LinuxQuestions.org
Red Hat This forum is for the discussion of Red Hat Linux.

Old 09-19-2013, 03:44 PM   #1
makupl
LQ Newbie
 
Registered: Sep 2013
Posts: 23

Rep: Reputation: Disabled
ACL permission doesn't work for me (?)


Hello.
In my test server I have three users
test1, test2, test3.
All have respectively
/home/test1, /home/test2, /home/test3 directory.
user1 is in group user1
user2 is in group user2
user3 is in group user1

In /home/test1 I have a 'file1'.
Its 'ls -la' listing shows grants as -rwrwxr--+
But as I understand it is not now -rwxrwxr-- in fact but "+" means that this file has additional ACL which is in use. Now.
getfacl file1 says:
#file : file1
#owner: user1
#group: user1
user::rw-
user:user2:rwx
group::rwx
mask::rwx
other::r--
As I understand, user2 as well as user3 (is in the same group as user1) should have access to the file. BTW permissions should be: read, write and execute.
When I try it (with vi, more) I always get permission alert and can't open or read the file.
What's wrong with that?
 
Old 09-19-2013, 04:37 PM   #2
rknichols
Senior Member
 
Registered: Aug 2009
Distribution: Rocky Linux
Posts: 4,780

Rep: Reputation: 2212
Users need execute (and usually read) permission in the directory and any parent directories in order to access the file. (Without read permission they would need to know the exact name, and things like tab-completion would not work.)
 
1 members found this post helpful.
Old 09-20-2013, 01:55 AM   #3
makupl
LQ Newbie
 
Registered: Sep 2013
Posts: 23

Original Poster
Rep: Reputation: Disabled
Quote:
Originally Posted by rknichols
Users need execute (and usually read) permission in the directory and any parent directories in order to access the file. (Without read permission they would need to know the exact name, and things like tab-completion would not work.)
Hi. Thank you for the answer. I tested it in a different directory (/tmp) and it works as it should.
However, let me ask one more question. I'm curious, as the exercise instruction that I had was to create a file in the home directory of user1 and allow user2 and user3 to access this file (using this ACL feature). There was no mention of access rights for the parent directory. Even when I gave the full path and name, trying to access it didn't work.
I assume that your first statement about permission is a must.

And please confirm, because I can't find the answer: if there is an ACL for a file (directory), its permissions reported by ll don't take effect. Right?

Last edited by makupl; 09-20-2013 at 01:58 AM.
 
Old 09-20-2013, 03:35 AM   #4
druuna
LQ Veteran
 
Registered: Sep 2003
Posts: 10,532
Blog Entries: 7

Rep: Reputation: 2405
ACL's are a second layer of security on top of the standard ugo/rwx permissions. Without knowing what the standard permissions of the files/directories are we can only give some general pointers and are probably not able to pinpoint something specific.

Assuming the following setup (no acl's yet, just standard permissions):
Code:
# ls -ld /home/test*
drwxr-xr-x 2 test1 user1 4096 sep 20 09:39 /home/test1
drwxr-xr-x 2 test2 user2 4096 sep 20 09:37 /home/test2
drwxr-xr-x 2 test3 user1 4096 sep 20 09:37 /home/test3
# ls -l /home/test1/file1 
-rwxrwxr-- 1 test1 user1 15 sep 20 09:37 /home/test1/file1

Users test1 and test3 are able to read, write and execute file1
User test2 can read file1, but cannot write or execute file1

Assuming this setup (still no acl's):
Code:
# ls -ld /home/test*
drwxr-x--- 2 test1 user1 4096 sep 20 09:55 /home/test1
drwxr-x--- 2 test2 user2 4096 sep 20 09:56 /home/test2
drwxr-x--- 2 test3 user1 4096 sep 20 09:56 /home/test3
[plains] root / # ls -l /home/test1/file1 
-rwxrwxr-- 1 test1 user1 15 sep 20 09:56 /home/test1/file1

Users test1 and test3 are able to read, write and execute file1
User test2 doesn't have access at all (permission denied).

As you can see in the above examples it does matter what the initial situation is.

Assuming the second example, you need to do the following to make file1 fully accessible for user test2:
Code:
# permissions file1 without acl's:
getfacl file1 
# file: file1
# owner: test1
# group: user1
user::rwx
group::rwx
other::r--

# set acl permissions on file1 for user test2:
setfacl -m u:test2:rwx file1 
getfacl file1 
# file: file1
# owner: test1
# group: user1
user::rwx
user:test2:rwx
group::rwx
mask::rwx
other::r--

But, due to the 750 permissions on /home/test1 this isn't enough, user test2 will still get a permission denied! If the permissions on /home/test1 would have been 755 then this would have been enough (with the restriction in mind mentioned earlier by rknichols).

In this case you need to give user test2 execute permissions on test1's home directory:
Code:
setfacl -m u:test2:x /home/test1
getfacl /home/test1
getfacl: Removing leading '/' from absolute path names
# file: home/test1
# owner: test1
# group: user1
user::rwx
user:test2:--x
group::r-x
mask::r-x
other::---

Quote:
Originally Posted by makupl
There were no mention about access rights for parent directory.
(possible) Pitfalls aren't mentioned, they are part of the learning process.
 
2 members found this post helpful.
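
The access check discussed in this thread, as an added example that is not part of any post: it evaluates getfacl text in the order the kernel does (owner, named user, group class, other, with the mask capping named and group entries) and requires search permission on the directory before the file's own ACL is consulted. The function names are hypothetical, the 750 listing is constructed from the `ls -ld` line above, and `/` and `/home` are assumed to be traversable by everyone.

```python
# Added example: the POSIX ACL access check, run over getfacl text from the thread.
HDR = "# owner: test1\n# group: user1\n"
# /home/test1 at mode 750, before any ACL (constructed from the ls -ld line)
HOME_750 = HDR + "user::rwx\ngroup::r-x\nother::---"
# /home/test1 after: setfacl -m u:test2:x /home/test1
HOME_ACL = HDR + "user::rwx\nuser:test2:--x\ngroup::r-x\nmask::r-x\nother::---"
# file1 after: setfacl -m u:test2:rwx file1
FILE1 = HDR + "user::rwx\nuser:test2:rwx\ngroup::rwx\nmask::rwx\nother::r--"

def parse_acl(text):
    """Return (owner, owning_group, [(tag, qualifier, perm_set), ...])."""
    owner = group = None
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qual, perms = line.split(":")[:3]
            entries.append((tag, qual, set(perms[:3]) - {"-"}))
    return owner, group, entries

def acl_allows(text, user, groups, want):
    """True if user (a member of groups) is granted every bit in want."""
    owner, ogroup, entries = parse_acl(text)
    want = set(want)
    def get(tag, qual=""):
        return next((p for t, q, p in entries if (t, q) == (tag, qual)), None)
    mask = get("mask")
    def masked(p):
        return p if mask is None else p & mask
    if user == owner:                    # 1. owner: user:: entry, mask ignored
        return want <= get("user")
    if get("user", user) is not None:    # 2. named user entry, capped by mask
        return want <= masked(get("user", user))
    hits = [p for t, q, p in entries     # 3. owning group and named groups
            if t == "group" and (q or ogroup) in groups]
    if hits:                             # a group match never falls through to other
        return any(want <= masked(p) for p in hits)
    return want <= get("other")          # 4. everyone else

def can_access(acls, user, groups, want):
    """Search (x) is needed on every directory, then want on the file itself."""
    *dirs, target = acls
    return all(acl_allows(d, user, groups, "x") for d in dirs) and \
        acl_allows(target, user, groups, want)
```

`can_access([HOME_750, FILE1], "test2", ["user2"], "rw")` is False even though file1's ACL grants test2 rwx; swapping in `HOME_ACL` makes it True, while test2 still cannot list the directory because the named entry grants only `x`.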
Old 09-20-2013, 04:52 AM   #5
makupl
LQ Newbie
 
Registered: Sep 2013
Posts: 23

Original Poster
Rep: Reputation: Disabled
Very well explained!
 
  


All times are GMT -5. The time now is 10:51 PM.
