Old 09-06-2017, 01:13 PM   #1
taylorkh
Access Control List on a directory question


I am trying to get my head around ACLs. I have set up a little example on a test box (CentOS 7.4). In a nutshell I have a directory /data/accounting to which members of group "accounting" have rwx access and members of group "auditing" have r-x access. All others have no access. I am close.
Code:
[root@vmCentOS7Mate-03 ~]# getfacl /data/accounting/
getfacl: Removing leading '/' from absolute path names
# file: data/accounting/
# owner: root
# group: accounting
user::rwx
group::rwx
group:auditing:r-x
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:auditing:r-x
default:mask::rwx
default:other::---
The only issue which I am having is that files created by members of group "accounting" in the referenced directory belong to the user's primary group not the folder's group.
Code:
[root@vmCentOS7Mate-03 ~]# ll /data/accounting/
total 8
-rw-rw----+ 1 bob   bob    0 Sep  6 13:30 ledger1_by_bob
-rw-rw-r--. 1 bob   bob   20 Sep  6 09:09 ledger_by_bob
-rw-rw-r--. 1 carol carol 22 Sep  6 09:25 ledger_by_carol
I think what I want is for files to inherit the group membership/permissions from the folder in which they are created. Or I may just add default:accounting:wrx to the directory and see what happens. Let me try that and I will update this post as to what happens.

Ken
 
Old 09-06-2017, 01:35 PM   #2
Turbocapitalist
Quote:
Originally Posted by taylorkh
I think what I want is for files to inherit the group membership/permissions from the folder in which they are created.
That can be done without ACLs if you set the set-group-id bit.

Code:
chmod g=rwxs ./some/dir/
If you are constrained to do it via ACLs for some reason, then see the section on option a - using the ACL in a blog post I wrote on the matter to get started.
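The set-group-id approach from this reply, combined with the default ACL from the first post, as an added example that is not part of either poster's text. The function names are hypothetical, the group names are parameters (the thread uses "accounting" and "auditing"), and GNU `stat` is assumed; the ACL step runs only if `setfacl` is installed.

```shell
#!/bin/sh
# Added example (not from the thread): make new files in a shared
# directory take the directory's group instead of the creator's
# primary group. Function names are hypothetical.

# setup_shared_dir DIR OWNER_GROUP [READER_GROUP]
setup_shared_dir() {
    dir=$1 owner_group=$2 reader_group=${3:-}
    mkdir -p "$dir" || return 1
    chgrp "$owner_group" "$dir" || return 1
    # 2770 = setgid bit + rwx for owner and group, nothing for others.
    # The setgid bit on a directory is what makes new entries inherit
    # the directory's group.
    chmod 2770 "$dir" || return 1
    if [ -n "$reader_group" ] && command -v setfacl >/dev/null 2>&1; then
        # Access entry for the directory itself, plus a default entry
        # that is copied onto files and subdirectories created later.
        setfacl -m "g:${reader_group}:r-x,d:g:${reader_group}:r-x" "$dir" \
            || return 1
    fi
}

# new_file_group DIR: create a scratch file, print the numeric GID it got.
new_file_group() {
    probe="$1/.probe.$$"
    : > "$probe" || return 1
    stat -c %g "$probe"
    rm -f "$probe"
}

# inherits_group DIR: succeed only if new files receive DIR's group.
inherits_group() {
    [ "$(new_file_group "$1")" = "$(stat -c %g "$1")" ]
}

# Usage for the scenario in the thread (run as root on the test box):
#   setup_shared_dir /data/accounting accounting auditing
#   inherits_group /data/accounting && echo "group is inherited"
```

Files that already exist in the directory, such as the `bob:bob` ledgers in the listing above, keep their old group and need a one-time `chgrp`.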
 
Old 09-06-2017, 03:24 PM   #3
taylorkh
Thanks Turbocapitalist,

I took a look at your blog post. I will be giving it a good study.

As far as using ACLs... I am retired from this business but had an opportunity to take some Red Hat Academy courses through the local community college at a fraction of the cost charged by Red Hat. Gets me out of the house and it is something to do. That said, the RHA exercises are - to put it politely - somewhat superficial. So I am creating my own scenarios for the various topics and working through them to get a more thorough understanding.

I worked with ACLs in Windoze for many years as that was all that was available. That was some time ago and I am trying to reconcile my past experience with Linux features. I think I have my test case working but have to do some more testing and then try some additional scenarios I have in mind.

At the moment I have to head off for a public hearing. The local county commissioners are wanting to spend $32M of my tax dollars on some sort of fantastic county jail expansion. I think surplus army tents on the old county landfill site should be good enough. It will be interesting to hear what others have to say. I will be back on this project soon.

Ken
 
  

