acl questions - Page 1

Lucas Aimaretto

Asked: 2019-08-10 06:13:45 +0800 CST

SETFACL to not go out of /home

1

So I've been testing ACL's in Linux and they work as intended. I have, for example, this folder where I've stablished permissions for users belonging to the gruop share. So far, so good...

lucas@lucas:/$ getfacl testAcl/
# file: testAcl/
# owner: root
# group: root
user::rwx
group::rwx
group:share:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:share:rwx
default:mask::rwx
default:other::---

This works fine. Once the ACL has been set, users can or cannot go into the specified folder, as per their group membership.

But I'm interested in something a little different: users usually log into the server, and they land in their /home/user folder. How can I set up an ACL so users can't leave the /home directory but also be able to go deeper inside /home/share, for example?

I've though about two options so far:

All users belonging to group adm CAN leave /home, or ...
All users belonging to group share CANNOT leave /home.

How can I set that up using setfacl?

Ukuser32

Asked: 2019-05-02 02:02:57 +0800 CST

Default folder/file created ACL permissions not correct

3

I have applied the following settings to my core html folder:

chown :ftpaccess html -R
chmod 0775  html -R
setfacl -R -d -m group:ftpaccess:rwx html

However whenever anyone creates a new file or folder in the html (or subfolder) it doesn't default to user:ftpaccess with 0775 permissions.

What I get (created as root in nano is):

getfacl test2.txt
# file: test2.txt
# owner: root
# group: root
user::rw-
group::rwx                      #effective:rw-
group:ftpaccess:rwx             #effective:rw-
mask::rw-
other::r--

What do I need to do to make this apply to subdirectories? I thought the -d would have fixed that. Is it something to do with sticky ?

most2

Asked: 2019-04-17 07:23:46 +0800 CST

How to grant non-root user access only to /var/log directory

3

I have newly created non-root(normal) user and want to grant access only to /var/log directory so that the user can view and monitor the logs. The user should not be able to cd/ls or access the /etc directory and do anything else apart from viewing files in /var/log. Is this setup possible?

I have tried to use setfacl -m u:user:--- on the /etc directory, but getting the /etc/profile permission denied error when logging in with the user.

How can i achieve this?

koninka

Asked: 2018-03-21 02:40:32 +0800 CST

Is it possible to keep setgid bit when unzipping files as non-root user?

2

I have a folder with the following permissions:

drwxrws--x+ 13 myuser  www-data      4096 Mar 20 09:57 project-folder

In this folder I have an archive archive.zip with the following permissions:

-rw-rw----+    1 myuser www-data  10260 Mar 20 09:56 archive.zip

When I unzipped archive by calling unzip archive.zip I got the following file listing:

drwxrwx--x+    3 myuser www-data   4096 May  5  2017 folder-from-archive

As we can see, the owner group is www-data as same for parent folder project-folder, but the folder-from-archive does not have the setgid bit (the s in the permissions string) and the content of this folder is not owned by group www-data:

-rw-rw----+ 1 myuser myuser 1083 May  5  2017 LICENSE
-rw-rw----+ 1 myuser myuser 2197 May  5  2017 README.md
-rw-rw----+ 1 myuser myuser  720 May  5  2017 autoload.php
-rw-rw----+ 1 myuser myuser  786 May  5  2017 composer.json
drwxrwx--x+ 3 myuser myuser 4096 May  5  2017 source

But when I tried unzipping this archive as root user the permissions and group owner (as well as the files in the folder) were correct:

drwxr-s--x+    3 root www-data   4096 May  5  2017 folder-from-archive

Files in folder folder-from-archive:

-rw-r-----+ 1 root www-data 1083 May  5  2017 LICENSE
-rw-r-----+ 1 root www-data 2197 May  5  2017 README.md
-rw-r-----+ 1 root www-data  720 May  5  2017 autoload.php
-rw-r-----+ 1 root www-data  786 May  5  2017 composer.json
drwxr-s--x+ 3 root www-data 4096 May  5  2017 source

As we can see after unzipping by root user the folder inherited the setgid bit and set correct group www-data for itself and all containing files.

How to get the same behavior for the user myuser?

Baa

Asked: 2018-03-19 09:17:44 +0800 CST

Discrepancy with the output of `ls -al` and `getfacl`

4

I have run the following script to set permissions into /etc/nginx

#!/usr/bin/env bash

sudo chown -R root:root /etc/nginx
sudo chmod -R 0750 /etc/nginx
sudo setfacl -Rbk -m g:hugo:rwx /etc/nginx
sudo setfacl -R --mask -m g:www-data:rx /etc/nginx

However, when I check the permissions afterwards there is a discrepancy in the results for the 'group' of ls -al and getfacl

$ ls -al /etc/nginx
total 24
drwxrwx---+   5 root root 4096 Mar 18 17:07 .

$ getfacl /etc/nginx
getfacl: Removing leading '/' from absolute path names
# file: etc/nginx
# owner: root
# group: root
user::rwx
group::r-x
group:www-data:r-x
group:hugo:rwx
mask::rwx
other::---

Why?

SETFACL to not go out of /home

Default folder/file created ACL permissions not correct

How to grant non-root user access only to /var/log directory

Is it possible to keep setgid bit when unzipping files as non-root user?

Discrepancy with the output of `ls -al` and `getfacl`

How to install Google Chrome

Is there a command to list all users? Also to add, delete, modify users, in the terminal?

How to delete a non-empty directory in Terminal?

How to unzip a zip file from the Terminal?

How can I copy the contents of a folder to another folder in a different directory using terminal?

How do I install a .deb file via the command line?

How do I run .sh scripts?

How do I install a .tar.gz (or .tar.bz2) file?

How to list all installed packages

Unable to lock the administration directory (/var/lib/dpkg/) is another process using it?

Questions[acl](ubuntu)