
#1 2008-08-30 22:39:29

Ruckus
Member
Registered: 2007-02-17
Posts: 204

File Server Permission Woes

Ok, I have a pretty simple setup.

I have a single 200gb drive formatted to ext3 and mounted at /mnt/media:

fstab wrote:

/dev/sdb1 /mnt/media ext3 defaults,users,acl 0 1

I have the group sticky bit set and all newly created files are automatically owned by group 'media'. Now I want all members of 'media' to have full access to this mount. E.g., user1 creates/modifies file /mnt/media/bumfum, user2 can modify/delete file /mnt/media/bumfum.

I used ACL (setfacl) 'setfacl -R -m group:media:rwx /mnt/media'

getfacl: Removing leading '/' from absolute path names
# file: mnt/media/
# owner: root
# group: media
user::rwx
group::rwx
group:media:rwx
mask::rwx
other::r-x

And it did change all of the permissions of existing files, but I was under the impression that new files would inherit this; instead, all new files are only writable by the owner.

Right now, new files are owned by group media, but their access is:

[george@gcomp media]$ getfacl testfile
# file: testfile
# owner: george
# group: media
user::rw-
group::r--
other::r--

Any ideas on what I'm missing here? This is also a samba share with the following options:

[media]
   comment = Media
   path = /mnt/media
   valid users = george arroneva
   public = no
   writable = @media
   printable = no


#2 2008-08-31 18:08:13

rine
Member
From: Germany
Registered: 2008-03-04
Posts: 217

Re: File Server Permission Woes

That's what defaults are for.

setfacl -m default:group:media:rwx /mnt/media/

All files created under /mnt/media/ then inherit the ACL, all directories created inherit the ACL and the default ACL.


#3 2008-09-06 07:31:06

Ruckus
Member
Registered: 2007-02-17
Posts: 204

Re: File Server Permission Woes

rine wrote:

That's what defaults are for.

setfacl -m default:group:media:rwx /mnt/media/

All files created under /mnt/media/ then inherit the ACL, all directories created inherit the ACL and the default ACL.

Ah, thank you, that explains it.


#4 2008-09-28 04:34:41

Alethos
Member
Registered: 2006-01-05
Posts: 84

Re: File Server Permission Woes

I'm having trouble with this. Either implementing it or figuring it out or...both?

Say on my server I create a directory I want to manage via acl's.

mkdir /test
chown root /test
chgrp users /test
chmod 770 /test
setfacl default:user:root:rwx /test
setfacl default:group:newgroup:rwx /test

Say user1 goes to that directory, creates anything (directory, file) under permissions it says owned by "user1" not "root" and group is "users" not "newgroup" therefore whoever created the new directory within "test" is the only one who has rights to change the attributes of it. Where am I getting confused/messing up?


#5 2008-09-28 07:08:27

Ruckus
Member
Registered: 2007-02-17
Posts: 204

Re: File Server Permission Woes

Alethos wrote:

I'm having trouble with this. Either implementing it or figuring it out or...both?

Say on my server I create a directory I want to manage via acl's.

mkdir /test
chown root /test
chgrp users /test
chmod 770 /test
setfacl default:user:root:rwx /test
setfacl default:group:newgroup:rwx /test

Say user1 goes to that directory, creates anything (directory, file) under permissions it says owned by "user1" not "root" and group is "users" not "newgroup" therefore whoever created the new directory within "test" is the only one who has rights to change the attributes of it. Where am I getting confused/messing up?

The same thing I was, I think: default just controls directories or vice versa, therefore you have to set both.

setfacl -R default:user:root:rwx /test
setfacl -R user:root:rwx /test
setfacl -R default:group:newgroup:rwx /test
setfacl -R group:newgroup:rwx /test

I threw the -R in there for any files that may already exist.


#6 2008-09-28 13:53:47

rine
Member
From: Germany
Registered: 2008-03-04
Posts: 217

Re: File Server Permission Woes

Alethos wrote:

I'm having trouble with this. Either implementing it or figuring it out or...both?

Say on my server I create a directory I want to manage via acl's.

mkdir /test
chown root /test
chgrp users /test
chmod 770 /test
setfacl default:user:root:rwx /test
setfacl default:group:newgroup:rwx /test

Say user1 goes to that directory, creates anything (directory, file) under permissions it says owned by "user1" not "root" and group is "users" not "newgroup" therefore whoever created the new directory within "test" is the only one who has rights to change the attributes of it. Where am I getting confused/messing up?

This is the normal behavior. Setting defaults means that the files and directories created under the directory inherit the ACL. It has nothing to do with which user or group owns those files. That makes your "setfacl default:user:root:rwx /test" totally useless, as root has access to everything by default. What you are looking for is setgid (google for it). Then all files created in the directory get a specified gid. Before you wonder: under Linux it is not possible to use the uid for that, meaning that you can't set default owners, just default owning groups.

Unfortunately not everything is possible with ACLs (at least as far as I know). When you have ACL defaults for a directory and create new files and directories everything works fine. But when you cp -p or mv files into that directory, they keep the ACL they had before and don't inherit. This is annoying me because I have some directories shared with samba for my roommate. I would be glad if someone had a solution for this problem. If there is none I guess I just have to make a cronjob to set the ACL every few minutes.

Another thing I don't know about is when someone is in several different groups. Let's say user1 is in groupr and grouprw. groupr only has read permissions for a file, grouprw has read and write permissions, all set via ACL. What permissions does user1 have now? My guess is that he has read and write permissions but I'll have to test that.

BTW:
chown root:users /test is shorter than chown root /test + chgrp users /test

Ruckus wrote:

The same thing I was, I think: default just controls directories or vice versa, therefore you have to set both.

setfacl -R default:user:root:rwx /test
setfacl -R user:root:rwx /test
setfacl -R default:group:newgroup:rwx /test
setfacl -R group:newgroup:rwx /test

I threw the -R in there for any files that may already exist.

See what I wrote above. Doing stuff with ACL and root makes no sense :) (and you're missing the -m option)

Last edited by rine (2008-09-28 13:56:52)


#7 2008-09-28 17:50:45

Alethos
Member
Registered: 2006-01-05
Posts: 84

Re: File Server Permission Woes

rine wrote:

This is the normal behavior. Setting defaults means that the files and directories created under the directory inherit the ACL. It has nothing to do with which user or group owns those files. That makes your "setfacl default:user:root:rwx /test" totally useless, as root has access to everything by default. What you are looking for is setgid (google for it). Then all files created in the directory get a specified gid. Before you wonder: under Linux it is not possible to use the uid for that, meaning that you can't set default owners, just default owning groups.

Ah, that makes sense. Root - yeah, I know I was just using root to test. I wasn't aware it wasn't possible...further reading shows no default uid for Unix/Linux but possible in BSD. That's too bad. I wonder why there isn't a simple solution for this. It would be nice to be able to set default user and group id's that all child directories and files inherit whether they be moved, copied or created.

rine wrote:

Unfortunately not everything is possible with ACLs (at least as far as I know). When you have ACL defaults for a directory and create new files and directories everything works fine. But when you cp -p or mv files into that directory, they keep the ACL they had before and don't inherit. This is annoying me because I have some directories shared with samba for my roommate. I would be glad if someone had a solution for this problem. If there is none I guess I just have to make a cronjob to set the ACL every few minutes.

Another thing I don't know about is when someone is in several different groups. Let's say user1 is in groupr and grouprw. groupr only has read permissions for a file, grouprw has read and write permissions, all set via ACL. What permissions does user1 have now? My guess is that he has read and write permissions but I'll have to test that.

Good question. Before I start dinking around with that, I need to figure out what's best for my setup...setgid's or ACL's.

rine wrote:

BTW:
chown root:users /test is shorter than chown root /test + chgrp users /test

Thanks for that tidbit!


#8 2008-09-28 17:51:11

Ruckus
Member
Registered: 2007-02-17
Posts: 204

Re: File Server Permission Woes

The information above and in this post http://bbs.archlinux.org/viewtopic.php?id=38126 should be all you need. There is no point in setting the ACL for root. If the group allows them access it doesn't matter.


#9 2008-09-28 19:38:26

rine
Member
From: Germany
Registered: 2008-03-04
Posts: 217

Re: File Server Permission Woes

Alethos wrote:

Good question. Before I start dinking around with that, I need to figure out what's best for my setup...setgid's or ACL's.

I don't know your setup. But if you want to be flexible, I recommend ACL. It might seem a little confusing at first (especially that, in ACL terms, named users are in the group class) but it doesn't take that long to understand it.

Ruckus wrote:

The information above and in this post http://bbs.archlinux.org/viewtopic.php?id=38126 should be all you need. There is no point in setting the ACL for root. If the group allows them access it doesn't matter.

Well, there is a similar problem, just tested it. Creating files and copying files into that directory works fine. But when I move a file there, its gid is still the old one.


#10 2008-10-26 04:38:07

Ruckus
Member
Registered: 2007-02-17
Posts: 204

Re: File Server Permission Woes

rine wrote:
Alethos wrote:

Good question. Before I start dinking around with that, I need to figure out what's best for my setup...setgid's or ACL's.

I don't know your setup. But if you want to be flexible, I recommend ACL. It might seem a little confusing at first (especially that, in ACL terms, named users are in the group class) but it doesn't take that long to understand it.

Ruckus wrote:

The information above and in this post http://bbs.archlinux.org/viewtopic.php?id=38126 should be all you need. There is no point in setting the ACL for root. If the group allows them access it doesn't matter.

Well, there is a similar problem, just tested it. Creating files and copying files into that directory works fine. But when I move a file there, its gid is still the old one.

I used the sticky bit for that problem. I guess you could call it a combination of both or w/e.


#11 2009-04-06 16:06:01

pelle.k
Member
From: Åre, Sweden (EU)
Registered: 2006-04-30
Posts: 667

Re: File Server Permission Woes

When you have ACL defaults for a directory and create new files and directories everything works fine. But when you cp -p or mv files into that directory, they keep the ACL they had before and don't inherit.

That's what I'm wondering. See, I have /var/www (with ACL) set up so that I may administer it using my normal credentials, but when I copy directories there, the mask is not what I set it to be by default.
The idea of setting up a cronjob to "correct" these permissions seems like a "hack" to me, so I would prefer a proper fix.
The directories I copy don't even have an ACL to begin with, but that goes for new directories (in /var/www) as well, and since new dirs get a default ACL, one would think this would be true for copied dirs as well.
Help?


"Your beliefs can be like fences that surround you.
You must first see them or you will not even realize that you are not free, simply because you will not see beyond the fences.
They will represent the boundaries of your experience."

SETH / Jane Roberts


#12 2009-04-06 18:06:22

pelle.k
Member
From: Åre, Sweden (EU)
Registered: 2006-04-30
Posts: 667

Re: File Server Permission Woes

Never mind. It seems inheriting default masks to copied/moved files is not supported in the POSIX specification of ACL.
There is only one way around it; to have the ACL mask on the source file/directory set before it's copied. In my book, that kind of defeats the purpose of a default mask.
Anyway, here's a short discussion about it; http://www.linux.com/feature/138169
EDIT; added a link that does a good job at explaining this limitation.
http://www.mattb.net.nz/blog/2007/07/09 … -problems/

Last edited by pelle.k (2009-04-06 21:35:28)


"Your beliefs can be like fences that surround you.
You must first see them or you will not even realize that you are not free, simply because you will not see beyond the fences.
They will represent the boundaries of your experience."

SETH / Jane Roberts
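
Added example, not part of any post in this thread: a small Python model of the acl(5) rules behind two points raised above, rine's question about a user who is in several groups, and pelle.k's observation that the mask on a copied item is not the default one. The group name groupw, the create modes and the user tuples are constructed for illustration; root's bypass and ACLs without a mask entry are not modelled.

```python
# Added example: a model of the acl(5) rules, not code from the thread.
# Permission sets are 3-bit values; all names and ACLs below are constructed.
R, W, X = 4, 2, 1

def new_file_acl(default_acl, create_mode):
    """Access ACL of an object created in a directory with a default ACL.

    The default ACL is copied, then owner, mask and other are intersected
    with the mode passed to open()/mkdir(). The umask is not consulted.
    """
    acl = dict(default_acl, users=dict(default_acl["users"]),
               groups=dict(default_acl["groups"]))
    acl["user_obj"] &= (create_mode >> 6) & 7
    acl["mask"] &= (create_mode >> 3) & 7
    acl["other"] &= create_mode & 7
    return acl

def allowed(acl, owner, group, user, user_groups, want):
    """acl(5) access check for a non-root process; the ACL must carry a mask."""
    if user == owner:
        return (acl["user_obj"] & want) == want
    if user in acl["users"]:
        return (acl["users"][user] & acl["mask"] & want) == want
    matching = [p for g, p in acl["groups"].items() if g in user_groups]
    if group in user_groups:
        matching.append(acl["group_obj"])
    if matching:
        # A single matching entry must hold every requested bit;
        # bits are never added up across groups.
        return any((p & acl["mask"] & want) == want for p in matching)
    return (acl["other"] & want) == want

# Default ACL as left by `setfacl -m default:group:media:rwx /mnt/media/`.
SHARE_DEFAULT = {"user_obj": 7, "group_obj": 7, "mask": 7, "other": 5,
                 "users": {}, "groups": {"media": 7}}
# Two ways the same directory can receive a new file (create modes assumed).
touched = new_file_acl(SHARE_DEFAULT, 0o666)  # ordinary create
private = new_file_acl(SHARE_DEFAULT, 0o600)  # creator asked for 0600
# ACL for the groupr/grouprw question, plus a variant with split rights.
overlap = dict(SHARE_DEFAULT, groups={"groupr": R, "grouprw": R | W})
split = dict(SHARE_DEFAULT, groups={"groupr": R, "groupw": W})

if __name__ == "__main__":
    user2 = ("george", "media", "user2", {"media"})
    user1 = ("root", "media", "user1", {"groupr", "grouprw", "groupw"})
    for name, acl, who in (("touched", touched, user2), ("private", private, user2),
                           ("overlap", overlap, user1), ("split", split, user1)):
        print(name, allowed(acl, *who, R | W))
```

On a real system, getfacl marks entries that the mask cuts down with an `#effective:` comment, which is the quickest way to spot the `private` case.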
