Setting Solaris ACLs that propagate to sub-directories

Posted on 2009-12-22
Last Modified: 2013-12-27
We have a folder structure of
which has oracle:dba privileges as does its subfolders and they are created 750.
I want a user to scp in to see the structure in folder1 and have access to the directories in it but not put them in the dba group.
Could I create a newgroup and an ACL on the newgroup for folder1 so that it will propagate the ACL to existing folders and to new ones that are created in there?
If not, any other ideas how to achieve this?
Question by:cmap
    LVL 4

    Expert Comment

    To modify the ACLs for existing directories, you could:

    find folder1 -type d -exec setfacl -m group:newgroup:r-x {} \;

    This will allow a user in "newgroup" to cd and ls the contents of folder1 and all its subdirectories.  

    This modified ACL will not have any effect on newly created directories in folder1.  For that you would have to create default ACLs on the directories.

    Author Comment

    So if I did -
    setfacl -m group:newgroup:r-x folder1
    it would then propagate to all the existing directories?
    And to cover for new directories I'd need to set a default ACL - would something like this work?

    setfacl -d group:newgroup:r-x folder1 and it would go to new directories created later below folder1 ?

    LVL 4

    Expert Comment

    The acl commands work on a named file or directory. They don't propagate to subdirectories, which is why I would use it as an argument to the find command.

    To set the default acls on folder1 and all subdirectories, you could do this (one line, split into two using \):

    find folder1 -type d -exec \
    setfacl -m d:user::rwx,d:group::r-x,d:other:---,d:mask:r-x,d:group:newgroup:r-x {} \;

    -m  <--- modify the existing owner/group/other

    d:user::rwx,d:group::r-x,d:other:---  <--- will modify the existing owner/group entries so that all new files and directories have these permissions. (Notice only one : after other.)

    d:mask:r-x  <--- the highest allowable permissions besides the owner's permissions

    d:group:newgroup:r-x  <--- the group you want to have read/execute permissions.  Or you could add a specific user (d:user:username:r-x).

    ACLs are messy, btw.
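The two find/setfacl steps above combined into one script with a verification pass, as an added example that is not from this thread. It assumes the Solaris setfacl/getfacl syntax used above, a group named newgroup and a tree rooted at folder1 (the thread's placeholders), and it goes one step beyond the answer by also giving existing regular files a read entry, since a default ACL only affects objects created afterwards; SETFACL, dir_acl_spec, file_acl_spec, apply_tree_acls and dirs_missing_default are names chosen here.

```shell
#!/bin/sh
# Added example, not the thread's own code. Solaris (UFS) setfacl/getfacl
# syntax is assumed; "newgroup" and "folder1" are the thread's placeholders.
set -eu

# Entries for a directory: an access entry for the new group, plus the four
# required default entries and the group's default entry, as in the thread.
dir_acl_spec() {
    grp=$1
    printf '%s' "group:$grp:r-x,d:user::rwx,d:group::r-x,d:other:---,d:mask:r-x,d:group:$grp:r-x"
}

# Entries for an existing regular file: read only, and no default entries,
# because default ACLs are only valid on directories. This step is an
# addition to the thread: existing files are not touched by "-type d".
file_acl_spec() {
    printf '%s' "group:$1:r--"
}

# Walk the tree once per object type. SETFACL can be overridden so the
# traversal can be exercised with a stub on a system without Solaris setfacl.
apply_tree_acls() {
    top=$1; grp=$2; cmd=${SETFACL:-setfacl}
    find "$top" -type d -exec "$cmd" -m "$(dir_acl_spec "$grp")" {} \;
    find "$top" -type f -exec "$cmd" -m "$(file_acl_spec "$grp")" {} \;
}

# Check: list every directory under $top that still lacks a default entry
# for the group, so a missed subdirectory is caught before the user logs in.
dirs_missing_default() {
    top=$1; grp=$2
    find "$top" -type d | while read -r d; do
        getfacl "$d" | grep -q "^default:group:$grp:" || echo "$d"
    done
}

# Usage: ./tree_acls.sh folder1 newgroup
if [ $# -eq 2 ]; then
    apply_tree_acls "$1" "$2"
    dirs_missing_default "$1" "$2"
fi
```

After the run, any path printed by dirs_missing_default is a directory where the default entry did not land and the setfacl output should be inspected.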
    LVL 4

    Accepted Solution

    Did this work out for you?
