problems with default ACLs

From: Joe Dierker (ja_dierker@hotmail.com)
Date: Mon Mar 10 2003 - 16:21:12 EST


Based on all I've read about the quick and helpful advice administered here,
I'm hopeful I too can get some help. I am running Solaris 8, and trying for
the first time to implement ACLs - in particular default ACLs on a
directory. So far, the only thing I've accomplished is to get frustrated.

I have three users, testuser, yesdelete and nodelete, all belonging to the
same group, testgroup. I want testuser to create files in his home dir as
needed. I then want yesdelete to be able to delete those files after some
processing. I do NOT want to receive any prompts or warnings when the
deletion occurs. I do NOT want the user nodelete to be able to delete these
files, even though he's in the same group.

I created the directory using the standard mkdir command. By default, the
directory gets 755 perms. I used the following command to create the default
ACL on that directory:

setfacl -m d:u::rwx,d:g::rwx,d:o:r-x,d:m:rwx,d:u:yesdelete:rwx,d:g:testgroup:r-x /testdir

a getfacl run against that directory then yields:

# file: /testdir
# owner: testuser
# group: testgroup
user::rwx
group::r-x #effective:r-x
mask:r-x
other:r-x
default:user::rwx
default:user:yesdelete:rwx
default:group::rwx
default:group:testgroup:r-x
default:mask:rwx
default:other:r-x

If testuser then creates a file in the directory (umask is 022, so default
perms would be 644), a getfacl on the file gives me:

# file: testfile
# owner: testuser
# group: testgroup
user::rw-
user:yesdelete:rwx #effective:rw-
group::rw- #effective:rw-
group:testgroup:r-x #effective:r--
mask:rw-
other:r--

Based on this output, I would expect the user yesdelete (with r/w effective
perms) to be able to delete the file, and the user nodelete (as a member
of testgroup with read-only perms) to be rejected. Yet the yesdelete
user gets a permission denied error and the file remains.

Questions:

1. What am I missing?
2. What role do umask and the default Unix perms play in the ACL
functionality?
3. Is there a really good resource that documents ACL use? The man page
for setfacl is at least incomplete. All references I have found to docs on
this mailing list are old and out of date.

Thanks in advance for your help.

Joe Dierker
_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers



This archive was generated by hypermail 2.1.7 : Wed Apr 09 2008 - 23:25:58 EDT
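The following is an added example, not part of the original post and not Solaris code. It parses the two getfacl listings quoted in the post, evaluates access in the POSIX.1e draft order that the "#effective" annotations reflect (owner entry unmasked; named user, owning group and named groups cut down by the mask; otherwise "other"), and applies the rule that unlink(2) checks write plus search permission on the directory holding the entry, not the file's own ACL. Default entries are parsed but kept apart from the access check, because they only describe what new children inherit. The group memberships, and the modelled fix of adding a named-user entry to the directory's access ACL (the equivalent of `setfacl -m u:yesdelete:rwx,m:rwx /testdir`), are assumptions; the sticky bit, which getfacl does not print, is not modelled.

```python
"""Model the ACL checks behind the post's getfacl output (added example)."""
import copy
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: the two listings quoted in the post.
DIR_ACL = """\
# file: /testdir
# owner: testuser
# group: testgroup
user::rwx
group::r-x #effective:r-x
mask:r-x
other:r-x
default:user::rwx
default:user:yesdelete:rwx
default:group::rwx
default:group:testgroup:r-x
default:mask:rwx
default:other:r-x
"""
FILE_ACL = """\
# file: testfile
# owner: testuser
# group: testgroup
user::rw-
user:yesdelete:rwx #effective:rw-
group::rw- #effective:rw-
group:testgroup:r-x #effective:r--
mask:rw-
other:r--
"""
# Assumed memberships, as described in the post (hypothetical).
GROUPS = {"testuser": {"testgroup"}, "yesdelete": {"testgroup"}, "nodelete": {"testgroup"}}


def perms(s):
    return frozenset(c for c in s if c in "rwx")


@dataclass
class Acl:
    owner: str = ""
    group: str = ""
    user_obj: frozenset = frozenset()    # user::
    group_obj: frozenset = frozenset()   # group::
    other: frozenset = frozenset()       # other:
    mask: Optional[frozenset] = None     # mask: (absent on a minimal ACL)
    users: dict = field(default_factory=dict)   # user:NAME:
    groups: dict = field(default_factory=dict)  # group:NAME:


def parse_getfacl(text):
    """Return (access_acl, default_acl); defaults never affect the dir itself."""
    access, default = Acl(), Acl()
    for raw in text.splitlines():
        line = raw.split("#effective")[0].strip()  # drop the annotation
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("# owner:"):
                access.owner = default.owner = line.split(":", 1)[1].strip()
            elif line.startswith("# group:"):
                access.group = default.group = line.split(":", 1)[1].strip()
            continue
        target = access
        if line.startswith("default:"):
            target, line = default, line[len("default:"):]
        parts = line.split(":")                  # "mask:rwx" or "user:NAME:rwx"
        tag, bits = parts[0], perms(parts[-1])
        name = parts[1] if len(parts) == 3 else ""
        if tag == "user":
            (target.users.__setitem__(name, bits) if name else setattr(target, "user_obj", bits))
        elif tag == "group":
            (target.groups.__setitem__(name, bits) if name else setattr(target, "group_obj", bits))
        elif tag == "mask":
            target.mask = bits
        elif tag == "other":
            target.other = bits
    return access, default


def may(acl, user, groups, want):
    """POSIX.1e draft order: owner, named user, matching group entries, other."""
    want = perms(want)
    mask = acl.mask if acl.mask is not None else perms("rwx")
    if user == acl.owner:
        return want <= acl.user_obj             # owner entry is never masked
    if user in acl.users:
        return want <= (acl.users[user] & mask)
    candidates = [acl.group_obj] if acl.group in groups else []
    candidates += [acl.groups[g] for g in groups if g in acl.groups]
    if candidates:                              # any one matching entry suffices
        return any(want <= (c & mask) for c in candidates)
    return want <= acl.other


def can_unlink(dir_acl, user, groups):
    """unlink(2) needs write + search on the directory; the file's ACL is not consulted."""
    return may(dir_acl, user, groups, "wx")


def with_dir_entry(acl, name, bits="rwx"):
    """Model `setfacl -m u:NAME:rwx,m:rwx DIR` on the directory's ACCESS ACL (assumed fix).
    Without raising the mask the new entry would be cut down to r-x."""
    fixed = copy.deepcopy(acl)
    fixed.users[name] = perms(bits)
    fixed.mask = perms("rwx")
    return fixed


def report():
    dir_acl, _ = parse_getfacl(DIR_ACL)
    file_acl, _ = parse_getfacl(FILE_ACL)
    fixed = with_dir_entry(dir_acl, "yesdelete")
    return {u: {"file_write": may(file_acl, u, GROUPS[u], "w"),
                "unlink": can_unlink(dir_acl, u, GROUPS[u]),
                "unlink_after_fix": can_unlink(fixed, u, GROUPS[u])}
            for u in ("testuser", "yesdelete", "nodelete")}


if __name__ == "__main__":
    for user, result in report().items():
        print(user, result)
```

The output shows why the post's observation is consistent with the listed ACLs: yesdelete may write the file (named entry rwx masked to rw-) but has only r-x on /testdir through group::, so unlink is refused; once the directory's access ACL carries a u:yesdelete:rwx entry and an rwx mask, yesdelete can delete while nodelete, still covered only by group::r-x, cannot. The default entries on the directory are what gave the file its ACL; they do not grant anything on the directory itself.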