I have an application user on my system that wants accesses to these file systems as such:
rwx:
/SAPO
/SAPS12
/R3_888
/R3_888B
/R3_888F
/R3_888R
r:
/usr/sap
these are the existing FS permissionswnerships:
Code:
[root@H99A100 ~]# ls -ld /SAPO
drwxrwxr-x 64 ZODCIFUSR ODCgrp 12288 Nov 25 11:02 /SAPO
[root@H99A100 ~]# ls -ld /SAPS12
drwxrwxr-x 5 s12adm ODCgrp 4096 Nov 7 13:49 /SAPS12
[root@H99A100 ~]# ls -ld /R3_888
drwxrwxr-x 129 s12adm ODCgrp 4096 Nov 10 09:56 /R3_888
[root@H99A100 ~]# ls -ld /R3_888B
drwxrwxr-x 31 s12adm ODCgrp 4096 Nov 7 15:03 /R3_888B
[root@H99A100 ~]# ls -ld /R3_888F
drwxrwxr-x 43 s12adm ODCgrp 4096 Nov 21 17:16 /R3_888F
[root@H99A100 ~]# ls -ld /R3_888R
drwxrwxr-x 4 s12adm ODCgrp 4096 Nov 7 15:03 /R3_888R
[root@H99A100 ~]# ls -ld /usr/sap
drwxrwxr-x 5 s12adm sapsys 4096 Oct 25 22:16 /usr/sap
the user:
Code:
[root@H99A100 ~]# id ZODCIFUSR
uid=2020(ZODCIFUSR) gid=200(ODCgrp) groups=200(ODCgrp),0(root) context=root:system_r:unconfined_t:SystemLow-SystemHigh
so how do i go by providing user ZODCIFUSR access to the file systems stated above without setting ACLs on the system? (or is ACLs the only way to do it?)
right now, he's in group 0, so he can pretty much access all the FS but this is just a temp workaround
I was thinking of adding the user to supplementary groups on which the FS are grouped (i.e. sapsys, ODCgrp)
please help, if ACLs is the way to do it, please let me know because i am not very good with the commands
From the looks of the list, it seems everybody has access (read access at least) to those files, not just "ZODCIFUSR".
Anyway, you can remove that user from GID 0 and it should still work fine since most of the folders also belong to GID 200.
The only "problem" I see is with /usr/sap. Either you take away permissions from the whole group and make ZODCIFUSR a member of secondary group "sapsys", or you use ACLs.
I thought of the same thing, there's no reason giving fancy restriction to the user unless he's removed from group 0, and ACL does have mysterious ways working with permissions and maskings
If I were to use ACLs, say to allow user ZODCIFUSR to have read only access for directory and files under /usr/sap, how would the command be? Is this correct?
Code:
setfacl -m d u:ZODCIFUSR /usr/sap
Also I did a bit of Googling and it says that the permissions and ownerships are inherited; even after using mv or cp -p command. Is this true?
Before you can assign an ACL, you have to make sure that the filesystem supports them:
Code:
tune2fs -l /dev/sdX/ | grep options
If you run mount you may also get the details. There should be an "acl" option somewhere in the mount options.
If it does not support ACLs, you can always remount the filesystem:
Code:
mount -o remount,acl /usr/sap
Having said so, your ACL command is almost correct:
Code:
setfacl -m d:u:ZODCIFUSR:r /usr/sap
When an ACLs (POSIX ACL) is set on a directory, all new files created inside inherit the default ACL. If for some reason you want to copy a file that has an ACL to a directory that does not use ACLs, both cp -p and mv will preserve the original ACL.
Last edited by verdepollo; 12-20-2011 at 04:59 PM..
This User Gave Thanks to verdepollo For This Post:
Thank you verdepollo, I checked my disks and the partition, none of them even show any output when i run the tune2fs -l command (output shows the result for one of the disk)
Code:
[root@H99A100 dev]# ls -lrt sd*
brw-r----- 1 root disk 8, 2 Nov 22 22:30 sda2
brw-r----- 1 root disk 8, 0 Nov 22 22:30 sda
brw-r----- 1 root disk 8, 1 Nov 22 22:31 sda1
brw-r----- 1 root disk 8, 3 Nov 25 15:14 sda3
brw-r----- 1 root disk 8, 16 Nov 28 13:46 sdb
brw-r----- 1 root disk 8, 32 Nov 28 13:46 sdc
[root@H99A100 dev]#
[root@H99A100 dev]# tune2fs -l /dev/sdb
tune2fs 1.39 (29-May-2006)
tune2fs: Bad magic number in super-block while trying to open /dev/sdb
Couldn't find valid filesystem superblock.
none of the existing FS on the system is ACL supported, as per mount command
Code:
/dev/mapper/vgSAP-lv_s12_03 on /usr/sap/trans type ext3 (rw)
I doubt the client will agree with remounting the FS with acl mount option, but would it possible to create ACL anyways, without the FS mount options being ADL enabled? What would be the consequences to this?
