System Administration
Access list to directory is not working

David_Ortiz

Hello everyone,

I am struggling with an access list applied to a directory and I could use some help. My problem is that the directory does not seem to be catching its default entries correctly, and the "class" parameter is not updated.

I'm going to explain myself better.

First, I create a test directory under my home:

drwxr-xr-x   2 dos80935   users           96 Jan 16 10:37 test

I would need this directory to be accessed and overwritten by myself (dos80935) and mrm00441, so, according to section 5.4.9 of this document:

http://h20565.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c01944073

I should create a new default entry for mrm00441, which I do:

$ setacl -m d:u:mrm00441:7 test
$ getacl test
# file: test
# owner: dos80935
# group: users
user::rwx
group::r-x
class:r-x
other:r-x
default:user:mrm00441:rwx

However, when I try to create a new file under /home/dos80935/test as the mrm00441 user, I am not able to:

$ pwd
/home/dos80935/test
$ id
uid=900(mrm00441) gid=20(users)
$ touch file1
touch: file1 cannot create

Despite that, if I create a file under that directory as the owner (dos80935) and check its permissions, I can see that mrm00441 only has read permission on that file, which does not take into account the default entry previously created in the access list:

$ ll
total 0
-rw-r--r--+ 1 dos80935 users 0 Jan 16 10:42 file2
$ getacl file2
# file: file2
# owner: dos80935
# group: users
user::rw-
user:mrm00441:rwx #effective:r--
group::r--
class:r--
other:r--

Obviously I am doing something wrong, but I can't see why the class parameter remains set to r only, when it should be rwx according to the previously created rule, in order to give mrm00441 the intended permissions.

Thank you for your help, best regards.

2 REPLIES
PeterHe
Solution

Re: Access list to directory is not working

Hi David

There are two things here.

First, you will need to set the same ACL on the directory itself, not only the default:

setacl -m u:mrm00441:7 test

Then mrm00441 will be able to create files.

Secondly, there is an error in the implementation of ACLs, depending on umask.

If you create the directory with umask 022 and a file, mrm00441 will not have write access, but if you try to set the same ACL manually it will work:

setacl -m u:mrm00441:7 test/file1

This ACL is already set, but setting it again will reset something in the ACL, so mrm00441 has write access.

If you create the directory with umask 7, it will work as expected.

$ umask 022
$ mkdir testacl1
$ setacl -m d:u:mrm00441:7 testacl1
$ setacl -m u:mrm00441:7 testacl1
$ touch testacl1/file

mrm00441 is able to create files, but has no write access to the file.

$ setacl -m u:mrm00441:7 testacl1

mrm00441 will have write access to the file.

$ umask 07
$ mkdir testacl2
$ setacl -m d:u:mrm00441:7 testacl2
$ setacl -m u:mrm00441:7 testacl2
$ touch testacl2/file

mrm00441 is able to create files, and has write access.

/Peter
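The sequence David observed and Peter explains above, replayed as an added Python model. This is an illustration written for this page, not code from the thread and not HP-UX code. The test directory ACL is David's getacl output, and mrm00441's group membership (users) comes from his id output. Two rules are read off the thread: a new file's base entries and class entry come from mode & ~umask (class = the group bits, which is why getacl reported class:r-- for file2), and named default entries are copied into the file's access ACL. The rule that setacl -m recomputes the class entry as the union of the owning-group entry and every named entry is an assumption that matches Peter's observation that re-applying an entry already present restores write access.

```python
"""Model of the HP-UX (POSIX.1e-style) ACL behaviour seen in this thread.
Constructed illustration, not HP-UX code: it reproduces the class-entry masking that getacl
reports as '#effective:', the class value a new file receives under a given umask, and the
effect of re-applying an entry with setacl -m. The class-recalculation rule is an assumption."""
from functools import reduce
from operator import or_

PERM_BITS = {"r": 4, "w": 2, "x": 1}

def perm_to_bits(perm):
    """'rwx', 'r-x' or an octal digit such as '7' -> 0..7."""
    return int(perm) & 7 if perm.isdigit() else sum(PERM_BITS[c] for c in perm if c != "-")

def bits_to_perm(bits):
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())

def parse_getacl(text):
    """getacl(1) output -> list of (is_default, tag, qualifier, bits) tuples."""
    acl = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drops '# file:' headers and '#effective:' notes
        if not line:
            continue
        is_default = line.startswith("default:")
        fields = (line[8:] if is_default else line).split(":")
        if fields[0] in ("class", "other"):
            fields.insert(1, "")  # these two entries carry no qualifier
        tag, qual, perm = fields
        acl.append((is_default, tag, qual, perm_to_bits(perm)))
    return acl

def effective(acl):
    """What getacl shows as '#effective:': class caps every access entry except user:: and other:."""
    cls = next(b for d, t, q, b in acl if not d and t == "class")
    out = {}
    for d, t, q, b in acl:
        if d:
            continue
        uncapped = t in ("class", "other") or (t == "user" and q == "")
        out[f"{t}:{q}" if t in ("user", "group") else t] = bits_to_perm(b if uncapped else b & cls)
    return out

def access(acl, user, groups, owner, owning_group, want):
    """POSIX.1e-style check: owner, then named user, then group entries, then other.
    The first matching kind of entry decides; named and group entries are capped by class."""
    need = perm_to_bits(want)
    ent = {(t, q): b for d, t, q, b in acl if not d}
    cls = ent[("class", "")]
    if user == owner:
        return need & ent[("user", "")] == need
    if ("user", user) in ent:
        return need & ent[("user", user)] & cls == need
    matched = [ent[("group", "")]] if owning_group in groups else []
    matched += [ent[("group", g)] for g in groups if ("group", g) in ent]
    if matched:
        return need & reduce(or_, matched, 0) & cls == need
    return need & ent[("other", "")] == need

def create_file(dir_acl, mode, umask):
    """New file under a directory with default entries, as the thread shows it: base entries
    come from mode & ~umask, class = that mode's group bits, named defaults are copied over."""
    m = mode & ~umask & 0o777
    named = [(False, t, q, b) for d, t, q, b in dir_acl if d and q]
    return [(False, "user", "", (m >> 6) & 7)] + named + [(False, "group", "", (m >> 3) & 7),
            (False, "class", "", (m >> 3) & 7), (False, "other", "", m & 7)]

def setacl_m(acl, spec):
    """Model of `setacl -m [d:]u|g:NAME:PERM`: replace that entry and, for access entries,
    recompute class as the union of group:: and every named entry (assumed behaviour)."""
    is_default = spec.startswith("d:")
    short, qual, perm = (spec[2:] if is_default else spec).split(":")
    tag = {"u": "user", "g": "group"}[short]
    new = [e for e in acl if e[:3] != (is_default, tag, qual)] + [(is_default, tag, qual, perm_to_bits(perm))]
    if not is_default:  # a default entry leaves the access class alone, as getacl of test shows
        cls = reduce(or_, [b for d, t, q, b in new if not d and (t == "group" or (t == "user" and q))], 0)
        new = [e for e in new if e[:3] != (False, "class", "")] + [(False, "class", "", cls)]
    return new

# David's getacl output for the test directory, copied from the thread.
TEST_DIR = """# file: test
user::rwx
group::r-x
class:r-x
other:r-x
default:user:mrm00441:rwx"""

def replay():
    """Replay the thread: dos80935 owns test, mrm00441 is in group users."""
    who = ("mrm00441", {"users"}, "dos80935", "users")
    r, d = {}, parse_getacl(TEST_DIR)
    r["create_before"] = access(d, *who, "wx")    # touch fails: only group::r-x applies
    d = setacl_m(d, "u:mrm00441:7")                # Peter's first point: access entry, not only default
    r["create_after"] = access(d, *who, "wx")
    f = create_file(d, 0o666, 0o022)               # touch under umask 022 -> mode 644
    r["eff_022"] = effective(f)["user:mrm00441"]   # 'r--', exactly what getacl file2 showed
    r["write_022"] = access(f, *who, "w")
    f = setacl_m(f, "u:mrm00441:7")                # re-applying the same entry recomputes class
    r["write_022_reset"] = access(f, *who, "w")
    f = create_file(d, 0o666, 0o007)               # touch under umask 007 -> mode 660, class rw-
    r["eff_007"] = effective(f)["user:mrm00441"]
    r["write_007"] = access(f, *who, "w")
    return r
```

Calling replay() walks through the thread in order: creation denied with only a default entry, allowed once the access entry exists, the umask 022 file giving mrm00441 an effective r--, write restored after the entry is re-applied, and the umask 007 file carrying class rw- from the start. The practical check this encodes is the one getacl already prints: whenever a named entry shows a "#effective:" value smaller than its nominal permissions, the class entry is what is denying access, and neither the named entry nor the default entry will help until the class is raised.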

David_Ortiz

Re: Access list to directory is not working

Hello Peter,

Thank you for your response, it explained my problem. However, I can't use access lists for my final purpose, because I intended to use access lists to manage NFS resources which are being written by many different users from different applications.

In our environment every user has umask 022, so if I log off with my user and later log on, the mask will again be 022. Each time I create a new file using that mask, its permissions will be 644, so mrm00441 won't be able to overwrite them, even though the access list is properly configured.

I would expect the access list to ignore the file permissions, or to overwrite them if necessary, but sadly it seems that the permissions assigned when a user creates a file or a directory are stronger than the permissions assigned by the access lists themselves.

Thank you again, best regards.

David.