group still getting "Permission denied" after ACL added to directory with setfacl
    I had a problem using setfacl to give a group access to a directory/subdirectory of another user on RHEL 7.2 (and 6.7 as well). The following are my screenshots after each change.
    First I used "setfacl -b myApp/" to remove all previous settings and start over.
    [user1@localhost ~]$ tail -10 /etc/group
    ....
    user1:x:1002:user1
    user2:x:1003:user2
    user3:x:1004:user3
    ncuser:x:1005:user3,user2

    [user1@localhost ~]$ setfacl -Rm g:ncuser:wrX myApp/
    [user1@localhost ~]$ getfacl myApp/

    # file: myApp/
    # owner: user1
    # group: user1

    user::rwx
    group::rwx
    group:ncuser:rwx
    mask::rwx
    other::r-x

    switch to user2

    [user2@localhost ~]$ touch /neet/user1/myApp/a
    touch: cannot touch ‘/neet/user1/myApp/a’: Permission denied

    switch back user1

    [user1@localhost ~]$ setfacl -Rm d:g:ncuser:wrX myApp/
    [user1@localhost ~]$ getfacl myApp/

    # file: myApp/
    # owner: user1
    # group: user1

    user::rwx
    group::rwx
    group:ncuser:rwx
    mask::rwx
    other::r-x
    default:user::rwx
    default:group::rwx
    default:group:ncuser:rwx
    default:mask::rwx
    default:other::r-x

    switch to user2

    [user2@localhost ~]$ touch /neet/user1/myApp/a
    touch: cannot touch ‘/neet/user1/myApp/a’: Permission denied

    [user2@localhost ~]$ cd /neet/user1/myApp/data
    bash: cd: /neet/user1/myApp/data: Permission denied

    switch to user1

    [user1@localhost ~]$ find myApp -perm /111 -exec setfacl -m g:ncuser:rwX {} \;
    [user1@localhost ~]$ find myApp -not -perm /111 -exec setfacl -m g:ncuser:rw {} \;
    [user1@localhost ~]$ getfacl myApp/

    # file: myApp/
    # owner: user1
    # group: user1

    user::rwx
    group::rwx
    group:ncuser:rwx
    mask::rwx
    other::r-x
    default:user::rwx
    default:group::rwx
    default:group:ncuser:rwx
    default:mask::rwx
    default:other::r-x

    switch to user2

    [user2@localhost ~]$ touch /neet/user1/myApp/a
    touch: cannot touch ‘/neet/user1/myApp/a’: Permission denied

    The above was tested in my virtual RHEL 7.2, and I repeated the same scripts on a physical RHEL 6.7, which turned out the same. I checked many sites online; they all referred to the same setfacl script. However, if I setfacl the same myApp for user2 (or user3), "u:user2:rwX myApp/", the rule worked, meaning user2 could touch, cp or edit a file under myApp/.
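    A check worth running before retrying the ACL itself: an ACL on myApp/ only takes effect if every directory above it (here /neet and /neet/user1) can be traversed by the group, and RHEL creates home directories with mode 0700. The script below is an added example, not code from the post; it walks each path component and flags those that block traversal, and it assumes a Linux host with GNU coreutils (stat -c). The tree it inspects is a constructed copy of the /neet/user1/myApp layout in a temp directory.

```shell
# Added example, not code from the original post. Walks every directory on the
# way to PATH and flags components that no non-owner can traverse (no 'x' for
# group or other): a correct ACL on the final directory still gives "Permission
# denied" when an ancestor such as /neet/user1 blocks traversal (RHEL creates
# home directories with mode 0700). Assumes Linux with GNU coreutils (stat -c).
# check_traverse PATH [BASE]: print "<octal mode> <dir> <ok|NO-TRAVERSE>" for
# each directory from BASE (default /) down to PATH's directory; the return
# value is the number of components that block traversal.
check_traverse() {
    local target="$1" base="${2:-/}" dir="$1" cur count=0 mode group other d
    [ -d "$target" ] || dir=$(dirname "$target")
    dir=$(cd "$dir" 2>/dev/null && pwd -P) || { echo "cannot resolve: $1" >&2; return 99; }
    local components=()
    cur="$dir"
    while [ "$cur" != "/" ]; do
        components=("$cur" "${components[@]}")
        cur=$(dirname "$cur")
    done
    for d in "${components[@]}"; do
        case "$d" in "$base"|"$base"/*) ;; *) continue ;; esac
        mode=$((10#$(stat -c '%a' "$d")))   # force decimal digit handling
        # With a POSIX ACL present the group digit reflects the ACL mask, so
        # it already covers named-group entries such as group:ncuser:rwx.
        other=$(( mode % 10 ))
        group=$(( (mode / 10) % 10 ))
        if [ $(( other & 1 )) -eq 0 ] && [ $(( group & 1 )) -eq 0 ]; then
            printf '%s %s NO-TRAVERSE\n' "$mode" "$d"
            count=$((count + 1))
        else
            printf '%s %s ok\n' "$mode" "$d"
        fi
    done
    return "$count"
}
# demo: rebuild the /neet/user1/myApp layout under a temp dir (constructed
# sample) with the home directory at 0700 and run the check over it.
demo() {
    local root rc
    root=$(mktemp -d)
    mkdir -p "$root/neet/user1/myApp"
    chmod 755 "$root" "$root/neet" "$root/neet/user1/myApp"
    chmod 700 "$root/neet/user1"   # default home-directory mode on RHEL
    check_traverse "$root/neet/user1/myApp" "$root"
    rc=$?
    rm -rf "$root"
    return "$rc"
}

demo || echo "ancestors blocking traversal: $?"
```

    On a real host, run check_traverse against the actual path (for example /neet/user1/myApp) and then re-check `id` as the affected user, since a group added to /etc/group only shows up in sessions started after the change.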
