
Permissions, please help....

SOLVED
Qcheck
Super Advisor

When I create a file under certain directory/file system(as both names are same), why the permissions aren't the same as the directory?

The user oracle and the group dev are able to create files under the /reports directory. However, the permissions on the files created are not 775. They are created with 644 permissions, as in: -rw-r--r-- 1 oracle dev 0 Feb 11 11:44 kk

Please find below the configuration I set up this morning, with exactly what the production users are trying to do:

[root]# chmod -R 1775 /reports/
[root]# ls -ld /reports/
drwxrwxr-t 3 oracle dev 4096 Feb 11 11:38 /reports/
[root]# vi /etc/fstab
[root]# grep rep /etc/fstab
/dev/vg00/reportslv /reports ext3 acl 1 2
[root]#
[root]# mount -o acl /reports/
mount: /dev/vg00/reportslv already mounted or /reports busy
mount: according to mtab, /dev/mapper/vg00-reportslv is already mounted on /reports
[root]# mount -o acl,remount /reports/
[root@cognos mdw_reports]# setfacl -m u:oracle:rwx /mdw_reports/
[root]# setfacl -m g:dev:rwx /reports/
[root]# setfacl -m g:dev:rwx /reports/*
[root]# setfacl -m u:oracle:rwx /reports/*
[root]# su - oracle
$ cd /reports/
$ ls -l
total 20
drwxrwxr-t+ 2 oracle dev 16384 Feb 11 11:38 lost+found
$ touch kk
$ ls -l
total 20
-rw-r--r-- 1 oracle oinstall 0 Feb 11 11:44 kk
drwxrwxr-t+ 2 oracle dev 16384 Feb 11 11:38 lost+found
$

+++++++++++++++++++++++++++++++++++++++++++++++

I want to know the solution where the user oracle should be able to create the files with 775 permissions. I don't want to change the permissions once the files are created, as the number of files will be unlimited and it would be tedious work to do after the fact.

Any help will be really appreciated.
6 REPLIES
Steven Schweda
Honored Contributor

Re: Permissions, please help....

> When I create a file under certain
> directory/file system(as both names are
> same), why the permissions aren't the same
> as the directory?

Why should they be? I'd expect the
permissions on a newly created file to
depend on how the file is created, not on
the permissions of the directory where it is
placed.

man umask

> [...] the user oracle should be able to
> create the files with 775 permissions [...]

Why 775 instead of, say, 664?
Matti_Kurkela
Honored Contributor
Solution

Re: Permissions, please help....

On Unix-like systems (including Linux), the basic permissions given to files created by applications will depend on the combination of two things:
- the permissions requested by the application when opening the file for writing (typically 666 or 777)
- the value of the "umask" parameter (often the default value is 022)

The permissions of the directory the file is created in can allow or prevent the file from being created, but have no effect beyond that.

(If this basic permission mechanism is insufficient, ACLs can be optionally used to extend the basic scheme. However, in most cases, ACLs are not necessary and many sysadmins won't use them at all.)

The OS will assign the actual permissions to newly-created files using this formula:

Actual_Perms = Requested_Perms AND ( NOT(umask) )

If you're unfamiliar with binary operations, you can think of it as:

Actual_Perms = Requested_Perms - umask

The standard Unix convention is that most applications will request permissions 666 (-rw-rw-rw-) when creating new files, because most files are not intended to be executable programs, just data for other programs to process. Only linkers and other special programs that produce executable files should request permissions 777 for files. This behavior is typically hardcoded in the program.

When creating directories, permissions 777 (drwxrwxrwx) are normally requested, because on directories, the x bit enables access to the contents of the directory.

So, when running using a default umask of 022, Oracle creates a new file with permissions 666. The result is 644, or -rw-r--r--, exactly as you've experienced.

If Oracle would create a directory, it would request permissions 777 for it, and the result would be a directory with permissions 755 or drwxr-xr-x.

The current umask value can be viewed with the command:

umask

and modified with:

umask

The umask is not an environment variable, but a process inherits the default umask value from its parent in the same way as environment variables.

Another Unix convention is that applications won't normally touch the umask value. This allows the user to control the permissions given to application-created files by simply making sure the umask value is correct before starting the application.

So, if you want Oracle to create files with group write permissions, make sure this command is always run before starting Oracle:

umask 002

This will cause Oracle to create files with permissions 664 (-rw-rw-r--) and directories with permissions 775 (drwxrwxr-x).

But you said you want files with permissions 775. I really must ask - why? Such a requirement would be highly exceptional.

MK
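Added example, not part of the original posts: a shell check of the rule described in the answer above, creating files and directories under different umask values inside a directory with mode 1775 as in the question. The function names `apply_umask` and `created_mode` are hypothetical, and GNU `stat -c` is assumed.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.
# Assumes GNU coreutils (stat -c), as on the Linux host in the question.

# apply_umask REQUESTED UMASK: print Requested AND NOT(umask) in octal.
apply_umask() {
    printf '%o\n' $(( 0$1 & ~0$2 & 0777 ))
}

# created_mode UMASK DIRMODE KIND: create a file (or directory when KIND
# is "dir") inside a scratch directory that has mode DIRMODE, with the
# given umask in effect, and print the mode the new object received.
created_mode() {
    (   # subshell: the umask change does not leak into the caller
        d=$(mktemp -d) || exit 1
        chmod "$2" "$d"
        umask "$1"
        if [ "$3" = dir ]; then
            mkdir "$d/new"      # mkdir requests 777
        else
            touch "$d/new"      # touch requests 666
        fi
        stat -c '%a' "$d/new"
        rm -rf "$d"
    )
}

# Parent directory is 1775 throughout; only the umask changes the result.
# With umask 027 the bitwise rule gives 640 for a file, whereas octal
# subtraction (666 - 027) would give 637, so the AND/NOT form is the one
# to rely on when a umask bit is not set in the requested mode.
for um in 022 002 027; do
    printf 'umask %s: file %s (expected %s), dir %s (expected %s)\n' \
        "$um" \
        "$(created_mode "$um" 1775 file)" "$(apply_umask 666 "$um")" \
        "$(created_mode "$um" 1775 dir)"  "$(apply_umask 777 "$um")"
done
```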
Qcheck
Super Advisor

Re: Permissions, please help....

Thank you both for the responses.

Yes, I figured the umask is overwriting the ACLs. So I will not use the ACLs.

Checking with the application people the reason for a change.

That was nicely detailed information. Thank you so much for your time. Once we figure out what the weblogic staff would like, accordingly will modify as needed. But you are right, 775 is exceptional.

Thank you again and will post if I have any other questions.

Thank you
Steven Schweda
Honored Contributor

Re: Permissions, please help....

> [...] Once we figure out what the weblogic
> staff would like, accordingly will modify
> as needed. [...]

Sometimes it can be helpful to know what you
want before you ask how to get it.
Qcheck
Super Advisor

Re: Permissions, please help....

Steven,

I know exactly what I am looking for.

The filesystem has the following permission:
[root]# ls -ld /standby
drwxr-xr-x 3 root root 4096 Feb 15 10:56 /standby
[root]#
[root]# touch tt
[root]# ls -ld tt
-rw-r--r-- 1 root root 0 Feb 15 11:05 tt
[root]# getfacl .
# file: .
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:group::r-x
default:other::r-x

[root]#

++++++++++++++++++++++++++++++++++++++++++++
So my question is, when I create a new file, why don't I get 755 permission, like the file system /standby permissions 755 and default acl?
Dennis Handly
Acclaimed Contributor

Re: Permissions, please help....

>when I create a new file, why don't I get 755 permission

As MK said, you don't get execute permission by default unless the linker creates the file.
Directories do get execute permission.
Otherwise only scripts and executables need execute permission.

Why do you think you need 755?