ACLs are a second layer of security on top of the standard ugo/rwx permissions. Without knowing what the standard permissions of the files/directories are, we can only give some general pointers and are probably not able to pinpoint something specific.
Assuming the following setup (no ACLs yet, just standard permissions):
Code:
# ls -ld /home/test*
drwxr-xr-x 2 test1 user1 4096 sep 20 09:39 /home/test1
drwxr-xr-x 2 test2 user2 4096 sep 20 09:37 /home/test2
drwxr-xr-x 2 test3 user1 4096 sep 20 09:37 /home/test3
# ls -l /home/test1/file1
-rwxrwxr-- 1 test1 user1 15 sep 20 09:37 /home/test1/file1
Users test1 and test3 are able to read, write and execute file1
User test2 can read file1, but cannot write or execute file1
Assuming this setup (still no ACLs):
Code:
# ls -ld /home/test*
drwxr-x--- 2 test1 user1 4096 sep 20 09:55 /home/test1
drwxr-x--- 2 test2 user2 4096 sep 20 09:56 /home/test2
drwxr-x--- 2 test3 user1 4096 sep 20 09:56 /home/test3
[plains] root / # ls -l /home/test1/file1
-rwxrwxr-- 1 test1 user1 15 sep 20 09:56 /home/test1/file1
Users test1 and test3 are able to read, write and execute file1
User test2 doesn't have access at all (permission denied).
As you can see in the above examples it does matter what the initial situation is.
Assuming the second example, you need to do the following to make file1 fully accessible for user test2:
Code:
# permissions of file1 without ACLs:
getfacl file1
# file: file1
# owner: test1
# group: user1
user::rwx
group::rwx
other::r--
# set acl permissions on file1 for user test2:
setfacl -m u:test2:rwx file1
getfacl file1
# file: file1
# owner: test1
# group: user1
user::rwx
user:test2:rwx
group::rwx
mask::rwx
other::r--
But, due to the 750 permissions on /home/test1, this isn't enough: user test2 will still get a permission denied! If the permissions on /home/test1 had been 755, then this would have been enough (with the restriction in mind mentioned earlier by rknichols).
In this case you need to give user test2 execute permissions on test1's home directory:
Code:
setfacl -m u:test2:x /home/test1
getfacl /home/test1
getfacl: Removing leading '/' from absolute path names
# file: home/test1
# owner: test1
# group: user1
user::rwx
user:test2:--x
group::r-x
mask::r-x
other::---
Quote:
Originally Posted by makupl
There was no mention of access rights for the parent directory.
(possible) Pitfalls aren't mentioned, they are part of the learning process.
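Added example, not part of the original post: a shell/awk sketch of the order in which POSIX ACL entries are checked (owner, named user, groups, other, with the mask capping named-user and group entries), applied to the /home/test1 case above. It goes slightly beyond the test2 case by also handling group entries; the function names `acl_allows` and `path_allows` are made up for this illustration, and the ACL texts are constructed from the listings in the post.

```shell
# acl_allows USER GROUPS_CSV WANT: read getfacl text on stdin, exit 0 if WANT is granted.
acl_allows() {
    awk -F: -v user="$1" -v groups="$2" -v want="$3" '
    function has(p, m,   i, c) {      # every letter of want in p, and in mask m if set
        for (i = 1; i <= length(want); i++) {
            c = substr(want, i, 1)
            if (index(p, c) == 0 || (m != "" && index(m, c) == 0)) return 0
        }
        return 1
    }
    BEGIN { n = split(groups, g, ","); for (i = 1; i <= n; i++) member[g[i]] = 1 }
    /^# owner: /    { owner  = substr($0, 10) }
    /^# group: /    { ogroup = substr($0, 10) }
    /^user::/       { uobj  = substr($3, 1, 3) }
    /^user:[^:]+:/  { named[$2] = substr($3, 1, 3) }
    /^group::/      { gobj  = substr($3, 1, 3) }
    /^group:[^:]+:/ { ngrp[$2] = substr($3, 1, 3) }
    /^mask::/       { mask  = substr($3, 1, 3) }
    /^other::/      { other = substr($3, 1, 3) }
    END {
        if (user == owner) exit !has(uobj, "")          # owner: mask does not apply
        if (user in named) exit !has(named[user], mask) # named user: capped by mask
        if (ogroup in member) { hit = 1; if (has(gobj, mask)) exit 0 }
        for (k in ngrp) if (k in member) { hit = 1; if (has(ngrp[k], mask)) exit 0 }
        if (hit) exit 1                # a group entry matched: no fall-through to other
        exit !has(other, "")
    }'
}
# path_allows USER GROUPS WANT DIR_ACL FILE_ACL: needs x on the directory, WANT on the file.
path_allows() {
    printf '%s\n' "$4" | acl_allows "$1" "$2" x || return 1
    printf '%s\n' "$5" | acl_allows "$1" "$2" "$3"
}
# Constructed from the listings in the post (second setup, /home/test1 at 750, no ACL yet).
DIR_BEFORE=$(printf '%s\n' '# owner: test1' '# group: user1' 'user::rwx' 'group::r-x' 'other::---')
DIR_AFTER='# owner: test1
# group: user1
user::rwx
user:test2:--x
group::r-x
mask::r-x
other::---'
FILE_ACL='# owner: test1
# group: user1
user::rwx
user:test2:rwx
group::rwx
mask::rwx
other::r--'
```

`path_allows test2 user2 rwx "$DIR_BEFORE" "$FILE_ACL"` fails even though file1 already grants test2 rwx, and succeeds once `$DIR_AFTER` is used. On a live system, `namei -l /home/test1/file1` shows the same per-component permissions.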