group still getting "Permission denied" after ACL added to directory with setfacl

Latest response

I had problem using setfacl for group to access directory /subdirectory of other user at RHEL 7.2 (and 6.7 as well) . Followings are my screen shots after each change
first I used "setfacl -b myApp/" to remove all previous settings and start over
[user1@localhost ~]$ tail -10 /etc/group
....
user1:x:1002:user1
user2:x:1003:user2
user3:x:1004:user3
ncuser:x:1005:user3,user2

[user1@localhost ~]$ setfacl -Rm g:ncuser:wrX myApp/
[user1@localhost ~]$ getfacl myApp/

file: myApp/

owner: user1

group: user1

user::rwx
group::rwx
group:ncuser:rwx
mask::rwx
other::r-x

switch to user2

[user2@localhost ~]$ touch /neet/user1/myApp/a
touch: cannot touch ‘/neet/user1/myApp/a’: Permission denied

switch back user1

[user1@localhost ~]$ setfacl -Rm d:g:ncuser:wrX myApp/
[user1@localhost ~]$ getfacl myApp/

file: myApp/

owner: user1

group: user1

user::rwx
group::rwx
group:ncuser:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:ncuser:rwx
default:mask::rwx
default:other::r-x

switch to user2

[user2@localhost ~]$ touch /neet/user1/myApp/a
touch: cannot touch ‘/neet/user1/myApp/a’: Permission denied

[user2@localhost ~]$ cd /neet/user1/myApp/data
bash: cd: /neet/user1/myApp/data: Permission denied

switch to user1

[user1@localhost ~]$ find myApp -perm /111 -exec setfacl -m g:ncuser:rwX {} \;
[user1@localhost ~]$ find myApp -not -perm /111 -exec setfacl -m g:ncuser:rw {} \;
[user1@localhost ~]$ getfacl myApp/

file: myApp/

owner: user1

group: user1

user::rwx
group::rwx
group:ncuser:rwx
mask::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:ncuser:rwx
default:mask::rwx
default:other::r-x

switch to user2

[user2@localhost ~]$ touch /neet/user1/myApp/a
touch: cannot touch ‘/neet/user1/myApp/a’: Permission denied

Above were tested in my virtual RHEL 7.2 and I repeated the same scripts on physical RHEL 6.7, and turn out the same result. I checked with many sites online, they all referred to the same setfacl script. However, if I setfacl the same myApp with user2 (or user3) u:user2:rwX myApp/, the rule worked, meaning user2 could touch, cp or edit a file under myApp/

CC
Log in to join the conversation

Responses

CS Community Member 38 points
4 May 2016 2:04 PM

Can you as the user2 access each of the directories above MyApp as that may be where they are denied?

thomas.jones2@dodiis.mil's picture Guru 6435 points
4 May 2016 3:12 PM

I'm really having a hard time parsing the text you copied from your terminal session. Unless you put what you paste into a code-style block, this site's Markdown interpreter will munge its presentation. See the Formatting Help link (or Google around for MarkDown Syntax` - Daring Fireball's will probably be one of your first hits - it's pretty easy to follow).

That said, if you only set an ACL on the directory, any files with existing permissions/ACLs will not get updated by default. You would have to set both a default ACL on the directory and recursively update the ACLs on files/directories hosted under the directory you set the ACL on. If you only do the former, it will only effect permissions/ACLs on files/directories created after the setfacl operation. Doing the latter ensures that files/directories that existed prior to the setfacl operation also get updated.

CC Community Member 47 points
4 May 2016 4:08 PM

Apologize for the format of my posting. I just cut and pasted my screen shot to your post field, did not realize that there is a format require. back to your answer. If I followed your reply correctly, you are saying that any file or sub dir of pre-setfacl won't be affected. So if I have a subdir under myApp already then I setfacl group on myApp, I CAN NOT create a new file under myApp and myApp/subdir? from my trial of my posting), I tried to touch a new file to myApp, after I setfacl to group which user2 belongs to, but I got permission denied. So I created another new sundir -common under the myApp/, then setfacl -Rm g:ncuser:wrx /neet/user1/myApp/common/, setfacl -Rm d:g:ncuser:wrx /neet/user1/myApp/common/as well While I logged into user2, I still got "permission denied" as I did "touch /neet/user1/myApp/common/a"

thomas.jones2@dodiis.mil's picture Guru 6435 points
4 May 2016 4:24 PM

No worries on the formatting - it's just one of the vargaries of a MarkDown enabled posting-system (and this one's interpretation of MarkDown seems a touch "off" at any rate).

