Question on acl files and permission values.

2009-05-18 Thread CHAPLIN, JAMES (CTR)
I have a user who deploys an application using a common user ID and
script. For security reasons, we are trying to get them off this common
ID. However their deployment scripts fail to remove files other than the
ones they themselves (user) deploy. Thus the team resorts to a common
ID.

My solution was to use ACL to grant RWX to all members of the group on
the file system. This works after I set the command:
setfacl -R -m g:guid:rwx /file/system and
setfacl -R -m -d g:guid:rwx /file/system for the default value.

When I display (getfacl) these values, they are verified as still
correct.

However after they expand their zip file again during the deployment,
the files are no longer removable (permission denied) by any other
member of the group except for the user completing the deployment. And
the ACL values are still the same for the file system. 

The files are created by the developers on a Windows platform to be
deployed on linux.

Before:
group:groupname:rwx

After redeployment:
group:groupname:rwx   #effective:r-x   <==(I need the write)

How can I resolve this without having to rerun the setfacl command
again?

James Chaplin
Systems Programmer, MVS, zVM & zLinux
Base Technologies, Inc
Supporting the zSeries Platform Team

--
For LINUX-390 subscribe / signoff / archive access instructions,
send email to lists...@vm.marist.edu with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
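
The `#effective:r-x` annotation in the getfacl output above means the file's ACL mask entry no longer includes write, so the named group entry is narrowed even though it still reads rwx. As an added example (not part of the original post), this Python script parses getfacl output and lists every entry the mask narrows; the sample text, file path and owner name are constructed.

```python
import re

# Constructed sample: getfacl output shaped like the "after redeployment"
# state in the post (file path and owner name are placeholders).
SAMPLE = """\
# file: file/system/app.jar
# owner: deployer
# group: groupname
user::rwx
group::r-x
group:groupname:rwx\t#effective:r-x
mask::r-x
other::r-x
"""

def _bits(perm):
    """Turn 'r-x' into a set like {'r', 'x'}."""
    return {c for c in perm[:3] if c != "-"}

def masked_entries(getfacl_text):
    """Return (file, entry, granted, effective) for entries the mask narrows.

    POSIX ACLs AND the mask into every named user, named group and the
    owning group entry; user:: (owner) and other:: are never masked.
    """
    findings, path, entries, mask = [], None, [], None

    def flush():
        for tag, qual, perm in entries:
            if mask is None or (tag == "user" and qual == ""):
                continue
            eff = "".join(c if c in _bits(perm) & mask else "-" for c in "rwx")
            if eff != perm:
                findings.append((path, f"{tag}:{qual}", perm, eff))

    # The trailing sentinel line flushes the last file in the listing.
    for line in getfacl_text.splitlines() + ["# file: "]:
        if line.startswith("# file: "):
            flush()                      # report the previous file, if any
            path, entries, mask = line[8:], [], None
            continue
        m = re.match(r"(user|group|mask):([^:]*):([r-][w-][x-])", line)
        if not m:
            continue                     # comments, other::, default: entries
        tag, qual, perm = m.groups()
        if tag == "mask":
            mask = _bits(perm)
        else:
            entries.append((tag, qual, perm))
    return findings
```

On a file that carries an ACL, chmod rewrites the mask from the new group permission bits, so feeding `getfacl -R` output taken after a deployment to `masked_entries` shows which files lost group write.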


Re: Question on acl files and permission values.

2009-05-18 Thread John McKown
Does zip even know about acls on files? They are rather "new" and not
always supported. Also, how do you set an acl on Windows? I'm fairly
ignorant of that! I set acls on Linux, then use GNU tar with the correct
switches to transport to z/OS UNIX.

--
Trying to write with a pencil that is dull is pointless.

Maranatha!
John McKown



Re: Question on acl files and permission values.

2009-05-18 Thread Rentmeester Pete
No clue on acls and windoze. Sorry.

But in Linux acls are set at the filesystem level. Usually via an entry
in the /etc/fstab or with the tune2fs command. So when a tar file is
extracted the acls will not travel unless it is placed in a filesystem
that has acls. Even if it is placed in a filesystem with acls I'm not
sure how well that would work. Never actually did that. Test it and let
us know.

 -pete 


  ### any technology distinguishable from magic is insufficiently
advanced ###
Arthur C. Clarke

-Original Message-
From: Linux on 390 Port [mailto:linux-...@vm.marist.edu] On Behalf Of
John McKown
Sent: Monday, May 18, 2009 6:22 PM
To: LINUX-390@VM.MARIST.EDU
Subject: Re: Question on acl files and permission values.

Does zip even know about acls on files? They are rather "new" and not
always supported. Also, how do you set an acl on Windows? I'm fairly
ignorant of that! I set acls on Linux, then use GNU tar with the correct
switches to transport to z/OS UNIX.

--
Trying to write with a pencil that is dull is pointless.

Maranatha!
John McKown



Re: Question on acl files and permission values.

2009-05-18 Thread Scott Rohling
How are the files zipped?  How are they expanded?   Perhaps the zip program
being used does not preserve permission bits .. or the zip/unzip needs the
proper incantation to do it.   Using 'tar' or other compression tools that
are *nix based might help if the zip program being used isn't working..

Scott

On Mon, May 18, 2009 at 1:37 PM, CHAPLIN, JAMES (CTR) <
james.chap...@associates.dhs.gov> wrote:

> I have a user who deploys an application using a common user ID and
> script. For security reasons, we are trying to get them off this common
> ID. However their deployment scripts fail to remove files other than the
> ones they themselves (user) deploy. Thus the team resorts to a common
> ID.
>
> My solution was to use ACL to grant RWX to all members of the group on
> the file system. This works after I set the command:
> setfacl -R -m g:guid:rwx /file/system and
> setfacl -R -m -d g:guid:rwx /file/system for the default value.
>
> When I display (getfacl) these values, they are verified as still
> correct.
>
> However after they expand their zip file again during the deployment,
> the files are no longer removable (permission denied) by any other
> member of the group except for the user completing the deployment. And
> the ACL values are still the same for the file system.
>
> The files are created by the developers on a Windows platform to be
> deployed on linux.
>
> Before:
> group:groupname:rwx
>
> After redeployment:
> group:groupname:rwx   #effective:r-x   <==(I need the write)
>
> How can I resolve this without having to rerun the setfacl command
> again?
>
> James Chaplin
> Systems Programmer, MVS, zVM & zLinux
> Base Technologies, Inc
> Supporting the zSeries Platform Team