I have looked through the answers to similar questions and refreshed my memory on ACLs by reading tutorials on Linux ACLs. Yet, I am still stumped. What have I done wrong, or what do I not understand?
I have a file system mounted with the acl option.
user@host:/srv$ grep srv /etc/fstab
UUID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx /srv ext4 relatime,nodev,nosuid,user_xattr,acl 0 2
The user, user, is a member of the devs group.
user@host:/srv$ id
uid=1000(user) gid=1000(user) groups=1000(user),24(cdrom),25(floppy),27(sudo),29(audio),30(dip),44(video),46(plugdev),1001(devs)
The umask is normal.
user@host:/srv$ umask
0022
A directory is created; group ownership and permissions are set.
user@host:/srv$ sudo mkdir lib; sudo chmod 0750 lib && sudo chgrp www-data lib
user@host:/srv$ ls -l
total 24
drwxr-x--- 2 root www-data  4096 May 21 18:00 lib
drwx------ 2 root root     16384 Feb 17 18:22 lost+found
drwxr-xr-x 3 root www-data  4096 May 21 17:25 www
An ACL is applied to the new directory.
user@host:/srv$ sudo setfacl -d -m g:devs:5 lib/
user@host:/srv$ getfacl lib
# file: lib
# owner: root
# group: www-data
user::rwx
group::r-x
other::---
default:user::rwx
default:group::r-x
default:group:devs:r-x
default:mask::r-x
default:other::---
I think I should be able to get a directory listing, but I cannot.
user@host:/srv$ ls lib/
ls: cannot open directory lib/: Permission denied
Answers:
Method 1
Gah – facepalm! The -d switch is used for new files and directories within the lib directory. An explicit ACL must be defined for the lib directory itself.
Remove the ACLs.
user@host:/srv$ sudo setfacl -b lib
user@host:/srv$ ls -l
total 24
drwxr-x--- 2 root www-data  4096 May 21 19:06 lib
drwx------ 2 root root     16384 Feb 17 18:22 lost+found
drwxr-x--- 3 root www-data  4096 May 21 17:25 www
Set the default ACL.
user@host:/srv$ sudo setfacl -d -m g:devs:5 lib/
user@host:/srv$ getfacl lib
# file: lib
# owner: root
# group: www-data
user::rwx
group::r-x
other::---
default:user::rwx
default:group::r-x
default:group:devs:r-x
default:mask::r-x
default:other::---
Test if the ACL allows members of the devs group to use ls.
user@host:/srv$ ls lib/
ls: cannot open directory lib/: Permission denied
Add a new ACL for the directory, without the -d (default) switch.
user@host:/srv$ sudo setfacl -m g:devs:5 lib/
user@host:/srv$ ls lib/
user@host:/srv$ ls -l lib/
total 0
Copy a file into the lib directory.
user@host:/srv$ sudo cp /etc/hostname lib/
user@host:/srv$ cat lib/hostname
host
Show the permissions.
user@host:/srv$ ls -l lib/
total 4
-rw-r-----+ 1 root root 6 May 21 19:15 hostname
Show the ACLs.
user@host:/srv$ getfacl lib/hostname
# file: lib/hostname
# owner: root
# group: root
user::rw-
group::r-x              #effective:r--
group:devs:r-x          #effective:r--
mask::r--
other::---
I am happy to receive any further insight about this.
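To make the two behaviours above concrete (a default: ACL never applies to the directory itself, and the mask caps every named entry, which is why getfacl prints #effective:r-- on the copied file), here is a small POSIX.1e access evaluator that reads getfacl output. It is an added example, not code from the question or the answer; the getfacl strings embedded in it are constructed to mirror the outputs shown above.

```python
# Added example (not from the original post): a minimal POSIX.1e ACL evaluator that
# reads getfacl output and shows why a default-only ACL does not open the directory.
PERM_BITS = {"r": 4, "w": 2, "x": 1}

def perms_to_int(p):  # 'r-x' -> 5
    return sum(PERM_BITS[c] for c in p if c in PERM_BITS)

def parse_getfacl(text):
    """Return {'owner', 'group', 'entries': [(is_default, tag, qualifier, perms)]}."""
    acl = {"owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:") or line.startswith("# group:"):
            key, _, value = line[2:].partition(":")
            acl[key] = value.strip()
        line = line.split("#")[0].strip()  # drop comments and '#effective:' notes
        if not line:
            continue
        is_default = line.startswith("default:")
        tag, qual, perm = (line[8:] if is_default else line).split(":")
        acl["entries"].append((is_default, tag, qual, perms_to_int(perm)))
    return acl

def access_allowed(acl, user, groups, want):
    """Only access entries apply to the object; default: entries only seed new children."""
    entries = [(t, q, p) for d, t, q, p in acl["entries"] if not d]
    mask = next((p for t, _, p in entries if t == "mask"), 7)
    need = perms_to_int(want)
    if user == acl["owner"]:                      # owner entry is never masked
        perm = next(p for t, q, p in entries if t == "user" and q == "")
        return (perm & need) == need
    for t, q, p in entries:                       # named user entry, masked
        if t == "user" and q == user:
            return (p & mask & need) == need
    in_group_class = False                        # owning group and named groups
    for t, q, p in entries:
        if t == "group" and (q or acl["group"]) in groups:
            in_group_class = True
            if (p & mask & need) == need:
                return True
    if in_group_class:                            # a group matched but none granted
        return False
    perm = next(p for t, _, p in entries if t == "other")
    return (perm & need) == need

# Constructed getfacl output mirroring the post: default entries only, then the access
# ACL after 'setfacl -m g:devs:5', then the copied file whose mask is r--.
LIB_DEFAULT_ONLY = ("# owner: root\n# group: www-data\nuser::rwx\ngroup::r-x\n"
                    "other::---\ndefault:group:devs:r-x\ndefault:mask::r-x\n")
LIB_FIXED = LIB_DEFAULT_ONLY + "group:devs:r-x\nmask::r-x\n"
HOSTNAME = ("# owner: root\n# group: root\nuser::rw-\ngroup::r-x #effective:r--\n"
            "group:devs:r-x #effective:r--\nmask::r--\nother::---\n")
```

Calling access_allowed(parse_getfacl(LIB_DEFAULT_ONLY), "user", {"user", "devs"}, "r-x") reproduces the Permission denied seen in the question, and the same call against LIB_FIXED returns True.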