ittechlab
asked on
Redhat - ACL
[dave@desktop5 test]$ ls -ld .
drwxr-xr-x+ 2 root root 4096 Jan 8 18:22 .
[dave@desktop5 test]$ getfacl .
# file: .
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:dave:-wx
default:group::r-x
default:mask::rwx
default:other::r-x
[dave@desktop5 test]$ touch file1
touch: cannot touch `file1': Permission denied
[dave@desktop5 test]$
Why can't I touch a file according to my permission?
ASKER
[root@desktop5 ~]# cd /var/lo
local/ lock/ log/
[root@desktop5 ~]# cd /var/log/test/
[root@desktop5 test]# setfacl -m u:dave:rwx .
[root@desktop5 test]# su - dave
[dave@desktop5 ~]$ cd /var/log/test/
[dave@desktop5 test]$ touch file1
[dave@desktop5 test]$ ls -l file1
-rw-rw-r--+ 1 dave dave 0 Jan 8 18:40 file1
ASKER
Why didn't wx work?
Others have r permission. Isn't that going to help dave to create contents in the directory?
[dave@desktop5 test]$ ls -ld .
drwxrwxr-x+ 2 root root 4096 Jan 8 18:40 .
Take a look at this:
ftp://ftp-uxsup.csx.cam.ac.uk/pub/doc/suse/suse9.0/adminguide-9.0/node27.html
It states:
Default ACL
Default ACLs can only be applied to directories. They determine the permissions a file system object inherits from its parent directory when it is created.
Dave only had default. Didn't have actual permissions. He was considered "others".
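The distinction in the answer above, as an added example that is not part of the original thread: a small Python model of the access check order documented in acl(5), run over the getfacl output from the question. The function names are hypothetical, the AFTER_FIX text is constructed to reflect `setfacl -m u:dave:rwx .`, and root's override of permission checks is not modeled.

```python
ORIGINAL = """\
# file: .
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:dave:-wx
default:group::r-x
default:mask::rwx
default:other::r-x
"""  # getfacl output from the question
AFTER_FIX = ORIGINAL + "user:dave:rwx\nmask::rwx\n"  # constructed: after the setfacl fix

def parse_getfacl(text):
    """Return (header fields, access entries, default entries)."""
    meta, access, default = {}, {}, {}
    for line in text.splitlines():
        if line.startswith("#"):
            key, _, val = line[1:].partition(":")
            meta[key.strip()] = val.strip()
        elif line.strip():
            fields = line.split("#")[0].strip().split(":")
            tag, qualifier, perms = fields[-3:]
            target = default if fields[0] == "default" else access
            target[(tag, qualifier)] = set(perms) - {"-"}
    return meta, access, default

def check(user, groups, want, meta, access):
    """acl(5) order: owner, named user, groups, other. Defaults are never read."""
    want = set(want)
    mask = access.get(("mask", ""), set("rwx"))
    if user == meta["owner"]:
        return want <= access[("user", "")], "user::"
    if ("user", user) in access:
        return want <= (access[("user", user)] & mask), "user:" + user
    hits = [p & mask for (t, q), p in access.items()
            if t == "group" and (q or meta["group"]) in groups]
    if hits:
        return any(want <= p for p in hits), "group"
    return want <= access[("other", "")], "other::"

def dave_can_create(acl_text):
    meta, access, _defaults = parse_getfacl(acl_text)
    return check("dave", ["dave"], "wx", meta, access)  # create = w+x on the dir

if __name__ == "__main__":
    print(dave_can_create(ORIGINAL), dave_can_create(AFTER_FIX))
```

For the ACL in the question the deciding entry is `other::r-x`, which has no w, so the create is refused even though `default:user:dave:-wx` is present.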
ASKER
default:user:dave:-wx
I am still not clear. This is what dave had according to your recent explanation, right?
Yes, this is NOT the permission for dave! This is the default permission for files created. Dave did not have any permissions. Since the folder was owned by user and group root, dave was "others". I made special permission for dave.
Did you read the link above in detail?
Don't you just need to change the perms to 777 for the test directory or make dave the owner?
The original post test was owned by root and the directory only had permissions for root to write to it.
@Jools: Right, but with ACL, he can allow dave any kind of permission without changing any ownership, and that is what he is trying to do. The only thing is that the user permission in ACL and default permissions are two different concepts.
ASKER
Based on my original post, dave had the following permission. Why couldn't he create a file?
default:user:dave:-wx
ASKER
setfacl -m user:dave:wx test
What does this mean then? Am I not allowing dave to create contents in the test folder?
In your original post, I only saw user dave with default and NO PERMISSIONS.
>> Am I not allowing dave to create contents in the test folder?
Then take away the write permission not the read permission. When he creates files/folders in a folder, he uses the write permission of the folder not the read permission.
ASKER
setfacl -m user:dave:wx /var/log/test/
setfacl: Option -m: Invalid argument near character 6
What's wrong with this?
cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.7 (Tikanga)
Doesn't the file need to be owned by someone other than root then?
ASKER
I fixed it.
How come it works in Red Hat 5.7, and when I apply the same in Red Hat 6 it does not work?
If you don't want dave to have write permissions, you don't need to do anything because he will be "others" and will be able to read and execute anyway.
@Jools: are you asking me? If so, elaborate your question. Otherwise please disregard this comment.
ASKER
Did something change with the recent version? I didn't see the default:user part before.
No, ACLs are the same even in RHEL 4 and obviously 5 and 6. Only that you have one machine with default and other with actual permissions. In RHEL4 you had to remount partitions with ACL options. In RHEL6 ACLs are enabled by default.
ASKER
I have Red Hat 6 and 5.7. When I tried to set up ACL, the output was different. One didn't have the default part.
ASKER
How come it's working in 5.7? If I apply the same steps, I don't see it working in Red Hat 6. I don't see any default stuff here.
[root@~]# useradd test
[root@~]# mkdir /var/log/testDir
[root@~]# ls -ld /var/log/testDir/
drwxr-x--- 2 root root 4096 Jan 9 11:11 /var/log/testDir/
[root@~]# setfacl -m user:test:wx /var/log/testDir/
[root@~]# su - test
[test@~]$ cd /var/log/testDir/
[test@testDir]$ touch file1
[test@testDir]$ getfacl .
# file: .
# owner: root
# group: root
user::rwx
user:test:-wx
group::r-x
mask::rwx
other::---
I was able to issue the setfacl command on RHEL6.3 and get the expected outcome without default. So I am not sure why it is happening with you as conceptually it shouldn't unless you specifically set the default and I am able to work it correctly on RHEL6.
setfacl -m u:dave:rwx .
touch file1
ls -l file1
What are the permissions of file1?