

Setting Solaris ACLs that propagate to sub-directories

Posted on 2009-12-22
Medium Priority
Last Modified: 2013-12-27
We have a folder structure of
which has oracle:dba privileges as does its subfolders and they are created 750.
I want a user to scp in to see the structure in folder1 and have access to the directories in it but not put them in the dba group.
Could I create a newgroup and ACL on the newgroup for folder1 and it will propagate the ACL to existing folders and to new ones that are created in there?
If not, any other ideas how to achieve this?
Question by:cmap

Expert Comment

ID: 26110133
To modify the ACLs for existing directories, you could:

find folder1 -type d -exec setfacl -m group:newgroup:r-x {} \;

This will allow a user in "newgroup" to cd and ls the contents of folder1 and all its subdirectories.  

This modified ACL will not have any effect on newly created directories in folder1.  For that you would have to create default ACLs on the directories.

Author Comment

ID: 26111553
So if I did -
setfacl -m group:newgroup:r-x folder1
it would then propagate to all the existing directories?
and to cover for new directories I'd need to set a default ACL - would something like this work?

setfacl -d group:newgroup:r-x folder1 and it would go to new directories created later below folder1?


Expert Comment

ID: 26112544
The ACL commands work on a named file or directory. They don't propagate to subdirectories, which is why I would use it as an argument to the find command.

To set the default ACLs on folder1 and all subdirectories, you could do this (one line, split into two using \):

find folder1 -type d -exec \
setfacl -m d:user::rwx,d:group::r-x,d:other:---,d:mask:r-x,d:group:newgroup:r-x {} \;

-m  <--- modify the existing owner/group/other

d:user::rwx,d:group::r-x,d:other:---  <--- will modify the existing owner/group entries so that all new files and directories have these permissions. (Notice only one : after other.)

d:mask:r-x  <--- the highest allowable permissions besides the owner's permissions

d:group:newgroup:r-x  <--- the group you want to have read/execute permissions.  Or you could add a specific user (d:user:username:r-x).

ACLs are messy, btw.
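
A way to check the result of the two find/setfacl passes described above, as an added example that is not part of the original thread: it parses getfacl output and lists directories where newgroup lacks the access entry, lacks the default entry, or is cut off by the mask. The sample input is constructed, the names sub_a and sub_b are assumptions, and the layout assumed is that of Solaris getfacl output.

```sh
# Added example: audit getfacl output read from stdin for one group.
audit_acl() {
    awk -v grp="$1" '
        function report() {
            if (file == "") return
            if (!access) print file ": no access entry for " grp
            if (!deflt)  print file ": no default entry for " grp
            if (access && mask != "" && mask !~ /^r.x$/)
                print file ": mask " mask " limits " grp
        }
        /^# file: / { report(); file = substr($0, 9)
                      access = deflt = 0; mask = ""; next }
        /^#/ || /^[ \t]*$/ { next }
        {
            sub(/[ \t]*#.*/, "")    # strip "#effective:..." comments
            split($0, f, ":")
            if (f[1] == "mask") mask = f[2]
            if (f[1] == "group" && f[2] == grp && f[3] ~ /^r.x$/) access = 1
            if (f[1] == "default" && f[2] == "group" && f[3] == grp &&
                f[4] ~ /^r.x$/) deflt = 1
        }
        END { report() }
    '
}
sample_getfacl() {    # constructed input; sub_a and sub_b are made-up names
cat <<'EOF'
# file: folder1
user::rwx
group::r-x          #effective:r-x
group:newgroup:r-x  #effective:r-x
mask:r-x
other:---
default:user::rwx
default:group::r-x
default:group:newgroup:r-x
default:mask:r-x
default:other:---
# file: folder1/sub_a
user::rwx
group::r-x          #effective:---
group:newgroup:r-x  #effective:---
mask:---
other:---
# file: folder1/sub_b
user::rwx
group::r-x          #effective:r-x
mask:r-x
other:---
EOF
}
```

Against a real tree the input would come from `find folder1 -type d -exec getfacl {} \; | audit_acl newgroup`; no output means every directory carries both entries with a mask that lets them through.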

Accepted Solution

sakman earned 2000 total points
ID: 26142446
Did this work out for you?

Question has a verified solution.
