Create a shared folder using acl

#1  jcdole  04-14-2017

Hello.
I need some help to create a shared folder.

A group 'publicuser' has been created.
A user 'publicuser' has been created (no login, no home) and belongs to group 'publicuser'.
A public folder '/doc' has been created and its owner is publicuser:publicuser.
  1. All users belonging to group 'publicuser' can create folders under '/doc'.
  2. All users belonging to group 'publicuser' can create folders in other users' folders as long as they reside under '/doc'. Users' folders are just non-private folders.
  3. All users belonging to group 'publicuser' can read, write and modify any type of file anywhere, independently of who the owner is, as long as they reside under '/doc'.
  4. Only the owner can delete objects.
  5. Files cannot be executed.

I have tried this piece of code, but I cannot go through folders.


Code:
# ---
# step 4 CREATE PUBLIC FOLDER
# ---
# PUB_GROUPS (whitespace-separated list of public folders) and E_BAD_PARAM
# are set earlier in the script (not shown here).

for A_PUB_FOLDER in $PUB_GROUPS ; do

    if [[ "$A_PUB_FOLDER" == "/" ]] ; then
        echo "ERROR - THIS PUBLIC FOLDER IS NOT DEFINED : \"$A_PUB_FOLDER\" "
        echo "EXITING ..."
        exit "$E_BAD_PARAM"
    fi
    #
    echo
    echo "--------------------------"
    echo "Doing : $A_PUB_FOLDER"
    echo "--------------------------"
    echo
    #
    # Create the folder first: setfacl -b fails on a path that does not exist yet
    #
    mkdir -pv "$A_PUB_FOLDER"
    #
    # Remove acl
    #
    CMD="setfacl -b $A_PUB_FOLDER"                  # remove acl
    echo "COMMAND : $CMD"
    ${CMD}
    #
    chmod -v +t "$A_PUB_FOLDER"                     # set sticky bit
    chmod -v +x "$A_PUB_FOLDER"                     # set execute bit
    #
    chown -Rv publicuser:publicuser "$A_PUB_FOLDER"
    #
    setfacl -R -m u::rw- "$A_PUB_FOLDER"            # set user to rw-
    setfacl -R -m g::r-- "$A_PUB_FOLDER"            # set group to r--
    setfacl -R -m g:publicuser:rw- "$A_PUB_FOLDER"  # set group publicuser to rw-
    setfacl -R -m o::--- "$A_PUB_FOLDER"            # set other to ---
    # Set default
    setfacl -R -d -m u::rw- "$A_PUB_FOLDER"         # set user rw- default
    setfacl -R -d -m o::--- "$A_PUB_FOLDER"         # set other --- default
    setfacl -R -d -m g::r-- "$A_PUB_FOLDER"         # set group r-- default
    setfacl -R -d -m g:publicuser:rw- "$A_PUB_FOLDER"  # set group publicuser rw- default
#
done
#

The execute bit is not set on the folders.

Any help is welcome

#2  jim mcnamara (Forum Staff)  04-14-2017
Try using the sticky bit, like the way the /tmp directory is set up.
Apply the sticky bit to all directories, and set ownership of them to publicuser.
ACLs will work but are complex, as you found.

Example:

Code:
chown -R publicuser:publicuser $A_PUB_FOLDER
chmod 1770 $( find $A_PUB_FOLDER -type d )

#3  jcdole  04-16-2017
Quote:
Originally Posted by jim mcnamara View Post
Try using the sticky bit, like the way the /tmp directory is set up.
Apply the sticky bit to all directories, and set ownership of them to publicuser.
ACLs will work but are complex, as you found.

Example:

Code:
chown -R publicuser:publicuser $A_PUB_FOLDER
chmod 1770 $( find $A_PUB_FOLDER -type d )

  1. chmod 1770 seems not to be sufficient
    1. ==> Folder not accessible
    2. files belong to user_name:users (users is the universal group for all users), not to user_name:publicuser

  2. Changing to chmod 3770 seems not fully sufficient
    1. files belong to user_name:publicuser ==> OK
    2. But users can edit files only with vi in a terminal session, not with kate (GUI).

Error: SUSE Paste

see full logs: SUSE Paste

Any help is welcome

---------- Post updated at 18:28 ---------- Previous update was at 18:05 ----------

Forget the previous post.

I think the user cannot write because the files have an effective mask of r--.


Code:
user_test2@MY-SERVER-LINUX:~> getfacl /d_pub_folder/user_test1
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder/user_test1
# owner: publicuser
# group: publicuser
# flags: -st
user::rwx
group::---
group:publicuser:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:publicuser:rwx
default:mask::rwx
default:other::---

user_test2@MY-SERVER-LINUX:~> getfacl /d_pub_folder/user_test1/test_creation_user_test1_01.txt
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder/user_test1/test_creation_user_test1_01.txt
# owner: user_test1
# group: publicuser
user::rw-
group::---
group:publicuser:rwx            #effective:r--
mask::r--
other::r--

user_test2@MY-SERVER-LINUX:~>

After logging out and in again, it is not possible to edit files that you don't own yourself with vi or kate.
I suppose it is because the effective mask is r--.

Any help is welcome

---------- Post updated at 18:50 ---------- Previous update was at 18:28 ----------

I have read that it is possible to define a mask.
I will give it a try and report back.

---------- Post updated at 20:35 ---------- Previous update was at 18:50 ----------

I have set the mask:

Code:
    setfacl -R -m u::rwx "$A_PUB_FOLDER"            # set user to rwx
    setfacl -R -m g::--- "$A_PUB_FOLDER"            # set group to ---
    setfacl -R -m o::--- "$A_PUB_FOLDER"            # set other to ---
    setfacl -R -m g:publicuser:rwx "$A_PUB_FOLDER"  # set group publicuser to rwx
    # Set default
    setfacl -R -d -m u::rwx "$A_PUB_FOLDER"         # set user rwx default
    setfacl -R -d -m o::--- "$A_PUB_FOLDER"         # set other --- default
    setfacl -R -d -m g::--- "$A_PUB_FOLDER"         # set group --- default
    setfacl -R -d -m g:publicuser:rwx "$A_PUB_FOLDER"  # set group publicuser rwx default
    # set mask
    setfacl -R -m m::rwx "$A_PUB_FOLDER"            # set mask to rwx
    setfacl -R -d -m m::rwx "$A_PUB_FOLDER"         # set mask to rwx default
    #

Nothing new.
OK ==> users not in group publicuser cannot access folders owned by publicuser.
OK ==> users in group publicuser can create/edit files they own in any folder owned by publicuser.
bad ==> A user (belonging to publicuser) in their own folder cannot edit files created by other users (belonging to group publicuser).
bad ==> until a user (belonging to publicuser) edits or creates a file, the file mask returns to r--

Code:
user_test1@MY-SERVER-LINUX:~> getfacl /d_pub_folder/user_test1/*
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder/user_test1/new_file_01.txt
# owner: user_test1
# group: publicuser
user::rw-
group::---
group:publicuser:rwx            #effective:r--
mask::r--
other::r--

# file: d_pub_folder/user_test1/test_user_test1_01.txt
# owner: user_test1
# group: publicuser
user::rw-
group::---
group:publicuser:rwx            #effective:rw-
mask::rw-
other::---

# file: d_pub_folder/user_test1/test_user_test2_02.txt
# owner: user_test2
# group: publicuser
user::rw-
group::---
group:publicuser:rwx            #effective:rw-
mask::rw-
other::---

# file: d_pub_folder/user_test1/test_user_test2_02.txt~
# owner: user_test1
# group: publicuser
user::rw-
group::---
group:publicuser:rwx            #effective:rw-
mask::rw-
other::---

# file: d_pub_folder/user_test1/test_user_test2_03.txt
# owner: user_test1
# group: publicuser
user::rw-
group::---
group:publicuser:rwx            #effective:r--
mask::r--
other::r--


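The `#effective:r--` lines in the getfacl output above come from two kernel rules that the posts do not spell out. First, when the parent directory carries a default ACL, umask is not applied at all; instead the mode the creating program passes to open(2) is ANDed into the new file's `user::`, `mask::` and `other::` entries, while named entries such as `group:publicuser:rwx` are copied unchanged. Second, chmod(2) on a file that has a mask entry rewrites the mask from the group bits, not `group::`. So a file created with a 0666 request gets `mask::rw-` and `other::---` (the `test_user_test1_01.txt` pattern), a 0644 request gives `mask::r--`, and a chmod 0644 after the fact gives `mask::r--` plus `other::r--` (the `new_file_01.txt` pattern). The bash model below is an added example, not code from the thread; `acl_create`, `acl_chmod` and `effective` are this example's own names, and the only input taken from the thread is the default ACL shown on `/d_pub_folder/user_test1`.

```bash
#!/bin/bash
# Added example, not code from the thread: a model of how Linux derives a new
# file's ACL from the directory's default ACL (fs/posix_acl.c,
# posix_acl_create) and how chmod(2) rewrites it (posix_acl_chmod).
# ACLs use setfacl's short form:  u::rwx,g::---,g:publicuser:rwx,m::rwx,o::---
set -u

perm_to_bits() {                       # "rw-" -> 6
    local n=0
    case $1 in r??) n=$((n | 4)) ;; esac
    case $1 in ?w?) n=$((n | 2)) ;; esac
    case $1 in ??x) n=$((n | 1)) ;; esac
    echo "$n"
}

bits_to_perm() {                       # 6 -> "rw-"
    local n=$1 s=
    if (( n & 4 )); then s+=r; else s+=-; fi
    if (( n & 2 )); then s+=w; else s+=-; fi
    if (( n & 1 )); then s+=x; else s+=-; fi
    echo "$s"
}

# _apply_mode OP ACL MODE.  OP=create ANDs the requested mode into the
# entries (what the kernel does at open(O_CREAT) when a default ACL exists;
# umask is ignored).  OP=chmod replaces them (what chmod(2) does).
# u::, o:: and the mask (or g:: when there is no mask) are affected;
# named user/group entries are never touched.
_apply_mode() {
    local op=$1 acl=$2 mode=$((8#$3)) out= has_mask=0 entry tag qual perm bits sel
    case ",$acl," in *,m::*) has_mask=1 ;; esac
    local IFS=,
    for entry in $acl; do
        IFS=: read -r tag qual perm <<<"$entry"
        bits=$(perm_to_bits "$perm")
        case "$tag:$qual" in
            u:) sel=$(( (mode >> 6) & 7 )) ;;
            m:) sel=$(( (mode >> 3) & 7 )) ;;
            g:) if (( has_mask )); then sel=; else sel=$(( (mode >> 3) & 7 )); fi ;;
            o:) sel=$(( mode & 7 )) ;;
            *)  sel= ;;                     # u:NAME / g:NAME keep their perms
        esac
        if [ -n "$sel" ]; then
            if [ "$op" = create ]; then bits=$(( bits & sel )); else bits=$sel; fi
        fi
        out+="${out:+,}$tag:$qual:$(bits_to_perm "$bits")"
    done
    echo "$out"
}
acl_create() { _apply_mode create "$1" "$2"; }   # acl_create DEFAULT_ACL REQUESTED_MODE
acl_chmod()  { _apply_mode chmod  "$1" "$2"; }   # acl_chmod  FILE_ACL    NEW_MODE

# effective ACL ENTRY -> what the kernel really grants that entry.
# The mask clips named entries and g::; it does not apply to u:: and o::.
effective() {
    local acl=$1 want=$2 mask=7 perm= entry tag qual p
    local IFS=,
    for entry in $acl; do
        IFS=: read -r tag qual p <<<"$entry"
        if [ "$tag:$qual" = m: ]; then mask=$(perm_to_bits "$p"); fi
        if [ "$tag:$qual" = "$want" ]; then perm=$(perm_to_bits "$p"); fi
    done
    [ -n "$perm" ] || { echo "no entry $want in $acl" >&2; return 1; }
    case $want in u:|o:) mask=7 ;; esac
    bits_to_perm $(( perm & mask ))
}

# The default ACL from the thread's getfacl /d_pub_folder/user_test1 output.
DEFAULT='u::rwx,g::---,g:publicuser:rwx,m::rwx,o::---'

demo() {
    local f
    f=$(acl_create "$DEFAULT" 0666)                      # editor asks for 0666
    printf 'create 0666 : %s  g:publicuser effective %s\n' "$f" "$(effective "$f" g:publicuser)"
    f=$(acl_create "$DEFAULT" 0644)                      # program asks for 0644
    printf 'create 0644 : %s  g:publicuser effective %s\n' "$f" "$(effective "$f" g:publicuser)"
    f=$(acl_chmod "$(acl_create "$DEFAULT" 0666)" 0644)  # saved, then chmod 0644
    printf 'chmod 0644  : %s  g:publicuser effective %s\n' "$f" "$(effective "$f" g:publicuser)"
}
demo
```

Run it as a plain script; the three lines it prints are the three file ACL shapes that appear in the getfacl listings of this post. The practical consequence is that a default ACL can widen what the group may get (by switching umask off) but can never grant more than the creating program asked for, and a later `chmod 0644` by the saving program narrows the mask again regardless of any default.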
#4  Corona688 (Forum Staff)  04-21-2017
Why are ACLs being used here? Is this a network filesystem or some other such thing where they might be required?
#5  jcdole  04-25-2017
Quote:
Originally Posted by Corona688 View Post
Why are ACLs being used here? Is this a network filesystem or some other such thing where they might be required?
For the moment it is on a simple Linux multi-user box.

As said in post #1:
Quote:
A group 'publicuser' has been created.
A user 'publicuser' has been created (no login, no home) and belongs to group 'publicuser'.
A public folder '/doc' has been created and its owner is publicuser:publicuser.
  1. All users belonging to group 'publicuser' can create folders under '/doc'.
  2. All users belonging to group 'publicuser' can create folders in other users' folders as long as they reside under '/doc'. Users' folders are just non-private folders.
  3. All users belonging to group 'publicuser' can read, write and modify any type of file anywhere, independently of who the owner is, as long as they reside under '/doc'.
  4. Only the owner can delete objects.
  5. Files cannot be executed.
You can't do that with just chmod. You need ACLs.
Everybody can do any action in the folder /doc (or any sub-folder). But in that folder (or sub-folders) they may not delete any object they do not own.
#6  Corona688 (Forum Staff)  04-25-2017
Quote:
Originally Posted by jcdole View Post
Everybody can do any action in the folder /doc (or any sub-folder). But in that folder (or sub-folders) they may not delete any object they do not own.
You can do that with just chmod; ACLs are not needed. Set the folder U+S, just like they do on /tmp/, and you will only be able to delete your own files. G+S has a different meaning: it forces the group of created files to be the same group as the directory.

[edit] Jim already suggested this a week ago.
#7  jcdole  04-26-2017
Quote:
Originally Posted by Corona688 View Post
You can do that with just chmod; ACLs are not needed. Set the folder U+S, just like they do on /tmp/, and you will only be able to delete your own files. G+S has a different meaning: it forces the group of created files to be the same group as the directory.

[edit] Jim already suggested this a week ago.
As I have already said, that does not do what I want.

Using G+S in the PUBLIC SHARED FOLDER:
a) deletion of files not owned forbidden: OK
b) creation in the user's own folder: OK
c) creation in another user's folder: OK
d) editing files owned by others in one's own folder: KO, access denied
e) editing files owned by others in any other folder (owned or not owned): KO, access denied

Files are marked as
user::rw-
group::r--
other::r--

My test script in pseudo code :

Code:
chown -R publicuser:publicuser $A_PUB_FOLDER
chmod u+s $( find $A_PUB_FOLDER -type d )


test script: acl_sample_11.sh
see details: SUSE Paste


su to root

for each public folders
step 1 remove all acl
step 2 remove all files and subdirectories
step 3 create $A_PUB_FOLDER
step 4 chown -Rv publicuser:publicuser $A_PUB_FOLDER
        chmod -v 0770 $( find $A_PUB_FOLDER -type d )
        chmod -v u+s $( find $A_PUB_FOLDER -type d )

step 5 if $A_PUB_FOLDER == $A_SPECIFIC_PUB_FOLDER
    step 5-a  create another subfolder $A_SPECIFIC_PUB_FOLDER/SOME_FOLDER
    step 5-b
        chown -Rv publicuser:publicuser $A_SPECIFIC_PUB_FOLDER/SOME_FOLDER
        chmod -v 0770 $( find $A_SPECIFIC_PUB_FOLDER/SOME_FOLDER -type d )
        chmod -v u+s $( find $A_SPECIFIC_PUB_FOLDER/SOME_FOLDER -type d )
step 7 for some user in list
    step 7-a
        create sub folder $A_PUB_FOLDER/$A_USER
    step 7-b
        chown -Rv publicuser:publicuser $A_PUB_FOLDER/$A_USER
        chmod -v 0770 $( find $A_PUB_FOLDER/$A_USER -type d )
        chmod -v u+s $( find $A_PUB_FOLDER/$A_USER -type d )
step 8
    step 8-a su to user1 ; create test file in $A_PUB_FOLDER/user1
    step 8-b su to user2 ; create test file in $A_PUB_FOLDER/user2
    step 8-c as user2 ; create test file in $A_PUB_FOLDER/user1

step 9
print acl for user1 and user2

Code:
MY-SERVER-LINUX:~ # getfacl /d_pub_folder
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder
# owner: publicuser
# group: publicuser
# flags: s--
user::rwx
group::rwx
other::---

MY-SERVER-LINUX:~ # getfacl /d_pub_folder/user_test1
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder/user_test1
# owner: publicuser
# group: publicuser
# flags: s--
user::rwx
group::rwx
other::---

MY-SERVER-LINUX:~ # getfacl /d_pub_folder/user_test1/*
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder/user_test1/test_user_test1_03.txt
# owner: user_test1
# group: users
user::rw-
group::r--
other::r--

# file: d_pub_folder/user_test1/test_user_test2_04.txt
# owner: user_test2
# group: users
user::rw-
group::r--
other::r--

MY-SERVER-LINUX:~ # getfacl /d_pub_folder/user_test2
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder/user_test2
# owner: publicuser
# group: publicuser
# flags: s--
user::rwx
group::rwx
other::---

MY-SERVER-LINUX:~ # getfacl /d_pub_folder/user_test2/*
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder/user_test2/test_user_test2_03.txt
# owner: user_test2
# group: users
user::rw-
group::r--
other::r--

=+=+=+=+=+=+=+=+=+=+=+=+=+=

Quote:
Originally Posted by jim mcnamara View Post
Try using the sticky bit, like the way the /tmp directory is set up.
Apply the sticky bit to all directories, and set ownership of them to publicuser.
ACLs will work but are complex, as you found.

Example:

Code:
chown -R publicuser:publicuser $A_PUB_FOLDER
chmod 1770 $( find $A_PUB_FOLDER -type d )

does not work;
same comments as above.

My script in pseudo code :

Code:
chown -R publicuser:publicuser $A_PUB_FOLDER
chmod 1770 $( find $A_PUB_FOLDER -type d )



test script: acl_sample_10.sh
see details: SUSE Paste

su to root

for each public folders
step 1 remove all acl
step 2 remove all files and subdirectories
step 3 create $A_PUB_FOLDER
step 4 chown -Rv publicuser:publicuser $A_PUB_FOLDER
        chmod -v 1770 $( find $A_PUB_FOLDER -type d )
step 5 if $A_PUB_FOLDER == $A_SPECIFIC_PUB_FOLDER
    step 5-a  create another subfolder $A_SPECIFIC_PUB_FOLDER/SOME_FOLDER
    step 5-b
        chown -Rv publicuser:publicuser $A_SPECIFIC_PUB_FOLDER/SOME_FOLDER
        chmod -v 1770 $( find $A_SPECIFIC_PUB_FOLDER/SOME_FOLDER -type d )
step 7 for some user in list
    step 7-a
        create sub folder $A_PUB_FOLDER/$A_USER
    step 7-b
        chown -Rv publicuser:publicuser $A_PUB_FOLDER/$A_USER
        chmod -v 1770 $( find $A_PUB_FOLDER/$A_USER -type d )
step 8
    step 8-a su to user1 ; create test file in $A_PUB_FOLDER/user1
    step 8-b su to user2 ; create test file in $A_PUB_FOLDER/user2
    step 8-c as user2 ; create test file in $A_PUB_FOLDER/user1

step 9
print acl for user1 and user2

Code:
MY-SERVER-LINUX:~ # getfacl /d_pub_folder
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder
# owner: publicuser
# group: publicuser
# flags: --t
user::rwx
group::rwx
other::---

MY-SERVER-LINUX:~ # getfacl /d_pub_folder/user_test1
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder/user_test1
# owner: publicuser
# group: publicuser
# flags: --t
user::rwx
group::rwx
other::---

MY-SERVER-LINUX:~ # getfacl /d_pub_folder/user_test1/*
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder/user_test1/test_user_test1_03.txt
# owner: user_test1
# group: users
user::rw-
group::r--
other::r--

# file: d_pub_folder/user_test1/test_user_test2_04.txt
# owner: user_test2
# group: users
user::rw-
group::r--
other::r--

MY-SERVER-LINUX:~ # getfacl /d_pub_folder/user_test2
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder/user_test2
# owner: publicuser
# group: publicuser
# flags: --t
user::rwx
group::rwx
other::---

MY-SERVER-LINUX:~ # getfacl /d_pub_folder/user_test2/*
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder/user_test2/test_user_test2_03.txt
# owner: user_test2
# group: users
user::rw-
group::r--
other::r--

Any help is welcome
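Putting posts #2, #6 and the tests in this post together: the sticky bit (requirement 4), setgid on the directories (so files land in group publicuser instead of user:users, as seen in the listings above), group-writable directories, and a default ACL whose real job is to switch umask off, so that an editor that asks for 0666 ends up with group rw- instead of the umask'd r-- shown in these listings. The script below is an added example, not the thread's `acl_sample_10.sh`/`acl_sample_11.sh`; `setup_shared_dir` and `audit_shared_dir` are its own names, and it assumes Linux with the acl package installed and that OWNER and GROUP already exist (the thread's `publicuser:publicuser`). Three caveats apply. The sticky bit also lets the directory's owner delete anything in it, which is why the directories belong to a no-login account. Requirement 3 still depends on the saving program requesting group write: a program that creates with 0644, or chmods to 0644 after saving, leaves that one file with an effective r-- for the group and no default ACL can override that. Requirement 5 cannot be enforced by modes at all, since the creating program picks them; mounting the tree `noexec` is the control that actually holds.

```bash
#!/bin/bash
# Added example, not code from the thread: create and audit a group-shared
# tree. Assumes Linux, the acl package, and existing OWNER/GROUP accounts.
#   directories 3770  setgid: new files inherit GROUP
#                     sticky: only a file's owner (or the directory owner /
#                             root) can delete or rename it
#   files       0660  no execute bit for anybody
#   default ACL       present mainly so umask is ignored on create and the
#                     group gets whatever the program requested (rw- for 0666)
set -u

setup_shared_dir() {                   # setup_shared_dir DIR OWNER GROUP  (run as root)
    local dir=$1 owner=$2 grp=$3 acl
    mkdir -p -- "$dir"
    # -exec instead of chmod $(find ...): no word splitting, no argument limit
    find "$dir" -type d -exec chown "$owner:$grp" {} + -exec chmod 3770 {} +
    find "$dir" -type f -exec chgrp "$grp" {} + -exec chmod 0660 {} +
    # X = execute only on directories (or files that already have it),
    # so files stay non-executable while directories stay traversable.
    acl="u::rwX,g::---,g:$grp:rwX,m::rwX,o::---"
    setfacl -R -b -- "$dir"
    setfacl -R -m "$acl" -- "$dir"
    find "$dir" -type d -exec setfacl -d -m "$acl" {} +
}

# audit_shared_dir DIR GROUP: list anything that breaks the layout above.
# Pure find, no root needed. Returns 0 when the tree is clean, 1 otherwise.
audit_shared_dir() {
    local dir=$1 grp=$2 bad
    bad=$(
        find "$dir" -type d \( ! -perm -3000 -o ! -group "$grp" \) -print \
            | sed 's/^/dir (needs setgid+sticky, group): /'
        find "$dir" -type f \( -perm -100 -o -perm -010 -o -perm -001 \
                               -o ! -group "$grp" \) -print \
            | sed 's/^/file (exec bit or wrong group): /'
        find "$dir" \( -perm -004 -o -perm -002 -o -perm -001 \) -print \
            | sed 's/^/world-accessible: /'
    )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" >&2
    return 1
}

if [ $# -gt 0 ]; then
    case $1 in
        setup) setup_shared_dir "$2" "$3" "$4" ;;
        audit) audit_shared_dir "$2" "$3" ;;
        *) echo "usage: $0 setup DIR OWNER GROUP | audit DIR GROUP" >&2; exit 2 ;;
    esac
fi
```

Run `setup /d_pub_folder publicuser publicuser` once as root, then `audit /d_pub_folder publicuser` from any account whenever a file shows up with unexpected bits; `getfacl -R /d_pub_folder` shows whether the default entries survived. The audit deliberately checks modes and groups only: it runs on a box without the acl tools, and the ACL masks that the effective-rights problem depends on are visible in getfacl's `#effective:` column.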