Create a shared folder using acl

# 1  
Old 04-14-2017
Create a shared folder using acl

Hello.
I need some help to create a shared folder.

A group 'publicuser' has been created.
A user 'publicuser' has been created (no login, no home) and belongs to group 'publicuser'.
A public folder '/doc' has been created and its owner is publicuser:publicuser.
  1. All users belonging to group 'publicuser' can create folders under '/doc'.
  2. All users belonging to group 'publicuser' can create folders in other users' folders as long as they reside under '/doc'. Users' folders are just non-private folders.
  3. All users belonging to group 'publicuser' can read, write and modify any type of file everywhere, independently of who the owner is, as long as they reside under '/doc'.
  4. Only the owner can delete objects.
  5. Files cannot be executed.

I have tried this piece of code, but I cannot go through the folders.

Code:
# ---
# step 4 CREATE PUBLIC FOLDER
# ---

for A_PUB_FOLDER in "$PUB_GOUPS" ; do

    if [[ "$A_PUB_FOLDER" == "/" ]] ; then
        echo "ERROR - THIS PUBLIC FOLDER IS NOT DEFINED : \"$A_PUB_FOLDER\" "
        echo "EXITING ..."
        exit $E_BAD_PARAM
    fi
    #
    echo
    echo "--------------------------"
    echo "Doing : $A_PUB_FOLDER"
    echo "--------------------------"
    echo
    #
    # Remove acl
    #
    CMD="setfacl -b $A_PUB_FOLDER"  #//remove acl
    echo "COMMAND : $CMD"
    ${CMD}
    #
    mkdir -pv $A_PUB_FOLDER
    chmod -v +t $A_PUB_FOLDER                   #//set sticky bit
    chmod -v +x $A_PUB_FOLDER                   #//set execute bit
    #
    chown -Rv publicuser:publicuser $A_PUB_FOLDER
    #
    setfacl -R -m u::rw- $A_PUB_FOLDER  #//set user to rw-
    setfacl -R -m g::r-- $A_PUB_FOLDER  #//set group to r--
    setfacl -R -m g:publicuser:rw- $A_PUB_FOLDER  #//set group publicuser to rw-
    setfacl -R -m o::--- $A_PUB_FOLDER  #//set other to ---
    # Set default
    setfacl -R -d -m u::rw- $A_PUB_FOLDER   #//set user rw- default
    setfacl -R -d -m o::--- $A_PUB_FOLDER   #//set other ---  default
    setfacl -R -d -m g::r-- $A_PUB_FOLDER  #//set group to r-- default
    setfacl -R -d -m g:publicuser:rw- $A_PUB_FOLDER  #//set group publicuser to rw- default
    #
done
#

The execute bit is not set on the folders.

Any help is welcome

# 2  
Old 04-14-2017
Try using the sticky bit, like the way the /tmp directory is set up.
Apply the sticky bit to all directories, and set ownership of them to publicuser.
ACLs will work but are complex, as you found.

Example:
Code:
chown -R publicuser:publicuser $A_PUB_FOLDER
chmod 1770 $( find $A_PUB_FOLDER -type d )

# 3  
Old 04-16-2017
Quote:
Originally Posted by jim mcnamara
Try using the sticky bit, like the way the /tmp directory is set up.
Apply the sticky bit to all directories, and set ownership of them to publicuser.
ACLs will work but are complex, as you found.

Example:
Code:
chown -R publicuser:publicuser $A_PUB_FOLDER
chmod 1770 $( find $A_PUB_FOLDER -type d )

  1. chmod 1770 seems not to be sufficient
    1. ==> Folder not accessible
    2. files belong to user_name:users (users is the universal group for all users), not to 'user_name:publicuser'

  2. Changing to chmod 3770 seems not fully sufficient
    1. files belong to 'user_name:publicuser' ==> OK
    2. But users can edit files only with vi in a terminal session, not with kate (GUI).


see full logs : SUSE Paste

Any help is welcome

---------- Post updated at 18:28 ---------- Previous update was at 18:05 ----------

Forget the previous thread.

I think users cannot write because the files have an effective mask of r--.

Code:
user_test2@MY-SERVER-LINUX:~> getfacl /d_pub_folder/user_test1
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder/user_test1
# owner: publicuser
# group: publicuser
# flags: -st
user::rwx
group::---
group:publicuser:rwx
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:publicuser:rwx
default:mask::rwx
default:other::---

user_test2@MY-SERVER-LINUX:~> getfacl /d_pub_folder/user_test1/test_creation_user_test1_01.txt
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder/user_test1/test_creation_user_test1_01.txt
# owner: user_test1
# group: publicuser
user::rw-
group::---
group:publicuser:rwx            #effective:r--
mask::r--
other::r--

user_test2@MY-SERVER-LINUX:~>

After logging out and in again, it is not possible to edit files that you don't own yourself with vi or kate.
I suppose this is because the effective mask is r--.

Any help is welcome

---------- Post updated at 18:50 ---------- Previous update was at 18:28 ----------

I have read that it is possible to define a mask.
I will give it a try and report back.

---------- Post updated at 20:35 ---------- Previous update was at 18:50 ----------

I have set the mask:
Code:
    setfacl -R -m u::rwx $A_PUB_FOLDER   #//set  user to rwx
    setfacl -R -m g::--- $A_PUB_FOLDER   #//set group to ---
    setfacl -R -m o::--- $A_PUB_FOLDER   #//set other to ---
    setfacl -R -m g:publicuser:rwx $A_PUB_FOLDER  #//set group publicuser to rwx
    # Set default
    setfacl -R -d -m u::rwx $A_PUB_FOLDER   #//set user  rwx default
    setfacl -R -d -m o::--- $A_PUB_FOLDER   #//set other --- default
    setfacl -R -d -m g::--- $A_PUB_FOLDER   #//set group --- default
    setfacl -R -d -m g:publicuser:rwx $A_PUB_FOLDER  #//set group publicuser to rwx default
    # set mask
    setfacl -R -m m::rwx $A_PUB_FOLDER   #//set  mask to rwx
    setfacl -R -d -m m::rwx $A_PUB_FOLDER   #//set  mask to rwx default (the -m option was missing)
    #

Nothing new.
OK ==> users not in group publicuser cannot access folders owned by publicuser.
OK ==> users in group publicuser can create/edit files they own in any folder owned by publicuser.
bad ==> A user (belonging to publicuser) in their own folder cannot edit files created by other users (belonging to group publicuser).
bad ==> until a user (belonging to publicuser) edits or creates a file, the file mask returns to r--
Code:
user_test1@MY-SERVER-LINUX:~> getfacl /d_pub_folder/user_test1/*
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder/user_test1/new_file_01.txt
# owner: user_test1
# group: publicuser
user::rw-
group::---
group:publicuser:rwx            #effective:r--
mask::r--
other::r--

# file: d_pub_folder/user_test1/test_user_test1_01.txt
# owner: user_test1
# group: publicuser
user::rw-
group::---
group:publicuser:rwx            #effective:rw-
mask::rw-
other::---

# file: d_pub_folder/user_test1/test_user_test2_02.txt
# owner: user_test2
# group: publicuser
user::rw-
group::---
group:publicuser:rwx            #effective:rw-
mask::rw-
other::---

# file: d_pub_folder/user_test1/test_user_test2_02.txt~
# owner: user_test1
# group: publicuser
user::rw-
group::---
group:publicuser:rwx            #effective:rw-
mask::rw-
other::---

# file: d_pub_folder/user_test1/test_user_test2_03.txt
# owner: user_test1
# group: publicuser
user::rw-
group::---
group:publicuser:rwx            #effective:r--
mask::r--
other::r--


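Added example, not code from the thread or from any poster: a Python model of the acl(5) rules that produce the "#effective:" annotations and the r-- masks in the getfacl output above. The directory's default entries are constructed from the /d_pub_folder/user_test1 listing; the create modes 0644 and 0664 are assumptions standing in for what an application requests when it creates a file, and decode_flags only reads the "# flags:" field (setuid, setgid, sticky, in that order).

```python
"""Added model of the POSIX ACL rules (acl(5)) behind this thread's getfacl output: the mask caps
named users and groups plus the owning group; a new file's mask is default mask & create-mode group bits."""

PERM = {"r": 4, "w": 2, "x": 1}

def to_bits(perms):
    return sum(v for k, v in PERM.items() if k in perms)

def to_perms(bits):
    return "".join(k if bits & v else "-" for k, v in PERM.items())

def decode_flags(flags):
    """getfacl's '# flags:' field lists setuid, setgid, sticky in that order ('s--', '--t', '-st')."""
    return {name: flags[i] != "-" for i, name in enumerate(("setuid", "setgid", "sticky"))}

def parse_getfacl(text):
    """Parse one getfacl stanza into {(scope, type, qualifier): bits}; scope is 'access' or 'default'."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drops '# file:' headers and '#effective:' notes
        if line:
            parts = line.split(":")
            scope = "default" if parts[0] == "default" else "access"
            etype, qual, perms = parts[1:] if scope == "default" else parts
            acl[(scope, etype, qual)] = to_bits(perms)
    return acl

def effective(acl, scope="access"):
    """Permissions as the kernel grants them: the mask caps every entry except owner and other."""
    mask = acl.get((scope, "mask", ""))
    out = {}
    for (s, etype, qual), bits in acl.items():
        if s == scope:
            capped = mask is not None and etype in ("user", "group") and (qual or etype == "group")
            out[(etype, qual)] = to_perms(bits & mask if capped else bits)
    return out

def inherit(dir_acl, create_mode):
    """Access ACL of a new file in a directory with a default ACL: umask is not applied, the default
    entries are copied, then owner/mask/other are ANDed with the matching bits of create_mode."""
    new = {("access", t, q): b for (s, t, q), b in dir_acl.items() if s == "default"}
    u, g, o = (create_mode >> 6) & 7, (create_mode >> 3) & 7, create_mode & 7
    new[("access", "user", "")] &= u
    gkey = ("access", "mask", "") if ("access", "mask", "") in new else ("access", "group", "")
    new[gkey] &= g
    new[("access", "other", "")] &= o
    return new

# Constructed from the default entries the poster showed for /d_pub_folder/user_test1.
DIR_ACL = parse_getfacl("""
default:user::rwx
default:group::---
default:group:publicuser:rwx
default:mask::rwx
default:other::---
""")

def publicuser_access_for(create_mode):
    """Effective permission group publicuser gets on a file created with create_mode (assumed mode)."""
    return effective(inherit(DIR_ACL, create_mode))[("group", "publicuser")]
```

A file created with mode 0644 inherits mask r-- (so group publicuser is capped to r-- exactly as the "#effective:r--" lines show), while 0664 leaves rw-.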
# 4  
Old 04-21-2017
Why are ACLs being used here? Is this a network filesystem or some other such thing where it might be required?
# 5  
Old 04-25-2017
Quote:
Originally Posted by Corona688
Why are ACLs being used here? Is this a network filesystem or some other such thing where it might be required?
For the moment it is on a simple Linux multi-user box.

As said in post #1:
Quote:
A group 'publicuser' has been created.
A user 'publicuser' has been created (no login, no home) and belongs to group 'publicuser'.
A public folder '/doc' has been created and its owner is publicuser:publicuser.
  1. All users belonging to group 'publicuser' can create folders under '/doc'.
  2. All users belonging to group 'publicuser' can create folders in other users' folders as long as they reside under '/doc'. Users' folders are just non-private folders.
  3. All users belonging to group 'publicuser' can read, write and modify any type of file everywhere, independently of who the owner is, as long as they reside under '/doc'.
  4. Only the owner can delete objects.
  5. Files cannot be executed.
You can't do that with just chmod. You need ACLs.
Everybody can do any action in the folder /doc (or any sub-folder). But in that folder (or sub-folders) they may not delete any object they do not own.
# 6  
Old 04-25-2017
Quote:
Originally Posted by jcdole
Everybody can do any action in the folder /doc (or any sub-folder). But in that folder (or sub-folders) they may not delete any object they do not own.
You can do that with just chmod, ACLs not needed. Set the folder U+S, just like they do on /tmp/, and you will only be able to delete your own files. G+S has a different meaning: it forces the group of created files to be the same group as the directory.

[edit] Jim already suggested this a week ago.
# 7  
Old 04-26-2017
Quote:
Originally Posted by Corona688
You can do that with just chmod, ACLs not needed. Set the folder U+S, just like they do on /tmp/, and you will only be able to delete your own files. G+S has a different meaning: it forces the group of created files to be the same group as the directory.

[edit] Jim already suggested this a week ago.
As I have already said, that does not do what I want.

Using G+S in PUBLIC SHARED FOLDER
a) deletion of not owned files forbidden : OK
b) creation in user's folder : OK
c) creation in other user's folder : OK
d) editing files owned by others in its own user's folder : KO access denied
e) editing files owned by others in any other folder (owned or not owned) : KO access denied

files are marked as
user::rw-
group::r--
other::r--

My test script in pseudo code :
Code:
chown -R publicuser:publicuser $A_PUB_FOLDER
chmod u+s $( find $A_PUB_FOLDER -type d )


test script : acl_sample_11.sh
see details : SUSE Paste


su to root

for each public folder
step 1 remove all acl
step 2 remove all files and subdirectories
step 3 create $A_PUB_FOLDER
step 4 chown -Rv publicuser:publicuser $A_PUB_FOLDER
        chmod -v 0770 $( find $A_PUB_FOLDER -type d )
        chmod -v u+s $( find $A_PUB_FOLDER -type d )

step 5 if $A_PUB_FOLDER == $A_SPECIFIC_PUB_FOLDER
    step 5-a  create another subfolder $A_SPECIFIC_PUB_FOLDER/SOME_FOLDER
    step 5-b
        chown -Rv publicuser:publicuser $A_SPECIFIC_PUB_FOLDER/SOME_FOLDER
        chmod -v 0770 $( find $A_SPECIFIC_PUB_FOLDER/SOME_FOLDER -type d )
        chmod -v u+s $( find $A_SPECIFIC_PUB_FOLDER/SOME_FOLDER -type d )
step 7 for some user in list
    step 7-a
        create sub folder $A_PUB_FOLDER/$A_USER
    step 7-b
        chown -Rv publicuser:publicuser $A_PUB_FOLDER/$A_USER
        chmod -v 0770 $( find $A_PUB_FOLDER/$A_USER -type d )
        chmod -v u+s $( find $A_PUB_FOLDER/$A_USER -type d )
step 8
    step 8-a su to user1 ; create test file in $A_PUB_FOLDER/user1
    step 8-b su to user2 ; create test file in $A_PUB_FOLDER/user2
    step 8-c as user2 ; create test file in $A_PUB_FOLDER/user1

step 9
print acl for user1 and user2
Code:
MY-SERVER-LINUX:~ # getfacl /d_pub_folder
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder
# owner: publicuser
# group: publicuser
# flags: s--
user::rwx
group::rwx
other::---

MY-SERVER-LINUX:~ # getfacl /d_pub_folder/user_test1
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder/user_test1
# owner: publicuser
# group: publicuser
# flags: s--
user::rwx
group::rwx
other::---

MY-SERVER-LINUX:~ # getfacl /d_pub_folder/user_test1/*
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder/user_test1/test_user_test1_03.txt
# owner: user_test1
# group: users
user::rw-
group::r--
other::r--

# file: d_pub_folder/user_test1/test_user_test2_04.txt
# owner: user_test2
# group: users
user::rw-
group::r--
other::r--

MY-SERVER-LINUX:~ # getfacl /d_pub_folder/user_test2
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder/user_test2
# owner: publicuser
# group: publicuser
# flags: s--
user::rwx
group::rwx
other::---

MY-SERVER-LINUX:~ # getfacl /d_pub_folder/user_test2/*
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder/user_test2/test_user_test2_03.txt
# owner: user_test2
# group: users
user::rw-
group::r--
other::r--

=+=+=+=+=+=+=+=+=+=+=+=+=+=

Quote:
Originally Posted by jim mcnamara
Try using the sticky bit, like the way the /tmp directory is set up.
Apply the sticky bit to all directories, and set ownership of them to publicuser.
ACLs will work but are complex, as you found.

Example:
Code:
chown -R publicuser:publicuser $A_PUB_FOLDER
chmod 1770 $( find $A_PUB_FOLDER -type d )

does not work;
same comments as above.

My script in pseudo code :
Code:
chown -R publicuser:publicuser $A_PUB_FOLDER
chmod 1770 $( find $A_PUB_FOLDER -type d )



test script : acl_sample_10.sh
see details : SUSE Paste

su to root

for each public folder
step 1 remove all acl
step 2 remove all files and subdirectories
step 3 create $A_PUB_FOLDER
step 4 chown -Rv publicuser:publicuser $A_PUB_FOLDER
        chmod -v 1770 $( find $A_PUB_FOLDER -type d )
step 5 if $A_PUB_FOLDER == $A_SPECIFIC_PUB_FOLDER
    step 5-a  create another subfolder $A_SPECIFIC_PUB_FOLDER/SOME_FOLDER
    step 5-b
        chown -Rv publicuser:publicuser $A_SPECIFIC_PUB_FOLDER/SOME_FOLDER
        chmod -v 1770 $( find $A_SPECIFIC_PUB_FOLDER/SOME_FOLDER -type d )
step 7 for some user in list
    step 7-a
        create sub folder $A_PUB_FOLDER/$A_USER
    step 7-b
        chown -Rv publicuser:publicuser $A_PUB_FOLDER/$A_USER
        chmod -v 1770 $( find $A_PUB_FOLDER/$A_USER -type d )
step 8
    step 8-a su to user1 ; create test file in $A_PUB_FOLDER/user1
    step 8-b su to user2 ; create test file in $A_PUB_FOLDER/user2
    step 8-c as user2 ; create test file in $A_PUB_FOLDER/user1

step 9
print acl for user1 and user2
Code:
MY-SERVER-LINUX:~ # getfacl /d_pub_folder
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder
# owner: publicuser
# group: publicuser
# flags: --t
user::rwx
group::rwx
other::---

MY-SERVER-LINUX:~ # getfacl /d_pub_folder/user_test1
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder/user_test1
# owner: publicuser
# group: publicuser
# flags: --t
user::rwx
group::rwx
other::---

MY-SERVER-LINUX:~ # getfacl /d_pub_folder/user_test1/*
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder/user_test1/test_user_test1_03.txt
# owner: user_test1
# group: users
user::rw-
group::r--
other::r--

# file: d_pub_folder/user_test1/test_user_test2_04.txt
# owner: user_test2
# group: users
user::rw-
group::r--
other::r--

MY-SERVER-LINUX:~ # getfacl /d_pub_folder/user_test2
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder/user_test2
# owner: publicuser
# group: publicuser
# flags: --t
user::rwx
group::rwx
other::---

MY-SERVER-LINUX:~ # getfacl /d_pub_folder/user_test2/*
getfacl: Removing leading '/' from absolute path names
# file: d_pub_folder/user_test2/test_user_test2_03.txt
# owner: user_test2
# group: users
user::rw-
group::r--
other::r--

Any help is welcome