Because of the way POSIX access modes are parsed, this won't work reliably for a single directory. It should work if you deny access to `group2` first, then grant access to `group1` -- but that would rely on the order of the ACLs; extremely fragile. Not recommended.
Using two nested directories is the tested and tried solution. Upper one denies access to specific groups or users but allows traverse for all others, and the lower one only grants access to desired groups. Thus:
drwx-----x root:group2 /upper/
drwxrwx--- root:group1 /upper/lower/
If you use an administrator user account, you can of course replace the `root`. The `upper` directory grants traverse rights to everybody except `group2`, then `lower` grants access to `group1`.

You can add further excluded groups to `upper` in ACLs, and further access grants to `lower`.

It is important that you don't grant anybody write access to `upper`, so that the access mode for `lower` stays intact. This is easiest if you keep `upper` otherwise empty, and only grant the traverse access. Remember, everybody except the denied users and groups has access to `upper`.

In most cases, you can of course symlink `/somedirectory`. The kernel will internally always traverse the two directories and apply the necessary access tests.
Hope this helps,
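The two-level layout from the answer above, as an added example that is not part of the original post: a small POSIX sh script that creates `upper` (traverse-only, denied group as owning group) and `upper/lower` (full access for the allowed group) with exactly the modes shown, plus helpers for the extra ACL entries and a traversal check. The owner and group names, the scratch path, and the `check_traverse` helper (which uses `sudo`) are assumptions for illustration; `chown`, `setfacl` and the check need root, so the script skips the ownership change when run unprivileged.

```shell
#!/bin/sh
# Added example, not from the original answer: build the upper/lower
# layout with plain POSIX modes, then extend it with ACL entries.
# All names (owner, groups, path) are hypothetical arguments.
set -eu

# build_layout ROOT OWNER DENY_GROUP ALLOW_GROUP
# ROOT/upper       -> 0701, OWNER:DENY_GROUP. Members of DENY_GROUP fall into
#                     the group class (---) and never reach "other" (--x).
# ROOT/upper/lower -> 0770, OWNER:ALLOW_GROUP. Only OWNER and ALLOW_GROUP get in.
build_layout() {
    root=$1 owner=$2 deny=$3 allow=$4
    mkdir -p "$root/upper/lower"
    chmod 0701 "$root/upper"        # rwx-----x: traverse only, no write for anybody else
    chmod 0770 "$root/upper/lower"  # rwxrwx---: owner and allowed group
    if [ "$(id -u)" -eq 0 ]; then   # ownership changes need root; skip otherwise
        chown "$owner:$deny"  "$root/upper"
        chown "$owner:$allow" "$root/upper/lower"
    fi
}

# deny_group ROOT GROUP: named-group entry with no rights on upper.
# setfacl recomputes the mask from the group-class entries; "other" keeps --x.
deny_group() {
    setfacl -m "g:$2:---" "$1/upper"
}

# deny_user ROOT USER: named-user entries are matched before any group entry,
# so this blocks one account even if it is also in the allowed group.
deny_user() {
    setfacl -m "u:$2:---" "$1/upper"
}

# allow_group ROOT GROUP: grant a further group full access to lower.
allow_group() {
    setfacl -m "g:$2:rwx" "$1/upper/lower"
}

# mode_of PATH: octal permission bits (GNU/busybox stat), for verification.
mode_of() {
    stat -c %a "$1"
}

# check_traverse USER PATH: run as root. access(2) resolves the whole path,
# so a user without x on upper is denied here even though lower alone
# would admit them.
check_traverse() {
    if sudo -n -u "$1" test -x "$2"; then
        echo "$1: allowed"
    else
        echo "$1: denied"
    fi
}

# Demo on a scratch directory with the caller's own user/group so it works
# both as root and unprivileged. For real use pass e.g. root group2 group1,
# then call deny_group/allow_group and check_traverse as root.
scratch=$(mktemp -d)
build_layout "$scratch" "$(id -un)" "$(id -gn)" "$(id -gn)"
ls -ld "$scratch/upper" "$scratch/upper/lower"
rm -rf "$scratch"
```

The ACL helpers assume the `acl` userspace tools are installed and the named users and groups exist; `getfacl upper upper/lower` afterwards shows the effective entries and mask. The mode on `upper` deliberately has no group bits at all: a member of the denied group is evaluated against the owning-group class and stops there, which is why the denial does not depend on ACL ordering.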