At any rate, what I'm saying is that if you have:

  • /dir1
  • /dir1/fileA
  • /dir1/dir2

The default ACL only effects newly-created files. Thus, if after your setfacl you created /dir2/fileB or /dir1/dir3, those new objects should have the default permissions applied. Whereas, if your setfacl operation is only done against /dir1, but you did not take care to also apply it to /dir1/fileA and/or /dir1/dir2, you would not have changed the permissions on those objects.

CC Community Member 47 points
4 May 2016 4:35 PM

It seems that user 2 can only act on pre-existing file or dir under the /user1/myApp and any subdir which is been applied with setfacl. So in that case, how a user2 who is member of ncuser group can CREATE a new file in the /user1/myApp or /user1/myApp/common which has been setfacl with ncuser group?

CS Community Member 38 points
4 May 2016 4:47 PM

You can try this to set the ACLs for the group. It will allow full access to files in the directory location. This will also set a file mask for any file created after. That will be affected by the umask as well.

setfacl -Rm d:g:ncuser:rwx /neet/user1/myAppS

To remove write access to regular files that are exicuable in the location run the coammds below.

find /neet/user1/myAppS -perm /111 -exec setfacl -m g:ncuser:rw {} \; find /neet/user1/myAppS -not -perm /111 -exec setfacl -m g:ncuser:rw {} \;

CS Community Member 38 points
4 May 2016 4:53 PM

Sorry one correction the command to not allow the ACL group to write to regular files is. The command in the previous post would allow them to write but not execute.

find /neet/user1/myAppS -perm /111 -exec setfacl -m g:ncuser:rx {} \;

CC Community Member 47 points
4 May 2016 9:55 PM

Sorry I did not reply promptly (meeting ). However, I tried your script and it still did not work as

$ vim ~/myApp/common/test.me
$ chmod o+w ~/myApp/common/test.me

$ setfacl -Rm d:g:ncuser:wrx /neet/user1/myApp
$ getfacl /neet/user1/myApp/
getfacl: Removing leading '/' from absolute path names
# file: neet/user1/myApp/
# owner: user1
# group: user1
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx
default:group:ncuser:rwx
default:mask::rwx
default:other::r-x

# switch to user2
[user2@localhost ~]$ touch /neet/user1/myApp/a
touch: cannot touch ‘/neet/user1/myApp/a’: Permission denied
[user2@localhost ~]$ touch /neet/user1/myApp/common/a
touch: cannot touch ‘/neet/user1/myApp/common/a’: Permission denied
[user2@localhost ~]$ less /neet/vana/myApp/common/test.me
/neet/vana/myApp/common/test.me: Permission denied

selinux is off

CS Community Member 38 points
5 May 2016 7:15 PM

I would start with removeing all the ACLs that are there now as they do not seem to be right.

setfacl -b -R /neet/user1/myApp

Add ACLs to allow access to the directory structure.

setfacl -Rm d:g:user2:rwx /neet

If you do not was the user to be able to create or edit files in the upper directories remove write access find /neet -not -perm /111 -exec setfacl -m g:user2:r {} \; find /neet -perm /111 -exec setfacl -m g:user2:rx {} \;

At this point you user should have read-only access to the directories under /neet

If you removed the write access from the upper dorectories and want to allow it in myApp you can add them back with the commands.

setfacl -Rm d:g:user2:rwx /neet/user1/myApp

To grant full access to everything under myApp for the ACL group

find /neet/user1/myApp -perm /111 -exec setfacl -m g:user2:rwx {} \;

If you want to remove write access to regular files in this location that are currently executalble. This will not remove access from any directory under myApp.

find /neet/user1/myApp -type f -perm /111 -exec setfacl -m g:user2:rx {} \;

The previous command will not remove access from any directory under myApp.

