Old 09-26-2014, 10:15 PM   #1
maddyfreaks
Member
 
Registered: May 2011
Posts: 74

Rep: Reputation: 0
Issue with ACL's on RHEL 6


Hi Experts,

I need your help/advice on how to fix this.

I have 2 users under the same group (primary group) and I want to give 777 permissions on a directory owned by user1 to user2. When granted, I can see it from getfacl, but when I actually log in as user2 I can touch a file.

=====================================================================
--Logged as euser
$ id euser
uid=54325(euser) gid=54323(grpi) groups=54323(grpi)

$ ls -ld logs
drwxr-xr-x 2 euser grpi 4096 Sep 21 00:17 logs ## Logs dir has 755 permissions

$ setfacl -m d:u:guser:rwx,d:m:rwx logs ## Want to set ACL only to user -> guser (777)

$ ls -ld logs
drwxr-xr-x+ 2 euser grpi 4096 Sep 21 00:17 logs

$ getfacl logs
# file: logs
# owner: euser
# group: grpi
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:guser:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

--Logged as guser

$ id guser
uid=54324(guser) gid=54323(grpi) groups=54323(grpi),54322(grpa)

$ ls -ld logs/
drwxr-xr-x+ 2 euser grpi 4096 Sep 21 00:17 logs/

$ touch a
touch: cannot touch `a': Permission denied

===================================================================
Also to note: when I make ACLs I don't want to see 775, because if it shows 775 then there is no meaning to the ACL.

Please help.
 
Old 09-26-2014, 10:47 PM   #2
maddyfreaks
Member
 
Registered: May 2011
Posts: 74

Original Poster
Rep: Reputation: 0
Any replies, experts...
 
Old 09-27-2014, 01:30 AM   #3
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware
Posts: 7,873
Blog Entries: 10

Rep: Reputation: Disabled
Hi:

I'm not an expert but I have been running Red Hat based distributions for about 3 years.

Are you basically saying that you want to give user2 permissions on a directory that user1 is the owner of?

If so, you're on the right track. Using the chmod utility is the preferred practice.

Permissions can be a tad confusing until you get a real good understanding of it.
Take a look at these links; they should help.

http://help.hardhathosting.com/question.php/101
http://linuxcommand.org/lts0070.php

As far as the ACL there are 2 kinds of rules, 'access' rules and 'default' rules.
These rules are access information for a single file or directory.
I'm pretty sure that a default ACL pertains to one directory only.

I have never changed the ACL so it's best to wait for a member that knows how on that.
 
Old 09-27-2014, 01:38 AM   #4
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware
Posts: 7,873
Blog Entries: 10

Rep: Reputation: Disabled
I highly recommend this book.
"A Practical Guide to Fedora and Red Hat Enterprise Linux" (7th Edition)
http://www.amazon.com/Practical-Guid.../dp/0133477436

The 6th Edition is here in PDF form-
http://gegeek.com/documents/eBooks/A...%20Edition.pdf
 
Old 09-27-2014, 09:07 AM   #5
maddyfreaks
Member
 
Registered: May 2011
Posts: 74

Original Poster
Rep: Reputation: 0
As per our protocol we are not allowed to use 775 (for audit purposes), so that is the reason we want to give user2 777 permissions on a dir owned by user1. That is the reason we want to make use of ACLs.

Before the ACL it's 755, and after the ACL I want it to be 755+ (internally that should allow user2 to read/write/exec on that dir).

That's all my intention.
 
Old 09-27-2014, 01:42 PM   #6
Ztcoracat
LQ Guru
 
Registered: Dec 2011
Distribution: Slackware
Posts: 7,873
Blog Entries: 10

Rep: Reputation: Disabled
Quote:
Originally Posted by maddyfreaks View Post
As per our protocol we are not allowed to use 775 (for audit purposes), so that is the reason we want to give user2 777 permissions on a dir owned by user1. That is the reason we want to make use of ACLs.

Before the ACL it's 755, and after the ACL I want it to be 755+ (internally that should allow user2 to read/write/exec on that dir).

That's all my intention.
Understood-


The setfacl utility sets ACLs for files and directories. Use the -m option to add or modify the ACL of a file or directory:

Code:
setfacl -m rules files
https://access.redhat.com/documentat...s-setting.html

https://access.redhat.com/documentat...e/ch-acls.html

I don't have experience with using the utilities that come with the ACL package, sorry.

Hope the links are helpful :-)
 
Old 09-29-2014, 10:03 AM   #7
maddyfreaks
Member
 
Registered: May 2011
Posts: 74

Original Poster
Rep: Reputation: 0
Am I missing anything on the ACL?
 
Old 09-29-2014, 10:18 AM   #8
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
This might sound stupid, but are you sure file 'a' does not already exist? Because I can't see any problems in the ACL..
 
Old 09-29-2014, 10:20 AM   #9
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
Ohh, yeah.. And have you cd'ed into the directory before running touch (since from what you've shown us, you didn't)... Again, since I can't see any problems in the ACL I'm looking for simple mistakes (god knows we all make them)
 
Old 09-29-2014, 10:24 AM   #10
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
Ohh, yeah.. You have defaults set, but not effective permissions.. Run this:

Code:
setfacl -m u:guser:rwx,m::rwx log
LE: I've made a correction from m:rwx to m::rwx... Sorry if you read before the edit..

Last edited by Smokey_justme; 09-29-2014 at 10:30 AM.
 
Old 09-29-2014, 10:27 AM   #11
maddyfreaks
Member
 
Registered: May 2011
Posts: 74

Original Poster
Rep: Reputation: 0
Thanks mates for the reply.
$ pwd
/opt/euser/logs

$ ls -ltra a
ls: cannot access a: No such file or directory

So no file exists beforehand && I have cd'd to that location.

Please let me know.
 
Old 09-29-2014, 10:28 AM   #12
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
See my third post :P (*blush*)..
 
Old 09-29-2014, 10:33 AM   #13
maddyfreaks
Member
 
Registered: May 2011
Posts: 74

Original Poster
Rep: Reputation: 0
Hi Smokey_justme,

If I do this .... setfacl -m u:guser:rwx,m:rwx log, my permissions change to 775, which does not make any sense for setting an ACL, because the ACL will internally make it 775 but it openly shows the permissions.

$ setfacl -m u:guser:rwx,m:rwx logs/
$ ls -ld dummy/
drwxrwxr-x+ 2 edbcon dsm 96 Sep 29 10:27 dummy/


--- Instead of struggling with ACLs I can easily do 775, so then what is the benefit of the ACL? And as said, our protocol is not to give 775 manually. So we want to use an ACL so that it shows 755 but the user should be able to write. That is the reason I am struggling.
 
Old 09-29-2014, 10:42 AM   #14
Smokey_justme
Member
 
Registered: Oct 2009
Distribution: Slackware
Posts: 534

Rep: Reputation: 203
Nope... Your current permissions:
Code:
$ getfacl logs
# file: logs
# owner: euser
# group: grpi
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:guser:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
say that any new file created after these permissions were applied gets 644 plus guser gets 6 (rwx) (and mask is set to 6 -- rwx -- to allow this).. So guser is able to edit any new file by default, no matter who owns it... However, he does not have effective write permissions in the directory.. So he cannot add or remove (unlink) files in that directory..

Running my commands will do nothing but allow the user "guser" to add or remove files from the directory (mask is not an effective permission) and will not modify your normal 755 permission.

Basically, right now you can have euser touch a file.. and then see how guser can modify it by default (even if the file will still have no-write for group and other).. However guser cannot write to the directory, so he can't add or remove any files..

P.S. It seems the 'ls' output is confusing.. However, the directory is still 755:
Code:
smokey@desk:/home$ getfacl log   
# file: log
# owner: smokey
# group: users
user::rwx
user:test:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:test:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

smokey@desk:/home$ ls -ld log
drwxrwxr-x+ 1 smokey users 2 Sep 29 17:41 log

smokey@desk:/home$ sudo su test
test@desk:/home$ cd log
test@desk:/home/log$ touch b
test@desk:/home/log$ cd ..
test@desk:/home$ exit
exit
smokey@desk:/home$ sudo su test2
test2@desk:/home$ cd log
test2@desk:/home/log$ touch c
touch: cannot touch 'c': Permission denied

Last edited by Smokey_justme; 09-29-2014 at 11:46 AM.
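The mask behaviour Smokey_justme describes, as an added example that is not part of the thread: it parses getfacl output like the listings above, computes what a given user really gets under the POSIX.1e check order (owner, named user, groups ANDed with the mask, other), and renders the ls -l mode string, whose group triplet is the mask whenever an access mask exists. The user and group names are the thread's; the check order and mask rule are those of the kernel's posix_acl_permission().

```python
"""Effective POSIX ACL permissions and the ls -l mode string, from getfacl output.
Check order is the kernel's: owner, named user, owning/named groups, other. Named
and group entries are ANDed with the mask; ls -l prints the mask as the group triplet."""
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def parse_getfacl(text):
    acl = {"owner": None, "group": None, "access": [], "default": []}
    for raw in text.splitlines():
        line = raw.split("#effective")[0].strip()      # drop getfacl's annotation
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            kind = "default" if line.startswith("default:") else "access"
            tag, qual, perms = line.removeprefix("default:").split(":")
            acl[kind].append((tag, qual, sum(PERM_BITS[c] for c in perms if c in PERM_BITS)))
    return acl

def _entry(acl, tag, qual=""):
    return next((b for t, q, b in acl["access"] if t == tag and q == qual), None)

def effective_perms(acl, user, groups):
    """Bits (r=4, w=2, x=1) that `user`, a member of `groups`, actually gets."""
    mask = _entry(acl, "mask")
    masked = lambda b: b if mask is None else b & mask
    if user == acl["owner"]:
        return _entry(acl, "user")                      # owner entry is never masked
    if _entry(acl, "user", user) is not None:
        return masked(_entry(acl, "user", user))
    bits = None
    for t, q, b in acl["access"]:                       # owning group + named groups
        if t == "group" and (acl["group"] if q == "" else q) in groups:
            bits = (bits or 0) | masked(b)
    return _entry(acl, "other") if bits is None else bits

def ls_mode(acl, is_dir=True):
    """What ls -l shows: mask replaces the group triplet, '+' marks extended entries."""
    rwx = lambda b: "".join(c if b & v else "-" for c, v in PERM_BITS.items())
    mask = _entry(acl, "mask")
    extended = mask is not None or acl["default"] or any(q for _, q, _ in acl["access"])
    return (("d" if is_dir else "-") + rwx(_entry(acl, "user"))
            + rwx(_entry(acl, "group") if mask is None else mask)
            + rwx(_entry(acl, "other")) + ("+" if extended else ""))

# The thread's two getfacl listings of euser's "logs" directory, as constants.
DEFAULT_ONLY = "\n".join(["# owner: euser", "# group: grpi", "user::rwx", "group::r-x",
    "other::r-x", "default:user::rwx", "default:user:guser:rwx", "default:group::r-x",
    "default:mask::rwx", "default:other::r-x"])
WITH_ACCESS_ACL = "\n".join(["# owner: euser", "# group: grpi", "user::rwx",
    "user:guser:rwx", "group::r-x", "mask::rwx", "other::r-x"])
GUSER_GROUPS = {"grpi", "grpa"}                         # from `id guser` in the thread
```

With only the default ACL, guser falls through to the owning-group entry (r-x, so touch fails); with the access entry plus mask he gets rwx, and the 775 in `ls -ld` is the mask, not the group entry.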
 
Old 09-29-2014, 10:55 AM   #15
maddyfreaks
Member
 
Registered: May 2011
Posts: 74

Original Poster
Rep: Reputation: 0
Hi Smokey, just tried. Hopefully you got my concern.

$ ls -ld logs/
drwxrwxr-x+ 2 euser grpi 96 Sep 29 10:30 logs/

$ setfacl -b logs/

--This is Original
$ ls -ld logs
drwxr-xr-x 2 euser grpi 96 Sep 29 10:30 logs/

$ setfacl -m u:guser:rwx,m::rwx logs/

$ ls -ld logs/
drwxrwxr-x+ 2 euser grpi 96 Sep 29 10:30 logs/ #<<<< It shows as 775; my question is what benefit am I getting with the ACL, as I can get this with chmod 775

$ getfacl logs/
# file: logs/
# owner: euser
# group: grpi
user::rwx
user:guser:rwx
group::r-x
mask::rwx
other::r-x

All I want is that it should look like 755, but guser should be able to touch/edit/delete anything in the logs directory owned by euser.

I thought an ACL could help me here, but no luck.

Last edited by maddyfreaks; 09-29-2014 at 10:57 AM. Reason: corrected typo
 