I went through the ACL threads that were posted in the past but none were matching to my requirement . Hence starting a new thread .
Challenge :
user : a
group : Test1
user: b
group: Test2
Say under user a i create dir /tmp/debug with the privilege of 755 and also setfacl as setfacl -m d:g:Test2:rwx /tmp/debug . Why is that i am still not able to create any files in the directory as the user b even though the group Test2 is been granted full access .
below is the demo for the same :
Oracle Linux Server release 6.2
Code:
[root tmp]# groupadd test1
[root tmp]# groupadd test2
[root tmp]# useradd -g test1 a
[root tmp]# useradd -g test2 b
[root tmp]# passwd a
Changing password for user a.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root tmp]# passwd b
Changing password for user b.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root tmp]# su - a
[a ~]$ cd /tmp
[a tmp]$ id a
uid=517(a) gid=1039(test1) groups=1039(test1)
[a tmp]$ id b
uid=518(b) gid=1042(test2) groups=1042(test2)
[a tmp]$ mkdir debug
[a tmp]$ ls -tld debug/
drwxr-xr-x 2 a test1 4096 Aug 10 16:02 debug/
[a tmp]$ chmod 755 debug
[a tmp]$ ls -tld debug/
drwxr-xr-x 2 a test1 4096 Aug 10 16:02 debug/
[a tmp]$ id
uid=517(a) gid=1039(test1) groups=1039(test1)
[a tmp]$ setfacl -m d:g:test2:rwx /tmp/debug
[a tmp]$ getfacl /tmp/debug
# file: tmp/debug
# owner: a
# group: test1
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:group:test2:rwx
default:mask::rwx
default:other::r-x
[a tmp]$ id
uid=517(a) gid=1039(test1) groups=1039(test1)
[a tmp]$ su - b
Password:
[b ~]$ cd /tmp/debug/
[b debug]$ touch 1
touch: cannot touch `1': Permission denied
[b debug]$ pwd
/tmp/debug
.
Any early response would be highly appreciated.
Thanks,
leo
Moderator's Comments:
Please view this code tag video for how to use code tags when posting code and data.
Last edited by Corona688; 08-10-2012 at 12:47 PM..
Hi all,
I've just been handled the responsibility for a FTP-site. Having no experiens of UNIX at all. And now one of my users needs to have full access to the usr directory and all it's subdirectories, don't know why just trying to do what the boss tells me. The type of UNIX is FreeBSD and the... (4 Replies)
Hello genius..!
what do y'all think of these questions...? help appreciated...!
Access Control Lists and privileges....
# Why both file ACLs and user permissions/privileges (not to be confused with rights in ACLs) are used in Windows access control (why not just use one of these)?
# In... (1 Reply)
Hi, I want to know what does the "effective" comment means in the output of the getfacl and whether it has to do with the acl mask...
thanks (0 Replies)
Hello,
I try to find what year HP-UX got support for ACL (Access Control List)? I know that HP-UX was the first Unix with ACL support, but it is very hard to find the information on when that occured.
So anyone here know when that did happen?
Any answers are appreciated,
/eXpander (1 Reply)
we have two Solaris 10 servers with same configuration and settings. We have hard mounted the NFS with the version 4.
In one of the server the newer ACL commands are working fine (chmod and ls -v) whereas in another only posix (getfacl and setfacl alone is working) when we try ls -V in in that... (13 Replies)
Folks,
Solaris 10 issue
When I add a new directory to a path, I only get the "group@" line in the ACL
The parent directory ACL is
drwxrws---+ 12 root teama 12 Jul 18 10:31 .
owner@:rwxp-DaARWc---:------:allow
group@:rwxp-DaARWc--s:fd----:allow
... (0 Replies)
hi,
i am facing problem with acls,
as a root i logged in and applied acl for directory(dir5),by using command
setfacl -m u:user1:rwx dir5
but when i logged in as user1 i am not able to access that folder even though i applied full permission to that directory as a root.can any one help me on... (2 Replies)
All,
I am trying to clear ACL's completely from all files and folders in a directory. I can get the directories as cleared as:
# owner: root
# group: root
user::rwx
group::r-x
other::rwx
default:user::rwx
default:group::r-x
default:other::r-x
What ever I do I can't remove the... (4 Replies)
Discussion started by: hburnswell
4 Replies
LEARN ABOUT OPENSOLARIS
getfacl
getfacl(1) User Commands getfacl(1)NAME
getfacl - display discretionary file information
SYNOPSIS
getfacl [-ad] file...
