LinuxQuestions.org
Old 09-15-2016, 12:06 AM   #1
fanoflq
Member
 
Registered: Nov 2015
Posts: 397

Rep: Reputation: Disabled
Unable to setup ACL during mount for CentOS 7 virtual machine


Unable to setup ACL during mount for CentOS 7
virtual machine.

Here is the fstab configuration.
Note acl option for /dev/mapper/centos-root.
Code:
[user1@localhost ~]$ cat /etc/fstab

#
# /etc/fstab
# Created by anaconda on Fri Aug 12 15:05:22 2016
#
# Accessible filesystems, by reference, are maintained under '/dev/disk'
# See man pages fstab(5), findfs(8), mount(8) and/or blkid(8) for more info
#
/dev/mapper/centos-root /                       xfs     defaults,acl        0 0
UUID=ada31c1f-5e7b-4e1f-bfbe-916806530dbc /boot                   xfs     defaults        0 0
/dev/mapper/centos-swap swap                    swap    defaults        0 0

But when I looked at mounted devices, there is no acl enabled for /dev/mapper/centos-root.
Code:
[user1@localhost ~]$ mount | grep centos
/dev/mapper/centos-root on / type xfs (rw,relatime,seclabel,attr2,inode64,noquota)

What did I miss?
Thank you.
 
Old 09-15-2016, 08:13 AM   #2
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Rep: Reputation: 1513
ACLs tend not to be put on the root filesystem as they frequently conflict with what the system requires. I believe this is because the base system distribution is more than sufficient (owner/group/world, along with setuid/setgid settings on files).

Filesystems mounted on the root filesystem can/do have ACLs.

The other issue is that root gets mounted before the fstab file is even looked at (or even accessible) during the initial setup by the initrd/ramfs, thus root gets skipped while processing the fstab.

One last thing - ACLs are most usable by the users that give access to files not owned by the system (accidents are easy to make granting improper privileges for root).

Last edited by jpollard; 09-15-2016 at 08:16 AM.
 
Old 09-15-2016, 08:59 AM   #3
fanoflq
Member
 
Registered: Nov 2015
Posts: 397

Original Poster
Rep: Reputation: Disabled
@jpollard:

Quote:
The other issue is that root gets mounted before the fstab file is even looked at (or even accessible) during the initial setup by the initrd/ramfs, thus root gets skipped while processing the fstab.

In this VM and in many installations, the entire OS is on one partition, e.g. sda6, and is thus mounted under /.
So adding ACL is not possible, correct?

How would you add ACL to /home directory in this scenario?

Last edited by fanoflq; 09-15-2016 at 09:14 AM.
 
Old 09-15-2016, 01:04 PM   #4
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Rep: Reputation: 1513
Quote:
Originally Posted by fanoflq View Post
@jpollard:



In this VM and in many installations, the entire OS is on one partition, e.g. sda6, and is thus mounted under /.
So adding ACL is not possible, correct?

How would you add ACL to /home directory in this scenario?

I don't think you can.

The way I added it was to partition the virtual disk during installation (normally CentOS will partition it into two parts, possibly three - one for swap, one for /boot, and one for the root (/boot would still be ext4, but that depends on whether xfs is now supported by grub2 - and this is what Fedora 24 is doing)). Adding an extra partition for /home would allow you to add ACLs for local use. You can use an NFS mount for /home, and use NFS ACLs though.
 
Old 09-15-2016, 02:01 PM   #5
fanoflq
Member
 
Registered: Nov 2015
Posts: 397

Original Poster
Rep: Reputation: Disabled
Quote:
You can use an NFS mount for /home, and use NFS ACLs though.
I am not familiar with NFS mount.
Do not even know where to start since I am learning Linux.
When I installed CentOS 7 image, I was using its default setup.

Can you point me to such NFS installation guide?
Thank you.
-----------------------------

I removed the acl option I added in fstab.
Then reboot....

It turns out ACL is already enabled in the standard install for CentOS 7 because I tried using getfacl and setfacl, and they did not return errors.

I do not have any idea how it was done since it does not show up in mount command output or fstab.
But I ran into this problem.....

Can you take a look at this:
"unable to access directory after enabling access via setfacl "
http://www.linuxquestions.org/questi...40#post5605740

Thank you.

Last edited by fanoflq; 09-15-2016 at 02:08 PM.
 
Old 09-15-2016, 02:33 PM   #6
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Rep: Reputation: 1513
CentOS 7 is a repackaging of RHEL 7. You can see the RH documentation at

https://access.redhat.com/documentat...verconfig.html

for servers, and look through the index for client use of NFS.

Different question, different problem.

That "c1" user does not have access to the /test directory (it is owned by a1, and likely c1 is not a member of the group gp1 - thus only world access applies, and the directory doesn't allow world access).
 
Old 09-15-2016, 03:04 PM   #7
fanoflq
Member
 
Registered: Nov 2015
Posts: 397

Original Poster
Rep: Reputation: Disabled
@jpollard :

I enabled read access permission
on directory /test for others.
Got same denied access warning when user c1
tries to list /test.

http://www.linuxquestions.org/questi...3/#post5605740

Thank you for your time.
 
Old 09-15-2016, 04:04 PM   #8
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Rep: Reputation: 1513
c1 cannot search the directory...
 
Old 09-15-2016, 07:36 PM   #9
fanoflq
Member
 
Registered: Nov 2015
Posts: 397

Original Poster
Rep: Reputation: Disabled
Quote:
c1 cannot search the directory...
I thought a read permission in /test ACL for c1 would mean c1 can read /test.
So I am totally lost here.

Addendum:
What permission(s) or settings are preventing c1 from
reading content of /test?

Last edited by fanoflq; 09-15-2016 at 07:46 PM.
 
Old 09-16-2016, 06:31 AM   #10
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,912

Rep: Reputation: 1513
Normally for a user to be able to do anything, they must be able to read. But all this does is allow the user to see the file names.

But to do anything else you need the search - the "x" when applied to directories. This also happens to affect the user trying to use "cd", as when the working directory is set the kernel will attempt to cache the directory for speed - and it isn't allowed to.

http://www.greenend.org.uk/rjk/tech/perms.html
http://unix.stackexchange.com/questi...-in-linux-work
 
1 members found this post helpful.
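
Added example, not part of the thread or any poster's code: the read-versus-search distinction from post #10, worked through on a getfacl-style listing. The ACL entries and the helper names effective_perms and dir_access are assumptions (the thread never shows the real ACL on /test); a1, c1 and gp1 are the names used in post #6.

```shell
# Constructed getfacl-style listing for a directory like the thread's /test.
# The thread does not show the real ACL; every entry below is an assumption.
SAMPLE_ACL='# file: test
# owner: a1
# group: gp1
user::rwx
user:c1:r--
group::r-x
mask::r-x
other::---'

# effective_perms USER "GROUP ..." (getfacl text on stdin) prints USER's rwx
# triple in POSIX ACL check order: owner, named user, matching groups, other.
# Named-user and group entries are limited by the mask entry.
effective_perms() {
  awk -v user="$1" -v groups="$2" '
    function comb(a, b, any,   i, x, y, o) {  # any=1 union, any=0 intersection
      for (i = 1; i <= 3; i++) { x = substr(a, i, 1); y = substr(b, i, 1)
        o = o (any ? (x != "-" ? x : y) : (x == y ? x : "-")) }
      return o }
    BEGIN { n = split(groups, g, " "); for (i = 1; i <= n; i++) mine[g[i]] = 1
            ukey = "user:" user }
    /^# owner:/ { owner = $3; next }
    /^# group:/ { ogroup = $3; next }
    /^#/ || /^default:/ || NF == 0 { next }
    { split($1, f, ":"); e[f[1] ":" f[2]] = f[3] }  # key is "tag:qualifier"
    END { mask = ("mask:" in e) ? e["mask:"] : "rwx"  # no mask: no limit
      if (user == owner) res = e["user:"]
      else if (ukey in e) res = comb(e[ukey], mask)
      else { res = "---"; hit = 0
        for (k in e) { split(k, f, ":"); gname = (f[2] == "") ? ogroup : f[2]
          if (f[1] == "group" && (gname in mine)) {
            hit = 1; res = comb(res, comb(e[k], mask), 1) } }
        if (!hit) res = e["other:"] }
      print res }'
}

# What the triple means on a directory: r lists names, x is the search bit.
dir_access() {
  _p=$(effective_perms "$1" "$2")
  case "$_p" in
    r?x) echo "$_p list names, cd, stat and open entries" ;;
    r??) echo "$_p list names only: cd and stat of entries are denied" ;;
    ??x) echo "$_p cd and open known names, but no listing" ;;
    *)   echo "$_p no access" ;;
  esac
}

printf '%s\n' "$SAMPLE_ACL" | dir_access c1 "c1"
printf '%s\n' "$SAMPLE_ACL" | sed 's/^user:c1:r--/user:c1:r-x/' | dir_access c1 "c1"
```

On a live system the same input comes from `getfacl /test`, with the group list taken from `id -Gn c1`.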
Old 09-16-2016, 08:32 AM   #11
fanoflq
Member
 
Registered: Nov 2015
Posts: 397

Original Poster
Rep: Reputation: Disabled
@jpollard:

Thanks.
 
  

