ADDENDUM: ACL question

From: Brewer, Edward (BREWERE@OD.NIH.GOV)
Date: Wed Jul 24 2002 - 15:22:27 EDT


Admins,

        As usual there came an answer after I figured out my original
question, that summed it all up and helped craft a better way to accomplish
what I want.

Email correspondence from Ann Majeske

"Brewer, Edward" wrote:
 
 Ann,

         Thanks, I found it also in the Tru64 5.1 manual. I was attempting
 to use ACLs to force all new files created by the owner of the directory
 to be read-only.
 Example
 drwxr-x--- bogus dba bogus

 I then set
 setacl -d -u user:bogus:r-- bogus
 setacl -d -u group:dba:rw- bogus

 then cd to bogus
 there I copied a file from /var/tmp/ called before.txt
 -rw-r--r-- root system before.txt

 it resulted with what I posted...

 thanks for your reply,
 Lee

From Ann:

One tricky thing about the default ACLs is that they are required
by the specification to contain the three base entries (i.e. the
permission bits) in addition to the entries that you set specifically.
If you don't supply these entries they default to the current
permission bits of the directory, which probably isn't what you
want files to inherit! So, if you set the default ACL as follows
it will probably do what you want:
  setacl -d -u user::r--,group::r--,other::r-- bogus
Of course, the owner of the file always has the capability of
changing the ACL (as well as the permission bits), so this will
only work if the owner doesn't decide to go change the ACL or
the permission bits on his own. Also, remember that in UNIX the
ability to delete a file is based on the write permission of the
directory containing the file, not the file itself. So if a user
has permission to create a file in a directory he also has
permission to delete any file in that directory, even if the file
is set read-only.

Ann

Summary:

I am very used to the old UNIX permission scheme, so with ACLs I miss the
forest for the trees...
I never thought of just using
setacl -d -u user::r--
I thought user::, group::, and other:: were only managed by the old scheme.

Thanks again,

Lee Brewer
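The two points in Ann's reply can be checked against a small model. The Python below is an added illustration, not code from this thread or from Tru64: it parses setacl-style entry lists and ls-style mode strings, fills in the three base entries (user::, group::, other::) from the directory's permission bits when the default ACL lacks them, and computes the base permissions a new file inherits as the intersection of the mode the creating program asks for and the inherited base entries. That intersection rule is the POSIX.1e draft behaviour and is assumed here to match Tru64; mask entries and other draft details are deliberately left out, and all function names are my own. It reproduces the difference between Lee's original default ACL and the one Ann suggested for a file copied with mode rw-r--r--, and it also shows that the ability to delete a file depends on the directory's bits, not the file's.

```python
"""Model of Tru64-style default ACL inheritance (added example, assumptions noted)."""

PERM_CHARS = "rwx"
BASE_TAGS = ("user::", "group::", "other::")


def parse_triplet(perms):
    """Turn an rwx triplet such as 'rw-' into a set of permission letters."""
    if len(perms) != 3 or any(c not in (want, "-") for c, want in zip(perms, PERM_CHARS)):
        raise ValueError(f"bad permission triplet: {perms!r}")
    return {c for c in perms if c != "-"}


def format_triplet(perm_set):
    """Inverse of parse_triplet: {'r', 'w'} -> 'rw-'."""
    return "".join(c if c in perm_set else "-" for c in PERM_CHARS)


def parse_mode(mode):
    """Split a 9-character ls -l mode ('rwxr-x---') into the three base entries."""
    if len(mode) != 9:
        raise ValueError(f"expected 9 permission characters, got {mode!r}")
    return {"user::": mode[0:3], "group::": mode[3:6], "other::": mode[6:9]}


def parse_acl(spec):
    """Parse a setacl-style entry list, e.g. 'user:bogus:r--,group::r--', into {key: triplet}."""
    entries = {}
    for item in spec.split(","):
        parts = item.split(":")
        if len(parts) != 3 or parts[0] not in ("user", "group", "other"):
            raise ValueError(f"bad ACL entry: {item!r}")
        tag, qualifier, perms = parts
        if tag == "other" and qualifier:
            raise ValueError("other entries take no qualifier")
        parse_triplet(perms)  # validate the triplet
        entries[f"{tag}:{qualifier}:"] = perms
    return entries


def effective_default_acl(dir_mode, default_spec):
    """Ann's first point: base entries missing from the default ACL are taken
    from the directory's own permission bits (assumed Tru64 behaviour)."""
    acl = parse_acl(default_spec)
    for tag, perms in parse_mode(dir_mode).items():
        acl.setdefault(tag, perms)
    return acl


def inherit_file_acl(dir_mode, default_spec, create_mode):
    """ACL a newly created file receives. Base permissions are the intersection of
    the mode the creating program asked for (create_mode) and the inherited base
    entries, the POSIX.1e draft rule; named entries are copied unchanged."""
    inherited = effective_default_acl(dir_mode, default_spec)
    requested = parse_mode(create_mode)
    result = dict(inherited)
    for tag in BASE_TAGS:
        result[tag] = format_triplet(parse_triplet(requested[tag]) & parse_triplet(inherited[tag]))
    return result


def file_mode(acl):
    """Render the base entries of an ACL as a 9-character mode string."""
    return "".join(acl[tag] for tag in BASE_TAGS)


def owner_can_unlink(dir_mode, file_mode_str):
    """Ann's second point: unlink needs write and search permission on the
    directory; the file's own permission bits play no part in the decision."""
    dir_owner = parse_triplet(parse_mode(dir_mode)["user::"])
    parse_mode(file_mode_str)  # validated, but deliberately not consulted
    return {"w", "x"} <= dir_owner


if __name__ == "__main__":
    DIR_MODE = "rwxr-x---"   # drwxr-x--- bogus dba bogus, from the thread
    COPIED = "rw-r--r--"     # mode cp asks for when copying before.txt (constructed)
    for spec in (
        "user:bogus:r--,group:dba:rw-",                                 # Lee's original default ACL
        "user::r--,group::r--,other::r--,user:bogus:r--,group:dba:rw-",  # with Ann's base entries
    ):
        acl = inherit_file_acl(DIR_MODE, spec, COPIED)
        print(f"default ACL {spec}\n    -> new file mode {file_mode(acl)}")
    print("directory owner can delete a r--r--r-- file:", owner_can_unlink(DIR_MODE, "r--r--r--"))
```

Run as a script, the first default ACL yields rw-r----- for the copied file (the owner keeps write because user:: was filled from the directory's rwx), while the second yields r--r--r--. The last line prints True: with rwx on the directory the owner can still remove the read-only file.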



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:48:47 EDT