DESCRIPTION
For each argument that is a regular file, special file, or named pipe, the getfacl utility displays the owner, the group, and the Access
Control List (ACL). For each directory argument, getfacl displays the owner, the group, and the ACL and/or the default ACL. Only directo-
ries contain default ACLs.
The getfacl utility may be executed on a file system that does not support ACLs. It reports the ACL based on the base permission bits.
With no options specified, getfacl displays the filename, the file owner, the file group owner, and both the ACL and the default ACL, if it
exists.
OPTIONS
The following options are supported:
-a Displays the filename, the file owner, the file group owner, and the ACL of the file.
-d Displays the filename, the file owner, the file group owner, and the default ACL of the file, if it exists.
OPERANDS
The following operands are supported:
file The path name of a regular file, special file, or named pipe.
OUTPUT
The format for ACL output is as follows:
# file: filename
# owner: uid
# group: gid
user::perm
user:uid:perm
group::perm
group:gid:perm
mask:perm
other:perm
default:user::perm
default:user:uid:perm
default:group::perm
default:group:gid:perm
default:mask:perm
default:other:perm
When multiple files are specified on the command line, a blank line separates the ACLs for each file.
The ACL entries are displayed in the order in which they are evaluated when an access check is performed. The default ACL entries that may
exist on a directory have no effect on access checks.
The first three lines display the filename, the file owner, and the file group owner. Notice that when only the -d option is specified and
the file has no default ACL, only these three lines are displayed.
The user entry without a user ID indicates the permissions that are granted to the file owner. One or more additional user entries indi-
cate the permissions that are granted to the specified users.
The group entry without a group ID indicates the permissions that are granted to the file group owner. One or more additional group
entries indicate the permissions that are granted to the specified groups.
The mask entry indicates the ACL mask permissions. These are the maximum permissions allowed to any user entries except the file owner, and
to any group entries, including the file group owner. These permissions restrict the permissions specified in other entries.
The other entry indicates the permissions that are granted to others.
The default entries may exist only for directories. These entries indicate the default entries that are added to a file created within the
directory.
The uid is a login name or a user ID if there is no entry for the uid in the system password file, /etc/passwd. The gid is a group name or
a group ID if there is no entry for the gid in the system group file, /etc/group. The perm is a three character string composed of the let-
ters representing the separate discretionary access rights: r (read), w (write), x (execute/search), or the place holder character -. The
perm is displayed in the following order: rwx. If a permission is not granted by an ACL entry, the place holder character appears.
If you use the chmod(1) command to change the file group owner permissions on a file with ACL entries, both the file group owner permis-
sions and the ACL mask are changed to the new permissions. Be aware that the new ACL mask permissions may change the effective permissions
for additional users and groups who have ACL entries on the file.
In order to indicate that the ACL mask restricts an ACL entry, getfacl displays an additional tab character, pound sign (#), and the
actual permissions granted, following the entry.
EXAMPLES
Example 1 Displaying file information
Given file foo, with an ACL six entries long, the command
host% getfacl foo
would print:
# file: foo
# owner: shea
# group: staff
user::rwx
user:spy:---
user:mookie:r--
group::r--
mask::rw-
other::---
Example 2 Displaying information after chmod command
Continue with the above example, after chmod 700 foo was issued:
host% getfacl foo
would print:
# file: foo
# owner: shea
# group: staff
user::rwx
user:spy:---
user:mookie:r-- #effective:---
group::---
mask::---
other::---
Example 3 Displaying information when ACL contains default entries
Given directory doo, with an ACL containing default entries, the command
host% getfacl -d doo
would print:
# file: doo
# owner: shea
# group: staff
default:user::rwx
default:user:spy:---
default:user:mookie:r--
default:group::r--
default:mask::---
default:other::---
FILES
/etc/passwd system password file
/etc/group group file
ATTRIBUTES
See attributes(5) for descriptions of the following attributes:
+-----------------------------+-----------------------------+
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
+-----------------------------+-----------------------------+
|Availability |SUNWcsu |
+-----------------------------+-----------------------------+
|Interface Stability |Evolving |
+-----------------------------+-----------------------------+
SEE ALSO chmod(1), ls(1), setfacl(1), acl(2), aclsort(3SEC), group(4), passwd(4), attributes(5)NOTES
The output from getfacl is in the correct format for input to the setfacl -f command. If the output from getfacl is redirected to a file,
the file may be used as input to setfacl. In this way, a user may easily assign one file's ACL to another file.
SunOS 5.11 5 Nov 1994 getfacl(1)
08-10-2012