Thanks again for the full command, I've always been wary of ACLs
---------- Post updated at 06:45 PM ---------- Previous update was at 06:27 PM ----------
So I tested this on my test server, but the weird thing is when I did mount, all the other FS but /tmp is acl enabled, even after manually enabling acl for /tmp
Code:
my-xftp0:~ # tune2fs -l /dev/sda8
tune2fs 1.41.9 (22-Aug-2009)
Filesystem volume name: <none>
Last mounted on: <not available>
Filesystem UUID: 1d4351d3-dbf5-42b8-9b78-a29b7dcf5e9c
Filesystem magic number: 0xEF53
Filesystem revision #: 1 (dynamic)
Filesystem features: has_journal ext_attr resize_inode dir_index filetype needs_recovery sparse_super large_file
Filesystem flags: signed_directory_hash
Default mount options: (none)
Filesystem state: clean
Errors behavior: Continue
Filesystem OS type: Linux
Inode count: 655360
Block count: 2620603
Reserved block count: 131030
Free blocks: 2537308
Free inodes: 655216
First block: 0
Block size: 4096
Fragment size: 4096
Reserved GDT blocks: 639
Blocks per group: 32768
Fragments per group: 32768
Inodes per group: 8192
Inode blocks per group: 512
Filesystem created: Thu Nov 17 11:44:04 2011
Last mount time: Wed Dec 7 15:30:06 2011
Last write time: Wed Dec 7 15:30:06 2011
Mount count: 8
Maximum mount count: -1
Last checked: Thu Nov 17 11:44:04 2011
Check interval: 0 (<none>)
Reserved blocks uid: 0 (user root)
Reserved blocks gid: 0 (group root)
First inode: 11
Inode size: 256
Required extra isize: 28
Desired extra isize: 28
Journal inode: 8
Default directory hash: half_md4
Directory Hash Seed: b38a25f8-9d33-45c8-81ef-b51c55d4fba2
Journal backup: inode blocks
check out the FS in blue, they were acl enabled all along
Code:
my-xftp0:~ # mount
/dev/sda1 on / type ext3 (rw,acl,user_xattr)
proc on /proc type proc (rw)
sysfs on /sys type sysfs (rw)
debugfs on /sys/kernel/debug type debugfs (rw)
devtmpfs on /dev type devtmpfs (rw,mode=0755)
tmpfs on /dev/shm type tmpfs (rw,mode=1777)
devpts on /dev/pts type devpts (rw,mode=0620,gid=5)
/dev/sda2 on /boot/efi type vfat (rw,noexec,nosuid,nodev,gid=100,umask=0002,utf8=true)
/dev/sda4 on /home type ext3 (rw,acl,user_xattr)
/dev/sda7 on /opt type ext3 (rw,acl,user_xattr)
/dev/sda8 on /tmp type ext3 (rw)
/dev/sda5 on /usr type ext3 (rw,acl,user_xattr)
/dev/sda6 on /var type ext3 (rw,acl,user_xattr)
fusectl on /sys/fs/fuse/connections type fusectl (rw)
securityfs on /sys/kernel/security type securityfs (rw)
Sometimes ACL support is defined on the superblock, even if /proc/partitions, /etc/mtab, /etc/fstab, tune2fs, etc do not explicitly report ACL support.
I'm trying to use squid to restrict elinks' access to certain websites(only http traffic).
I have tried some configs in squid.conf but no luck. Hope someone has a bit of time to explain me how can you make these config's :)
---------- Post updated at 05:40 PM ---------- Previous update was at... (1 Reply)
Linux ubuntu 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:56:25 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
Hi Folks,
Please help me. I am bit struck here.
Here is the OS info.
Linux ubuntu 3.0.0-12-generic #20-Ubuntu SMP Fri Oct 7 14:56:25 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
I have a... (17 Replies)
Hi
I have requirement to create 3 new users on my server but to restrict their access to a set of particular folders.
/export/home/kapil/shared,
/export/home/kapil/shared/Folder1
/export/home/kapil/shared/Folder2
These folders should be accessible to all the 3 users and to me too.... (1 Reply)
Hi All!
I would like to know if there is any specific way by which I can restrict access to apecific users (ip addresses).
OS : Red hat linux
Thanks!
nua7 (6 Replies)
Hi!
i'm using FreeBSD 6.2 and hosting my pc to frens
in particular of sensitive information being saved to the PC, i would like to know is it possible for me to restrict user access to their /home dir. only?
and also, i wanted to restrict them listing files under /etc
thanks all! (10 Replies)
Hi All,
It will be very great if you can help me in this issue. Thanks in advance.
I need to enable FTP on a solaris9 server. I need to create a new user some "xxxxxx" and he can only FTP the files to and from between /tftpboot directory and network devices. Other users should not... (8 Replies)
Hi all,
I am using RHEL 5.0
I need a user say test to have full access to two directories, say /tmp1 & /tmp2 only other than his home directory.
I do not want to change his login shell which is ksh or bash by default.
Moreover, he should not even have read access of other directories.
... (10 Replies)
Hi
Is there any way to restrict the TCP-IP port usage.
I want to restrict TCP-IP port 1500/1550 to the oracle osuser.
Tanks in advance.
Remi (2 Replies)