Re-JeeP, Apprentice
Joined: 10 Oct 2006 Posts: 294 Location: Sweden
Posted: Sun Aug 05, 2007 6:22 am Post subject: ACL permission solution help
Hi!
I asked for a permission solution at #gentoo and I got the tip of ACL.
I have now read about ACL and understand pretty much how it works. But I can't figure out how to apply ACL to my problem. And that's why I need your help.
This is my problem:
I will have a folder (/share). In this folder there will be some other folders (www, school, bin, svn, etc...). I have a group which is named school. Every user in that group should be able to create files and folders in /share/school as if they owned it. But I don't want them to be able to remove the folder /share/school.
How can I solve that with ACL?
Thanks!
_________________
Dig where you stand!
Last edited by Re-JeeP on Sun Aug 05, 2007 6:59 pm; edited 2 times in total
Genone, Retired Dev
Joined: 14 Mar 2003 Posts: 9555 Location: beyond the rim
Posted: Sun Aug 05, 2007 9:45 am Post subject:
You don't need ACL for that, normal Unix permissions are enough. The important thing to know is what the "write" permission means for directories:
info coreutils 'file permissions' 'mode structure' wrote:
    2. permission to write to (change) the file. For directories, this means permission to create and remove files in the directory.
So if you give the group write access to /share/school they can create and remove files or dirs in that directory, but they'd need write permissions on /share to remove /share/school itself.
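The rule Genone states above, worked through as an added example (not code from anyone in this thread): removing an entry is a modification of the parent directory, so the kernel checks write+search permission on the parent, not on the entry being removed. The uids, gids and modes below are constructed to mirror the /share and /share/school layout from the question; the model also covers the sticky bit, which is the one extra condition a practitioner will meet on shared directories.

```python
"""Model of the rule Genone describes: unlinking or rmdir'ing an entry needs
write+search (execute) permission on the entry's PARENT directory; the
permissions on the entry itself play no part. Added example, not code from
the thread; the uids, gids and modes below are constructed."""
import stat
from dataclasses import dataclass

@dataclass(frozen=True)
class Inode:
    mode: int   # permission bits, e.g. 0o770, possibly | stat.S_ISVTX (sticky)
    uid: int
    gid: int

@dataclass(frozen=True)
class Proc:
    uid: int
    gids: frozenset

def has_perm(proc, ino, bit):
    """Owner/group/other check for one permission bit given in the owner
    column (stat.S_IRUSR / S_IWUSR / S_IXUSR). Root bypasses the bits; the
    model only covers directories, where that is always true."""
    if proc.uid == 0:
        return True
    if proc.uid == ino.uid:
        return bool(ino.mode & bit)
    if ino.gid in proc.gids:
        return bool(ino.mode & (bit >> 3))   # same bit in the group column
    return bool(ino.mode & (bit >> 6))       # same bit in the other column

def can_create_in(proc, directory):
    """Creating an entry modifies the directory: needs w and x on it."""
    return has_perm(proc, directory, stat.S_IWUSR) and has_perm(proc, directory, stat.S_IXUSR)

def can_remove(proc, parent, entry):
    """Removing an entry also modifies the parent, so the same w+x check on
    the parent applies. If the parent has the sticky bit (/tmp style), the
    caller must additionally own the entry or the parent."""
    if not can_create_in(proc, parent):
        return False
    if parent.mode & stat.S_ISVTX:
        return proc.uid in (entry.uid, parent.uid) or proc.uid == 0
    return True

# Constructed layout mirroring the question: /share owned by root, 755;
# /share/school owned by uid 1000, group 'school' (gid 1001), 770.
SHARE  = Inode(0o755, uid=0, gid=0)
SCHOOL = Inode(0o770, uid=1000, gid=1001)
REPORT = Inode(0o640, uid=1002, gid=1001)   # a file a student made inside /share/school

OWNER    = Proc(1000, frozenset({1000, 1001}))  # owner of /share/school
STUDENT  = Proc(1002, frozenset({1001}))        # member of group school
OUTSIDER = Proc(1003, frozenset({1003}))

def scenario():
    return {
        "student_creates_in_school":  can_create_in(STUDENT, SCHOOL),
        "student_removes_report":     can_remove(STUDENT, SCHOOL, REPORT),
        "owner_removes_report":       can_remove(OWNER, SCHOOL, REPORT),
        "student_removes_school_dir": can_remove(STUDENT, SHARE, SCHOOL),
        "owner_removes_school_dir":   can_remove(OWNER, SHARE, SCHOOL),
        "outsider_creates_in_school": can_create_in(OUTSIDER, SCHOOL),
    }

if __name__ == "__main__":
    for check, allowed in scenario().items():
        print(f"{check:28s} {'allowed' if allowed else 'denied'}")
```

Note that `owner_removes_school_dir` comes out denied even though the owner has full rights on /share/school itself: without write on /share, the owner is in the same position as every group member, which is exactly the point of the reply.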
Re-JeeP, Apprentice
Joined: 10 Oct 2006 Posts: 294 Location: Sweden
Posted: Sun Aug 05, 2007 11:18 am Post subject:
Genone wrote:
    You don't need ACL for that, normal Unix permissions are enough. The important thing to know is what the "write" permission means for directories:
    info coreutils 'file permissions' 'mode structure' wrote:
        2. permission to write to (change) the file. For directories, this means permission to create and remove files in the directory.
    So if you give the group write access to /share/school they can create and remove files or dirs in that directory, but they'd need write permissions on /share to remove /share/school itself.
You are so right...
But the owner of /share/school should be able to remove that dir if he has write access to it (with no write access to /share), right?
Well... Nice to learn about ACLs though. Can always come in handy.
EDIT *
Can I set a default permission mode on all files and folders that are created in a certain folder?
In my case I want all files and folders created in /share/chalmers to be owned by the one who created them, with group chalmers. Permissions should be: 770.
_________________
Dig where you stand!
Genone, Retired Dev
Joined: 14 Mar 2003 Posts: 9555 Location: beyond the rim
Posted: Sun Aug 05, 2007 12:25 pm Post subject:
Re-JeeP wrote:
    Genone wrote:
        You don't need ACL for that, normal Unix permissions are enough. The important thing to know is what the "write" permission means for directories:
        info coreutils 'file permissions' 'mode structure' wrote:
            2. permission to write to (change) the file. For directories, this means permission to create and remove files in the directory.
        So if you give the group write access to /share/school they can create and remove files or dirs in that directory, but they'd need write permissions on /share to remove /share/school itself.
    You are so right...
    But the owner of /share/school should be able to remove that dir if he has write access (with no write access to /share) to it, right?
Nope. Because creating or deleting a file or directory involves a modification of the parent directory on the filesystem level.
Quote:
    Can I set a default permission mode on all files and folders that are created in a certain folder?
Nope, for that you need full Posix ACLs. See this thread.
Last edited by Genone on Thu Aug 09, 2007 11:27 pm; edited 1 time in total
Re-JeeP, Apprentice
Joined: 10 Oct 2006 Posts: 294 Location: Sweden
Posted: Sun Aug 05, 2007 12:37 pm Post subject:
Genone wrote:
    Re-JeeP wrote:
        Genone wrote:
            You don't need ACL for that, normal Unix permissions are enough. The important thing to know is what the "write" permission means for directories:
            info coreutils 'file permissions' 'mode structure' wrote:
                2. permission to write to (change) the file. For directories, this means permission to create and remove files in the directory.
            So if you give the group write access to /share/school they can create and remove files or dirs in that directory, but they'd need write permissions on /share to remove /share/school itself.
        You are so right...
        But the owner of /share/school should be able to remove that dir if he has write access (with no write access to /share) to it, right?
    Nope. Because creating or deleting a file or directory involves a modification of the parent directory on the filesystem level.
I see...
Genone wrote:
    Quote:
        Can I set a default permission mode on all files and folders that are created in a certain folder?
    Nope, for that you need full Posix ACLs. See this thread.
Ok, thanks!
_________________
Dig where you stand!
Re-JeeP, Apprentice
Joined: 10 Oct 2006 Posts: 294 Location: Sweden
Posted: Thu Aug 09, 2007 9:42 pm Post subject:
I am now trying to set the default ACLs on a test folder.
I added the ACLs and I think I got it pretty much right.
Code:
setfacl -d -m group:school:rwx temp
I want to have it like this:
All files and folders created in temp should by default get the regular rights of 750. The owner and group should be the user who created it. Other than that, members of group school should have r, w and x rights too.
Is the output from below right then?
Code:
$ getfacl temp/
# file: temp
# owner: rejeep
# group: rejeep
user::rwx
group::r-x
other::---
default:user::rwx
default:group::r-x
default:group:school:rwx
default:mask::rwx
default:other::---
It doesn't seem right. Because if I create a file and a folder in temp I get this:
File
Code:
$ getfacl temp/file.txt
# file: file.txt
# owner: rejeep
# group: rejeep
user::rw-
group::r-x #effective:r--
group:school:rwx #effective:rw-
mask::rw-
other::---
Folder
Code:
$ getfacl temp/folder
# file: folder
# owner: rejeep
# group: rejeep
user::rwx
group::r-x
group:school:rwx
mask::rwx
other::---
default:user::rwx
default:group::r-x
default:group:school:rwx
default:mask::rwx
default:other::---
Does it get like this because of umask?
_________________
Dig where you stand!
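The getfacl output in the last post can be reproduced from the rules in acl(5), which is the cleanest way to settle the umask question. Below is an added example (not code from anyone in this thread) that feeds the directory's default ACL and the creation mode a program passes (0666 for touch/open, 0777 for mkdir) through the POSIX inheritance rule. The 'school' group is the thread's; the umask contrast values are constructed.

```python
"""POSIX default-ACL inheritance, as acl(5) specifies it, applied to the
getfacl output above. Added example, not from the thread; the 'school'
group is the thread's, the umask contrast values are constructed.
The key point it demonstrates: once a directory has a default ACL, the
umask is ignored; what limits the new entry is the mode the creating
program passes (0666 for touch/open, 0777 for mkdir), ANDed into the
owner, mask and other entries. Named entries are copied unchanged."""

# Default ACL of temp/ exactly as the thread's getfacl prints it, with the
# "default:" prefix stripped.
TEMP_DEFAULT_ACL = """\
user::rwx
group::r-x
group:school:rwx
mask::rwx
other::---
"""

def perm_bits(s):
    """'rwx'-style string -> 3-bit value (r=4, w=2, x=1)."""
    return (4 if 'r' in s else 0) | (2 if 'w' in s else 0) | (1 if 'x' in s else 0)

def perm_str(bits):
    return ('r' if bits & 4 else '-') + ('w' if bits & 2 else '-') + ('x' if bits & 1 else '-')

def parse_acl(text):
    """getfacl short form -> list of (tag, qualifier, bits); '#' comments dropped."""
    entries = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        tag, qual, perms = line.split(':')
        entries.append((tag, qual, perm_bits(perms)))
    return entries

def inherit_acl(default_acl, create_mode):
    """Access ACL of a new object created below a directory with default_acl.
    Owner (user::) and other:: are ANDed with the owner/other bits of
    create_mode; the group class of the mode lands on mask:: when a mask
    exists, else on group::. Named user/group entries are copied as-is."""
    owner_bits = (create_mode >> 6) & 7
    group_bits = (create_mode >> 3) & 7
    other_bits = create_mode & 7
    has_mask = any(tag == 'mask' for tag, _, _ in default_acl)
    result = []
    for tag, qual, bits in default_acl:
        if tag == 'user' and qual == '':
            bits &= owner_bits
        elif tag == 'other':
            bits &= other_bits
        elif tag == 'mask' or (tag == 'group' and qual == '' and not has_mask):
            bits &= group_bits
        result.append((tag, qual, bits))
    return result

def effective(acl):
    """{'tag:qualifier': (granted, effective)}; the mask caps group::,
    named users and named groups, never user:: or other::."""
    mask = next((b for t, _, b in acl if t == 'mask'), 7)
    out = {}
    for tag, qual, bits in acl:
        capped = tag == 'group' or (tag == 'user' and qual != '')
        out[f"{tag}:{qual}"] = (perm_str(bits), perm_str(bits & mask if capped else bits))
    return out

def render(acl):
    """Reproduce getfacl's entry lines, including '#effective:' annotations."""
    lines = []
    for key, (granted, eff) in effective(acl).items():
        lines.append(f"{key}:{granted}" + (f"\t#effective:{eff}" if eff != granted else ""))
    return "\n".join(lines)

def mode_without_acl(create_mode, umask):
    """Contrast: with no default ACL the classic rule create_mode & ~umask applies."""
    return create_mode & ~umask & 0o777

if __name__ == "__main__":
    acl = parse_acl(TEMP_DEFAULT_ACL)
    print("touch temp/file.txt (mode 0666):")
    print(render(inherit_acl(acl, 0o666)))
    print("mkdir temp/folder (mode 0777):")
    print(render(inherit_acl(acl, 0o777)))
    print("no default ACL, umask 022: file gets %o" % mode_without_acl(0o666, 0o022))
```

Running it yields exactly the two listings from the post: the file gets `user::rw-` and `mask::rw-` because touch asks for 0666, the folder keeps `rwx` everywhere because mkdir asks for 0777, and the `#effective:` annotations fall out of ANDing the capped entries with the mask. The umask never enters the calculation once a default ACL is present; a default mask can only be narrowed by the creating program's mode, never widened.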