On Tue, Aug 31, 2010 at 5:28 PM, Daniel Fussell <[email protected]> wrote:
> On 08/31/2010 12:42 PM, Stuart Jansen wrote:
> > If there aren't any files yet:
> >
> > setfacl -m u:john:rwx,u:james:rwx /home/shared/
> > setfacl -m d:u:john:rwx,d:u:james:rwx /home/shared/
> >
> > If there are files:
> >
> > find /home/shared/ -type f \
> > | xargs setfacl -m u:john:rw,u:james:rw
> > find /home/shared/ -type d \
> > | xargs setfacl -m u:john:rwx,u:james:rwx
> > find /home/shared/ -type d \
> > | xargs setfacl -m d:u:john:rwx,d:u:james:rwx
> >
> This can also be done in blanket fashion with the '-R' or '--recursive' flags. Unless of course you do want different permissions for files versus directories.
>
> If the permissions just aren't working even with these well-thought-out ACL examples provided, there are two other limitations on ACLs.
>
> Named users and named groups (ie, not the file/directory owner and owning group) are limited by:
> (1) the owning group's permissions, and
> (2) the ACL "mask" permissions, if present
>
> So if you have a file with unix 700 permissions, you can try to give james and john any permission combination you want, and that '---' unix group permission will kill their access entirely. If the owning unix group has 'rw-', they will have no higher permissions than 'rw-' no matter what their named ACL says. They can have less, but not more.
>
> The mask permissions are similar; they specify a maximum permission that can be granted to a named user or group. This would allow the owning group to have full 'rwx' perms, while all named users and groups might be limited by the mask to a maximum of 'r-x'. If it is limited by the mask, getfacl will show a comment to the right of each ACL like '# effective r-x'. If the user ACL was 'rw-' and the mask was 'r-x', the comment would show '# effective r--'.
>
> Don't confuse umask with ACL mask; umask specifies a number to be subtracted from the unix permissions of a newly created entry (subtracted from 777 for a file, and 666 for a directory). The umask cannot be enforced as the user can change the umask at any time, and applies only to plain-old unix permissions. It applies to all new files across all mounted filesystems in the current process's environment, but is superseded by default ACLs when present.
>
> The directory's default ACL applies to new files/directories created in that directory, which is why cp automatically inherits the ACLs as the file copies are created. A mv will not inherit, since all it's doing is moving a file around in a directory tree, not creating a new file. This is occasionally a source of confusion.
> <http://uug.byu.edu/mailman/listinfo/uug-list>

We did something similar to this for our samba server when setting up a new directory:

setfacl -R -m d:u:myuser:rwx,u:myuser:rwx,d:g:mygroup1:rwx,g:mygroup1:rwx,d:g:mygroup2:rx,g:mygroup2:rx folder

This is much faster when you are having to set permissions on many files. It also worked with Windows machines that were joined to the Active Directory (Linux box joined as well), which were able to modify the permissions except for the owner and group owner. Be aware that if you are using quotas, only the owner and group owner are used.

For user shares, I usually made the user the owner with the sticky bit and root as the group and usually used 770. For group spaces, I put the person in charge of the group space as the owner and the group as the group owner with 770 as well (unless everyone should read, then 776). YMMV.

Robert LeBlanc
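The mask behaviour discussed above is easy to get wrong in practice, so here is an added example (my own script, not code from anyone in this thread) that does two things. First, a pure sh/awk helper reproduces the "#effective" computation getfacl performs: a named user, named group or owning-group entry is ANDed with the mask entry, so you can predict what a given setfacl will leave a user with. Second, when setfacl/getfacl are installed and the filesystem supports POSIX ACLs, it runs the scenario for real on a temp directory: once a file carries an extended ACL, the group bits of its mode are the mask, so "chmod 700" zeroes the mask and the named user's rw- becomes effective ---; it then shows a default ACL being picked up by cp but not by mv. The numeric UID 1001 is an assumption standing in for "john"/"james" (setfacl accepts numeric IDs that need not exist in /etc/passwd); the sample getfacl lines fed to the helper are constructed.

```shell
#!/bin/sh
# Added example for this thread; not the list members' own code.
# Assumption: UID 1001 is a placeholder named user; it need not exist locally.

# acl_effective ENTRY MASK: AND two rwx triples, e.g. "rw-" & "r-x" -> "r--".
# This is exactly what getfacl reports as "#effective:".
acl_effective() {
  entry=$1 mask=$2 out=""
  for bit in r w x; do
    case "$entry" in
      *"$bit"*)
        case "$mask" in
          *"$bit"*) out="$out$bit" ;;
          *)        out="$out-"   ;;
        esac ;;
      *) out="$out-" ;;
    esac
  done
  printf '%s\n' "$out"
}

# annotate_effective: read access-ACL entries (getfacl format) on stdin and
# append "#effective:<perms>" where the mask cuts an entry down. Subject to
# the mask: named users, named groups and the owning group (group::).
# The owner (user::), other:: and mask:: are never masked. Default entries
# (default:...) are left alone; they are governed by default:mask instead.
annotate_effective() {
  awk -F: '
    function and3(a, b,    out, k, c) {
      out = ""
      for (k = 1; k <= 3; k++) {
        c = substr(a, k, 1)
        out = out ((c != "-" && c == substr(b, k, 1)) ? c : "-")
      }
      return out
    }
    /^#/ { lines[NR] = $0; next }          # "# file:" / "# owner:" headers
    { lines[NR] = $0; if ($1 == "mask") mask = $3 }
    END {
      for (i = 1; i <= NR; i++) {
        line = lines[i]
        n = split(line, f, ":")
        if (mask != "" && n == 3 &&
            ((f[1] == "user" && f[2] != "") || f[1] == "group")) {
          eff = and3(f[3], mask)
          if (eff != f[3]) line = line "\t#effective:" eff
        }
        print line
      }
    }'
}

# acl_demo: live run with setfacl/getfacl. Returns 0 and skips cleanly when
# the tools are missing or the filesystem has no ACL support.
acl_demo() {
  command -v setfacl >/dev/null 2>&1 || { echo "setfacl not installed; skipping live demo"; return 0; }
  d=$(mktemp -d) || return 1
  f="$d/shared.txt"; : > "$f"
  if ! setfacl -m u:1001:rw- "$f" 2>/dev/null; then
    echo "filesystem has no POSIX ACL support; skipping live demo"; rm -rf "$d"; return 0
  fi
  echo "--- after setfacl -m u:1001:rw- (mask auto-computed as the union, nothing cut):"
  getfacl -p "$f" 2>/dev/null
  # With an extended ACL present, chmod's group bits rewrite mask::, not group::,
  # so 700 leaves user:1001:rw- with "#effective:---".
  chmod 700 "$f"
  echo "--- after chmod 700 (mask::--- now caps the named user):"
  getfacl -p "$f" 2>/dev/null
  # Default ACLs apply at creation time: cp creates a new file and inherits
  # them; mv only renames, so no entry is added.
  mkdir "$d/proj"; : > "$d/plain.txt"
  setfacl -m d:u:1001:rwx,u:1001:rwx "$d/proj"
  cp "$d/plain.txt" "$d/proj/copied.txt"
  mv "$d/plain.txt" "$d/proj/moved.txt"
  echo "--- cp result (user:1001 inherited from the default ACL):"
  getfacl -p "$d/proj/copied.txt" 2>/dev/null | grep '^user:1001' || echo "(no user:1001 entry)"
  echo "--- mv result (no default ACL applied):"
  getfacl -p "$d/proj/moved.txt" 2>/dev/null | grep '^user:1001' || echo "(no user:1001 entry)"
  rm -rf "$d"
}

# Constructed sample: james has rw- but the mask is r-x, as in the thread.
printf 'user::rwx\nuser:james:rw-\ngroup::rwx\nmask::r-x\nother::---\n' | annotate_effective
acl_demo
```

Usage note: on a file with an existing extended ACL, "setfacl -m u:james:rw-" recomputes the mask to the union of the affected entries (and getfacl then shows nothing cut), so the surprising case is always a later chmod on the group bits, or a mask that was pinned explicitly with "-m m::r-x" or "-n". Running the helper over getfacl output from a real share will point at exactly those entries.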
--------------------
BYU Unix Users Group
http://uug.byu.edu/
The opinions expressed in this message are the responsibility of their author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
___________________________________________________________________
List Info (unsubscribe here): http://uug.byu.edu/mailman/listinfo/uug-list