CC Community Member 47 points
5 May 2016 11:16 PM

OK, I basically followed your logical, instead to apply to /neet (one direct above user1), Here were steps I did

setfacl -Rm g:ncuser:rwx /neet/user1
find /neet/user1 -not -perm /111 -exec setfacl -m g:ncuser:r {} \; 
find /neet/user1 -perm /111 -exec setfacl -m g:ncuser:rx {} \;

[user1@localhost ~]$ getfacl /neet/user1/
getfacl: Removing leading '/' from absolute path names
# file: neet/user1/
# owner: user1
# group: user1
user::rwx
group::---
group:ncuser:r-x
mask::rwx
other::---
default:user::rwx
default:group::---
default:group:ncuser:rwx
default:mask::rwx
default:other::---

[user1@localhost ~]$ getfacl /neet/user1/myApp/
getfacl: Removing leading '/' from absolute path names
# file: neet/user1/myApp
# owner: user1
# group: user1
user::rwx
group::rwx
group:ncuser:r-x
mask::rwx
other::r-x

so now when at user2 session, user2 can cd to /neet/user1/myApp even further without denied. However, there is a problem here. Even user2 (of member ncuser group) could not create or write file to any subdir of user1, user2 CAN read /view any file content under user1. What those scripts (the first one did is to allow group 'ncuser' has access to user1 and below, but no privilege to alter any thing (files etc) under user1. How can I set an acl only limit to access to myApp of user1, i.e. users of ncuser can ONLY 'view' myApp. Other subdir of user1 is invisible. At very beginning, ncgroup even did NOT have access to user1, therefore when user1 setfacl to /neet/user1/myApp, it was fruitless.

As you mentioned that to grant user2 can WRITE/CREATE any thing only under /myApp, the find /neet/user1/myApp -type f -perm /111 -exec setfacl -m g:ncuser:rx {} \; , but still NOT be able do those for other subdir under /neet/user1

Thanks for your insight knowledge of acl. I just started to acl a weeks ago. W/ your help, I understand more how the acl function.

CC Community Member 47 points
6 May 2016 6:57 PM

As I look around possible solution to my scenario, i.e. hide other subdirectories of /neet/user1/, except /neet/use1/myApp from a specific group of users, it looks like that I have to go to SELinux to manipulate for my goal. From my trial as long as at user1 setfacl -m g:ncuser:xr /neet/user1, all other subdirectories, in addition to myApp, under user1 will also be exposed and the content of those subdirectories (files and folders) can be viewed by by member of ncuser group, which is not my intention. I will scout around the SELinux, in the meantime keep my eye on setfacl just in case. Look like SELinux is my another adventure. Thanks.

CS Community Member 38 points
12 May 2016 2:53 PM

If you want a group to be able to write to a directory the group acl on the directory must have write in it. The example you posted shows it does not. the line below "group:ncuser:r-x" show that the group ncuser only has read and execute.

[user1@localhost ~]$ getfacl /neet/user1/myApp/ getfacl: Removing leading '/' from absolute path names

file: neet/user1/myApp owner: user1 group: user1

user::rwx group::rwx group:ncuser:r-x mask::rwx other::r-x

To make it so the group has write in that directory . sudo setfacl -m d:g:ncuser:rwx /neet/user1/myApp/

If you want them to be able to write to subdirectories in the location add the -R option for recursive sudo setfacl -Rm d:g:ncuser:rwx /neet/user1/myApp/

To make it so the group can modify files in that directory and it's subdirectory use the finf commands and add the write option where you want it

To make it so the group has write access to files without an execute bit set use this command. find /neet/user1/myApp -type f -not -perm /111 -exec setfacl -m g:ncuser:rw {} \;

If you want them to be able to change files (such as scripts) with and execute bit set issue this command.
find /neet/user1/myApp -type f -perm /111 -exec setfacl -m g:ncuser:rwx {}

If you want these permissions high in the directory tree just change the path. I you do not want it extend the write permission to directories below limit the find command with the -maxdepth option.

Close

Welcome! Check out the Getting Started with Red Hat page for quick tours and guides for common tasks.