
From a bash shell script, I am creating a folder and storing the mysqldump there. I am sure that there is no command related to permissions in my script. To allow another user to access these files, I have used ACL, but when he tried to access the file, he got a permission denied error, and the issue is with the effective permissions of the ACL.

The owner of the directory is ola, the new user who is trying to access the folder is uber, and the folder is gettaxi.

Permissions of Parent directory

[/omega/olabooktmp]# getfacl .
# file: .
# owner: ola
# group: ola
user::rwx
user:uber:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:uber:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

Permissions of Child directory

[/omega/olabooktemp]# getfacl gettaxi/
# file: gettaxi/
# owner: ola
# group: ola
user::rwx
user:uber:rwx       #effective:---
group::r-x          #effective:---
mask::---
other::---
default:user::rwx
default:user:uber:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

I see that for the new directory gettaxi the mask permissions are mask::---, so I think this is causing the issue, but I am unable to understand it completely, or how to solve it.

Any suggestions greatly appreciated.

Thank you.


4 Answers


You can change the mask with the following command:

setfacl -m m:rwx filename/directory

If I understand your question well, user ola is creating files in the directory /omega/olabooktmp/gettaxi

and you want to restrict access to those files, while granting access to user uber.

Note: /omega/olabooktmp/gettaxi is owned by ola

Let's start without ACL yet:

ls -ld /omega/olabooktmp/gettaxi
drwxr-x--- 2 ola ola 4096 mars  21 08:16 /omega/olabooktmp/gettaxi

In order to grant rwx permission to uber using ACL you can use:

setfacl -m u:uber:rwx,d:u:uber:rwX,o:--- /omega/olabooktmp/gettaxi

This allows user uber rwx rights on the folder /omega/olabooktmp/gettaxi, and also grants rwx as default (the d: and X). It grants permission on files previously present in the folder and gives inherited grants to new files. It also removes all permission from other, for restriction, of course. The owner still has its own permissions.

The result:

getfacl /omega/olabooktmp/gettaxi
getfacl: Removing leading '/' from absolute path names
# file: omega/olabooktmp/gettaxi
# owner: ola
# group: ola
user::rwx
user:uber:rwx
group::r-x
mask::rwx
other::---
default:user::rwx
default:user:uber:rwx
default:group::r-x
default:mask::rwx
default:other::---

Testing:

ola creates some files (run as root):

su - ola -c "for i in {1..3}; do date > /omega/olabooktmp/gettaxi/$RANDOM; done"

Result:

ls -l /omega/olabooktmp/gettaxi/
total 32
-rw-r----- 1 ola users 32 mars  21 08:43 17606
-rw-r----- 1 ola users 32 mars  21 08:43 22286
-rw-r----- 1 ola users 32 mars  21 08:42 31484
-rw-r----- 1 ola users 32 mars  21 08:43 31848
-rw-r----- 1 ola users 32 mars  21 08:42 667
-rw-r----- 1 ola users  4 mars  21 08:16 one
-rw-r----- 1 ola users  6 mars  21 08:16 three
-rw-r----- 1 ola users  4 mars  21 08:16 two

Can't be accessed by a normal user (run as root):

su - debian -c "ls -l /omega/olabooktmp/gettaxi"
ls: cannot open directory '/omega/olabooktmp/gettaxi': Permission denied

But uber can (run as root):

su - uber -c "ls -l /omega/olabooktmp/gettaxi"
total 32
-rw-r----- 1 ola users 32 Mar 21 08:43 17606
-rw-r----- 1 ola users 32 Mar 21 08:43 22286
-rw-r----- 1 ola users 32 Mar 21 08:42 31484
-rw-r----- 1 ola users 32 Mar 21 08:43 31848
-rw-r----- 1 ola users 32 Mar 21 08:42 667
-rw-r----- 1 ola users  4 Mar 21 08:16 one
-rw-r----- 1 ola users  6 Mar 21 08:16 three
-rw-r----- 1 ola users  4 Mar 21 08:16 two

If you mangle your ACL with some tests, you can remove all ACLs with:

setfacl -R -b /omega/olabooktmp/gettaxi

And start again.


Yes, the mask is lowering the permissions. The effective permission is the AND of a permission and the mask. (user:: (the owning user) and other:: are not affected by the mask.)

You can change the mask with, e.g., setfacl -m m:r-x file-name.

When you do an ls -l, if the mode ends with a +, then the middle mode bits (traditionally the group bits) are the mask.

Sometimes the mode bits are set according to the group bits in umask. I have not yet worked out the rules as to when this happens and when the default mask is used. Using cp to copy a file seems to use the umask.

A workaround

Ensure that users have their own group, and that this is set to the default group. Then set the umask to 007.
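The rule this answer states (effective permission = entry AND mask, with user:: and other:: exempt), as an added example that is not from the thread: a POSIX sh function that recomputes getfacl's "#effective:" column from a listing, fed a constructed copy of the question's child-directory ACL (mask::---). Changing that mask to rwx, as the answer suggests, makes the effective column match the entries again.

```shell
#!/bin/sh
# Added example (not from the thread): compute the "#effective:" column that
# getfacl shows, i.e. each masked entry ANDed with mask::. As the answer says,
# user:: (the owner) and other:: are never masked; user:NAME, group:: and
# group:NAME are. A listing with no mask:: line is treated as mask rwx.

# and_perms PERMS MASK -> AND of two rwx triplets, e.g. rwx r-x -> r-x
and_perms() {
    p=$1 m=$2 out="" i=1
    while [ "$i" -le 3 ]; do
        pc=$(printf '%s' "$p" | cut -c"$i")
        mc=$(printf '%s' "$m" | cut -c"$i")
        if [ -n "$pc" ] && [ "$pc" = "$mc" ]; then
            out="$out$pc"
        else
            out="$out-"
        fi
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# acl_effective: read a getfacl listing on stdin and print
# "ENTRY effective:PERMS" for every masked access entry (default: lines ignored)
acl_effective() {
    listing=$(cat)
    mask=$(printf '%s\n' "$listing" | sed -n 's/^mask::\([rwx-]*\).*/\1/p')
    [ -n "$mask" ] || mask=rwx
    printf '%s\n' "$listing" \
        | grep -E '^(user:[^:]+:|group:[^:]*:)' \
        | while IFS= read -r line; do
            # drop any existing "#effective:" comment and trailing spaces
            entry=$(printf '%s' "${line%%#*}" | sed 's/[[:space:]]*$//')
            perms=${entry##*:}
            printf '%s effective:%s\n' "$entry" "$(and_perms "$perms" "$mask")"
        done
}

# Constructed sample mirroring the question's child directory (mask::---)
SAMPLE='# file: gettaxi/
user::rwx
user:uber:rwx
group::r-x
mask::---
other::---
default:user:uber:rwx
default:mask::rwx'
printf '%s\n' "$SAMPLE" | acl_effective
```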


I suspect the behavior is a bug. I posted on this last month (see unix.stackexchange.com/questions/570795). What is happening is that the file permissions on the source file are being copied into the ACL mask by the cp command. This is what I would have expected for cp -p, not cp. I found that I can do copies by using cat:

cat afile > bfile

or by piping through tar

(cd A; tar -cf -) | (cd B; tar -xf -)

and the ACLs are respected as expected.

I also put up a bounty to have this cp behavior explained. No one explained it. I'm thinking of filing a bug report, i.e. that this should be the cp -p behavior, not the vanilla cp behavior. (And the system deducted the bounty points even though no one could provide an answer. I was surprised by that also.)
