deny permission in acl

michael_f · 01-31-2011, 12:14 AM

Hi,

I want to grant users in a particular group (lets call it group1) access to some directory (let's call it /somedirectory) full control of the directory, unless the individual users are also in a group (lets call it group2).

I have tried the following commands:

Code:

setfacl -m g:group1:rwx,m:rwx /somedirectory

(To grant full control to users in group1, this on it's own seems to be working)

Code:

setfacl -m g:group2:-,m:w /somedirectory

(And then deny write access to users in group2)

However it would appear that I am using the wrong syntax for the 2nd command.

The result from getfacl is:

Code:

# file: somedirectory
# owner: root
# group: root
user::rwx
group::---
group:group1:rwx           #effective:-w-
group:group2:---
mask::-w-
other::---

Can anyone help?

Thanks.

John VV · 01-31-2011, 02:23 AM

this sounds like homework
that we will not help to much on that -- forum rules

informing us as to the operating system will help
also if SELinux or App-guard is used

michael_f · 01-31-2011, 06:18 AM

Quote:

this sounds like homework
that we will not help to much on that -- forum rules

It's actually to setup file sharing for my grandparent's church's server. I'm really much more of a developer than a sys admin and very much new to *nix, so my apologies if the question is noobish.

I've tried googling how to use the command but it appears that however I have used it it always uses only the last mask I select. (Particulally from the #effective:-w- part in my first post.)

Quote:

informing us as to the operating system will help

I'm running Ubuntu Server 10.10 2.6.35-22-generic-pae #33-Ubuntu SMP Sun Sep 19 22:14:14 UTC 2010 i686 GNU/Linux

It's basically "out of the box" plus mono, apache, mysql, webmin and clamav.

Quote:

also if SELinux or App-guard is used

I did not install or use either, it appears that SELinux is installed, at least the following two packages are:

Code:

libselinux1 2.0.94-1	SELinux runtime shared libraries
libsepol1 2.0.41-1	SELinux library for manipulating binary security policies

Nominal Animal · 01-31-2011, 06:58 AM

Because of the way POSIX access modes are parsed, this won't work reliably for a single directory.
It should work if you deny access to group2 first, then grant access to group1 -- but that would rely on the order of the ACLs; extremely fragile. Not recommended.

Using two nested directories is the tested and tried solution. Upper one denies access to specific groups or users but allows traverse for all others, and the lower one only grants access to desired groups. Thus:

drwx-----x root:group2 /upper/
drwxrwx--- root:group1 /upper/lower/

If you use an administrator user account, you can of course replace the root above.
upper directory grants traverse rights to everybody except group2, then lower grants access to group1.
You can add further excluded groups to upper in ACLs, and further access grants to lower ACLs.

It is important that you don't grant anybody write access to upper, so that the access mode for lower stays intact. This is easiest if you keep upper otherwise empty, and only grant the traverse access. Remember, everybody except the denied users and groups have access to upper.

In most cases, you can of course symlink /somedirectory to /upper/lower . The kernel will internally always traverse the two directories and apply the necessary access tests.

Hope this helps,

Nominal Animal

michael_f · 01-31-2011, 04:29 PM

Quote:

Originally Posted by Nominal Animal

Because of the way POSIX access modes are parsed, this won't work reliably for a single directory.
It should work if you deny access to group2 first, then grant access to group1 -- but that would rely on the order of the ACLs; extremely fragile. Not recommended.

Using two nested directories is the tested and tried solution. Upper one denies access to specific groups or users but allows traverse for all others, and the lower one only grants access to desired groups. Thus:

drwx-----x root:group2 /upper/
drwxrwx--- root:group1 /upper/lower/

Hi,

This solution denies read access to those in both groups, which is not what I wanted.

However, you lead me in the right direction and I managed to get it to work with these commands:

Code:

mkdir /upper
chown :group1 /upper
chmod 710 /upper

mkdir /upper/lower
chown :group2 /upper/lower
chmod 757 /upper/lower
ln -s /upper/lower /somedirectory

Thanks! You've been a great help.

Michael.