[root@osb-vagrant opt]# umask 0022
[root@osb-vagrant opt]# cd /opt
[root@osb-vagrant opt]# mkdir pippo
[root@osb-vagrant opt]# ls -ltra
...
drwxr-xr-x 2 root root 4096 Jul 30 11:36 pippo
...
[root@osb-vagrant opt]# getfacl /opt/pippo
# file: pippo
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
Since I have umask 0022, the write bit is stripped from group and others, so a directory I create gets mode 755 (drwxr-xr-x): every user can list and traverse it, but only root can create files in it. getfacl shows exactly the same thing as a minimal ACL (just the user::, group:: and other:: entries; there is no mask entry yet because there are no named entries). For instance, user "soa" can't create a file in /opt/pippo:
[soa@osb-vagrant pippo]$ cd /opt/pippo
[soa@osb-vagrant pippo]$ touch ciao.txt
touch: cannot touch `ciao.txt': Permission denied
But this can be changed!
[root@osb-vagrant opt]# setfacl -m u:soa:rwx /opt/pippo
[root@osb-vagrant opt]# getfacl /opt/pippo
getfacl: Removing leading '/' from absolute path names
# file: opt/pippo
# owner: root
# group: root
user::rwx
user:soa:rwx
group::r-x
mask::rwx
other::r-x
Notice the new entry "user:soa:rwx", and that a "mask::rwx" entry appeared together with it. setfacl computes the mask automatically the first time a named entry is added, and the mask caps the effective rights of every named user, named group and the owning group (it never limits the owner or "other"). Two practical consequences: ls -l now shows a "+" after the mode, and the group column of ls -l displays the mask rather than group::, so a later chmod g-w on the directory lowers the mask and silently takes write access away from soa as well (getfacl marks such reduced entries with an "#effective:" comment).
At this point user "soa" can create a file in /opt/pippo, but no other user can: everyone else still has only the r-x granted by other::.
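The mask rule above is easy to misread when auditing ACLs by hand. The following is an added example (my own code for this post, not part of the original session or of the acl package): it parses getfacl output, applies the mask to the entries it governs, and lists who besides the owner ends up with write access. The first block of input is the output shown above; the second directory "opt/pippo2", with its mask tightened to r-x, is constructed input to show the capping effect.

```python
"""Parse getfacl(1) output and report effective permissions.

Added example, not from the original post. The POSIX ACL mask caps the
rights of named users, named groups and the owning group (group::), but
never those of the owner (user::) or of other::.
"""
import re

# Constructed sample: the getfacl output from the page after
# `setfacl -m u:soa:rwx /opt/pippo`, followed by a second directory
# (constructed) whose mask was later lowered with `setfacl -m m::r-x`.
SAMPLE = """\
# file: opt/pippo
# owner: root
# group: root
user::rwx
user:soa:rwx
group::r-x
mask::rwx
other::r-x

# file: opt/pippo2
# owner: root
# group: root
user::rwx
user:soa:rwx
group::r-x
mask::r-x
other::r-x
"""

ENTRY_RE = re.compile(r"^(user|group|mask|other):([^:]*):([rwx-]{3})")


def perm_bits(s):
    """'rwx' -> 7, 'r-x' -> 5, ..."""
    return (4 if s[0] == "r" else 0) | (2 if s[1] == "w" else 0) | (1 if s[2] == "x" else 0)


def perm_str(bits):
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")


def parse_getfacl(text):
    """Return one dict per '# file:' block: {'file': str, 'entries': [(tag, qualifier, bits)]}."""
    acls, cur = [], None
    for line in text.splitlines():
        if line.startswith("# file:"):
            cur = {"file": line.split(":", 1)[1].strip(), "entries": []}
            acls.append(cur)
        elif line.startswith("#") or not line.strip():
            continue  # owner/group/flags comments and blank separators
        else:
            m = ENTRY_RE.match(line)
            if not m or cur is None:
                raise ValueError(f"unexpected getfacl line: {line!r}")
            tag, qual, perms = m.groups()
            cur["entries"].append((tag, qual, perm_bits(perms)))
    return acls


def effective(acl):
    """Map (tag, qualifier) -> effective bits after applying the mask entry, if any."""
    mask = next((bits for tag, _, bits in acl["entries"] if tag == "mask"), None)
    out = {}
    for tag, qual, bits in acl["entries"]:
        if tag == "mask":
            continue
        # mask applies to group::, named groups and named users; not to user:: or other::
        capped = mask is not None and (tag == "group" or (tag == "user" and qual != ""))
        out[(tag, qual)] = bits & mask if capped else bits
    return out


def who_can_write(acl):
    """Principals other than the owner whose effective rights include write."""
    return sorted(
        f"{tag}:{qual}"
        for (tag, qual), bits in effective(acl).items()
        if bits & 2 and not (tag == "user" and qual == "")
    )


if __name__ == "__main__":
    for acl in parse_getfacl(SAMPLE):
        print(acl["file"])
        for (tag, qual), bits in effective(acl).items():
            print(f"  {tag}:{qual}:{perm_str(bits)}")
        print("  writers besides owner:", who_can_write(acl) or "none")
```

Run it against `getfacl -R /opt` output to get the same report for a whole tree; on opt/pippo2 the user:soa entry still reads rwx in the raw output but collapses to r-x once the mask is applied, which is exactly the case getfacl annotates with "#effective:".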
See also http://www.computerhope.com/unix/usetfacl.htm for more advanced examples.
In Puppet (note that setfacl -d sets a *default* ACL: it is inherited by files and subdirectories created under /zdata/ later, and for those the creator's umask is no longer applied, so with o::rwx in the default ACL every file touched there comes out world-writable; an exec with no unless/onlyif/refreshonly also re-runs on every agent run):

  # Recursively install a default ACL of rwx for owner, group and other on
  # every directory below /zdata/, once the inbound volume is mounted.
  exec { '/usr/bin/setfacl -R -dm u::rwx,g::rwx,o::rwx /zdata/':
    require => Mount[$inbound_messages_path],
  }
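To make the effect of that default ACL concrete, here is an added example (my own code, not part of the original post or of Puppet/acl) that models the object-creation rules from acl(5): a new object's access ACL is a copy of the parent's default ACL, then user:: is ANDed with the owner bits of the creation mode, mask:: (or group:: when there is no mask) with the group bits, and other:: with the other bits; the umask is only consulted when the directory has no default ACL. ZDATA_DEFAULT is the ACL from the Puppet exec above; SAFER_DEFAULT and the extra ACL in the test are constructed alternatives.

```python
"""Model of how a default ACL shapes newly created files (acl(5) rules).

Added example, not from the original post. Creation modes are the ones
the usual tools request: touch/open(2) asks for 0o666, mkdir for 0o777.
"""

# Default ACL installed by the Puppet exec on the page: u::rwx,g::rwx,o::rwx
ZDATA_DEFAULT = {"user::": 7, "group::": 7, "other::": 7}
# Constructed, tighter alternative that keeps "other" read-only.
SAFER_DEFAULT = {"user::": 7, "group::": 7, "other::": 5}


def perm_str(bits):
    return ("r" if bits & 4 else "-") + ("w" if bits & 2 else "-") + ("x" if bits & 1 else "-")


def inherit_acl(default_acl, create_mode):
    """Access ACL of a new object created with `create_mode` under a
    directory whose default ACL is `default_acl` (dict keyed like
    'user::', 'user:soa:', 'group::', 'mask::', 'other::')."""
    acl = dict(default_acl)
    u_bits, g_bits, o_bits = (create_mode >> 6) & 7, (create_mode >> 3) & 7, create_mode & 7
    acl["user::"] &= u_bits
    if "mask::" in acl:
        acl["mask::"] &= g_bits  # with a mask present, the mode's group bits govern the mask
    else:
        acl["group::"] &= g_bits
    acl["other::"] &= o_bits
    return acl


def mode_without_default_acl(create_mode, umask):
    """Plain POSIX behaviour when the parent has no default ACL."""
    return create_mode & ~umask & 0o777


def effective_mode(acl):
    """Octal mode equivalent of an access ACL, as ls -l displays it
    (the group column shows the mask when one exists)."""
    group_col = acl["mask::"] if "mask::" in acl else acl["group::"]
    return (acl["user::"] << 6) | (group_col << 3) | acl["other::"]


def world_writable(acl):
    return bool(acl["other::"] & 2)


if __name__ == "__main__":
    umask = 0o022
    for label, mode in (("touch newfile", 0o666), ("mkdir newdir", 0o777)):
        plain = mode_without_default_acl(mode, umask)
        zdata = effective_mode(inherit_acl(ZDATA_DEFAULT, mode))
        safer = effective_mode(inherit_acl(SAFER_DEFAULT, mode))
        print(f"{label:14} umask only: {plain:04o}   zdata default: {zdata:04o}   safer default: {safer:04o}")
```

With umask 0022 a plain touch gives 0644, but under the /zdata/ default ACL the same touch yields 0666: the umask never enters the calculation, so the o::rwx in the Puppet line is what makes every new file world-writable, not the users' umask settings.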