On 08/31/2010 12:42 PM, Stuart Jansen wrote:
> If there aren't any files yet:
>
> setfacl -m u:john:rwx,u:james:rwx /home/shared/
> setfacl -m d:u:john:rwx,d:u:james:rwx /home/shared/
>
> If there are files:
>
> find /home/shared/ -type f \
>    | xargs setfacl -m u:john:rw,u:james:rw
> find /home/shared/ -type d \
>    | xargs setfacl -m u:john:rwx,u:james:rwx
> find /home/shared/ -type d \
>    | xargs setfacl -m d:u:john:rwx,d:u:james:rwx
>
This can also be done in blanket fashion with the '-R' or '--recursive' 
flags.  Unless of course you do want different permissions for files 
versus directories.

If the permissions just aren't working even with these well-thought out 
ACL examples provided, there are two other limitations on ACLs.

Named users and named groups (ie, not the file/directory owner and 
owning group) are limited by:
      (1) the owning group's permissions, and
      (2) the ACL "mask" permissions, if present

So if you have a file with unix 700 permissions, you can try to give 
james and john any permission combination you want, and that '---' unix 
group permission will kill their access entirely.  If the owning unix 
group has 'rw-', they will have no higher permissions than 'rw-' no 
matter what their named ACL says.  They can have less, but not more.

The mask permissions are similar; they specify a maximum permission that 
can be granted to a named user or group.  This would allow the owning 
group to have full 'rwx' perms, while all named users and groups might 
be limited by the mask to a maximum of 'r-x'.  If it is limited by the 
mask, getfacl will show a comment to the right of each ACL like '# 
effective r-x'.  If the user ACL was 'rw-' and the mask was 'r-x', the 
comment would show '# effective r--'.

Don't confuse umask with ACL mask; umask specifies a number to be 
subtracted from the unix permissions of a newly created entry (subtracted 
from 777 for a file, and 666 for a directory).  The umask cannot be 
enforced as the user can change the umask at any time, and applies only 
to plain-old unix permissions.  It applies to all new files across all 
mounted filesystems in the current process's environment, but is 
superseded by default ACLs when present.

The directory's default ACL applies to new files/directories created in 
that directory, which is why cp automatically inherits the ACLs as the 
file copies are created.  A mv will not inherit, since all it's doing is 
moving a file around in a directory tree, not creating a new file.  This 
is occasionally a source of confusion.
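
To make the mask and '# effective' behaviour discussed above concrete, here is an added Python example (not code from this thread or from the acl package) that computes the '#effective:' annotations getfacl prints for a constructed ACL in getfacl's text format. It follows the POSIX.1e rule Linux implements, where a mask entry caps the owning group entry (group::) as well as the named users and groups, and caps named entries by the owning group entry when no mask exists; the file path and user names in the sample are made up.

```python
# Added example, not code from the original thread: reproduce the "#effective:"
# annotation getfacl prints, using the POSIX.1e rules Linux setfacl/getfacl follow:
#  - with a mask entry, named users, named groups AND the owning group entry
#    (group::) are capped by the mask (bitwise AND of the permission bits);
#  - without a mask entry, named entries are capped by the owning group entry;
#  - user:: (owner) and other:: are never capped.
PERM_BITS = {"r": 4, "w": 2, "x": 1}
# Constructed sample in getfacl's text format, mirroring the thread's john/james setup.
SAMPLE_ACL = """\
# file: /home/shared/report.txt
user::rw-
user:john:rw-
user:james:rwx
group::rwx
mask::r-x
other::---
"""
def perm_to_int(perm):            # 'rw-' -> 6
    return sum(PERM_BITS[c] for c in perm if c != "-")
def int_to_perm(n):               # 6 -> 'rw-'
    return "".join(c if n & b else "-" for c, b in PERM_BITS.items())
def effective_perm(entry_perm, cap_perm):
    """What the entry actually grants: its bits ANDed with the mask (or group cap)."""
    return int_to_perm(perm_to_int(entry_perm) & perm_to_int(cap_perm))
def parse_acl(text):
    """Return (tag, qualifier, perm) tuples; '#' comment lines such as '# file:' are skipped."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            tag, qualifier, perm = line.split(":")
            entries.append((tag, qualifier, perm))
    return entries
def annotate(text):
    """ACL lines with '#effective:' appended (tab-separated, as getfacl prints) where a cap reduces the entry."""
    entries = parse_acl(text)
    mask = next((p for t, q, p in entries if t == "mask"), None)
    owning_group = next((p for t, q, p in entries if t == "group" and not q), "---")
    cap = mask if mask is not None else owning_group
    out = []
    for tag, qualifier, perm in entries:
        line = f"{tag}:{qualifier}:{perm}"
        named = bool(qualifier)                       # user:john, group:staff
        capped = (tag == "user" and named) or (tag == "group" and (named or mask is not None))
        eff = effective_perm(perm, cap) if capped else perm
        if eff != perm:
            line += f"\t\t#effective:{eff}"
        out.append(line)
    return out
```

Running annotate(SAMPLE_ACL) shows john's 'rw-' entry reduced to 'r--' by the 'r-x' mask, exactly the case described in the message above.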


--------------------
BYU Unix Users Group 
http://uug.byu.edu/ 
