael. |