LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 01-31-2011, 12:14 AM   #1
michael_f
LQ Newbie
 
Registered: Jan 2011
Posts: 4
deny permission in acl


Hi,

I want to grant users in a particular group (let's call it group1) full control of a directory (let's call it /somedirectory), unless the individual users are also in a second group (let's call it group2).

I have tried the following commands:

Code:
setfacl -m g:group1:rwx,m:rwx /somedirectory
(To grant full control to users in group1; this on its own seems to be working)

Code:
setfacl -m g:group2:-,m:w /somedirectory
(And then deny write access to users in group2)

However it would appear that I am using the wrong syntax for the 2nd command.

The result from getfacl is:

Code:
# file: somedirectory
# owner: root
# group: root
user::rwx
group::---
group:group1:rwx           #effective:-w-
group:group2:---
mask::-w-
other::---

Can anyone help?

Thanks.
 
Old 01-31-2011, 02:23 AM   #2
John VV
Guru
 
Registered: Aug 2005
Posts: 12,669
this sounds like homework
that we will not help too much on that -- forum rules

informing us as to the operating system will help
also if SELinux or App-guard is used
 
Old 01-31-2011, 06:18 AM   #3
michael_f
LQ Newbie
 
Registered: Jan 2011
Posts: 4

Original Poster
Quote:
this sounds like homework
that we will not help to much on that -- forum rules
It's actually to set up file sharing for my grandparents' church's server. I'm really much more of a developer than a sys admin and very much new to *nix, so my apologies if the question is noobish.

I've tried googling how to use the command, but it appears that however I use it, it always uses only the last mask I select. (Particularly from the #effective:-w- part in my first post.)

Quote:
informing us as to the operating system will help
I'm running Ubuntu Server 10.10 2.6.35-22-generic-pae #33-Ubuntu SMP Sun Sep 19 22:14:14 UTC 2010 i686 GNU/Linux

It's basically "out of the box" plus mono, apache, mysql, webmin and clamav.

Quote:
also if SELinux or App-guard is used
I did not install or use either; it appears that SELinux is installed, or at least the following two packages are:

Code:
libselinux1 2.0.94-1	SELinux runtime shared libraries
libsepol1 2.0.41-1	SELinux library for manipulating binary security policies
 
Old 01-31-2011, 06:58 AM   #4
Nominal Animal
Senior Member
 
Registered: Dec 2010
Location: Finland
Distribution: Xubuntu, CentOS, LFS
Posts: 1,723
Blog Entries: 3
Because of the way POSIX access modes are parsed, this won't work reliably for a single directory.
It should work if you deny access to group2 first, then grant access to group1 -- but that would rely on the order of the ACLs; extremely fragile. Not recommended.

Using two nested directories is the tested and tried solution. Upper one denies access to specific groups or users but allows traverse for all others, and the lower one only grants access to desired groups. Thus:

drwx-----x root:group2 /upper/
drwxrwx--- root:group1 /upper/lower/
If you use an administrator user account, you can of course replace the root above.
The upper directory grants traverse rights to everybody except group2, then lower grants access to group1.
You can add further excluded groups to upper in ACLs, and further access grants to lower ACLs.

It is important that you don't grant anybody write access to upper, so that the access mode for lower stays intact. This is easiest if you keep upper otherwise empty, and only grant the traverse access. Remember, everybody except the denied users and groups has access to upper.

In most cases, you can of course symlink /somedirectory to /upper/lower. The kernel will internally always traverse the two directories and apply the necessary access tests.

Hope this helps,
Nominal Animal

Last edited by Nominal Animal; 03-21-2011 at 07:28 AM.
 
Old 01-31-2011, 04:29 PM   #5
michael_f
LQ Newbie
 
Registered: Jan 2011
Posts: 4

Original Poster
Quote:
Originally Posted by Nominal Animal View Post
Because of the way POSIX access modes are parsed, this won't work reliably for a single directory.
It should work if you deny access to group2 first, then grant access to group1 -- but that would rely on the order of the ACLs; extremely fragile. Not recommended.

Using two nested directories is the tested and tried solution. Upper one denies access to specific groups or users but allows traverse for all others, and the lower one only grants access to desired groups. Thus:

drwx-----x root:group2 /upper/
drwxrwx--- root:group1 /upper/lower/

Hi,

This solution denies read access to those in both groups, which is not what I wanted.

However, you led me in the right direction and I managed to get it to work with these commands:

Code:
mkdir /upper
chown :group1 /upper
chmod 710 /upper

mkdir /upper/lower
chown :group2 /upper/lower
chmod 757 /upper/lower
ln -s /upper/lower /somedirectory

Thanks! You've been a great help.

Michael.
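As an added example (not part of this thread), here is a small Python model of the POSIX ACL evaluation order described in acl(5), applied to the getfacl output from post #1 and to the chmod layout from post #5. The user names alice, bob and carol and the group name staff are constructed; the getfacl text and the 710/757 modes are the thread's own. It shows why the group2 "---" entry in post #1 takes nothing away (matching group entries are unioned, and the mask clips group1 to write-only), while the nested directories really do leave group2 members read-only in lower.

```python
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def parse_perms(s):
    return sum(PERM_BITS[c] for c in s if c in PERM_BITS)

def parse_getfacl(text):
    """Parse getfacl(1) output into {(tag, name): bits}; '#effective:' notes are ignored."""
    acl = {}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if line.startswith("#"):                       # '# owner: root', '# group: root'
            key, _, val = line[1:].partition(":")
            acl[key.strip()] = val.strip()
        else:
            tag, name, perms = line.split("#")[0].strip().split(":")
            acl[(tag, name)] = parse_perms(perms)
    return acl

def acl_from_mode(owner, group, mode):                 # plain chmod bits as a minimal ACL
    return {"owner": owner, "group": group, ("user", ""): mode >> 6 & 7,
            ("group", ""): mode >> 3 & 7, ("other", ""): mode & 7}

def check(acl, user, groups, want):
    """acl(5) order: owner entry, else named user, else ANY matching group entry
    that grants the bits (after the mask), else other. No entry can deny."""
    need = parse_perms(want)
    mask = acl.get(("mask", ""), 7)
    if user == acl["owner"]:
        return acl[("user", "")] & need == need        # the owner is never masked
    if ("user", user) in acl:
        return acl[("user", user)] & mask & need == need
    matching = [acl[("group", g)] for g in groups if ("group", g) in acl]
    if acl["group"] in groups:
        matching.append(acl[("group", "")])
    if matching:                                       # a '---' entry cannot veto a 'rwx' one
        return any(p & mask & need == need for p in matching)
    return acl[("other", "")] & need == need

def path_access(dirs, user, groups, want):             # search (x) each ancestor, then test the leaf
    return all(check(d, user, groups, "x") for d in dirs[:-1]) and check(dirs[-1], user, groups, want)

OP_ACL = parse_getfacl("""# owner: root
# group: root
user::rwx
group::---
group:group1:rwx           #effective:-w-
group:group2:---
mask::-w-
other::---""")                                          # the getfacl output from post #1
UPPER = acl_from_mode("root", "group1", 0o710)         # post #5: chmod 710 /upper
LOWER = acl_from_mode("root", "group2", 0o757)         # post #5: chmod 757 /upper/lower
```

With OP_ACL a group1 member can write but not read, and adding group2 membership changes nothing; with the nested layout a group1-only member gets rwx in lower, a member of both groups gets r-x there, and everyone else is stopped at upper.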