Wednesday, July 30, 2014

setfacl and getfacl in action

I had no clue that in Linux you can grant specific access rights to an individual user on a file/folder, using setfacl:
[root@osb-vagrant opt]# umask
0022
[root@osb-vagrant opt]# cd /opt
[root@osb-vagrant opt]# mkdir pippo
[root@osb-vagrant opt]# ls -ltra
...
drwxr-xr-x   2 root root 4096 Jul 30 11:36 pippo
...
[root@osb-vagrant opt]# getfacl /opt/pippo
# file: pippo
# owner: root
# group: root
user::rwx
group::r-x
other::r-x


Since I have umask 0022, a directory I create is by default writable only by its owner and read-only for the group and for everyone else. For instance, user "soa" can't create a file in /opt/pippo:

[soa@osb-vagrant pippo]$ cd /opt/pippo
[soa@osb-vagrant pippo]$ touch ciao.txt
touch: cannot touch `ciao.txt': Permission denied


But this can be changed!

[root@osb-vagrant opt]# setfacl -m u:soa:rwx /opt/pippo
[root@osb-vagrant opt]# getfacl /opt/pippo
getfacl: Removing leading '/' from absolute path names
# file: opt/pippo
# owner: root
# group: root
user::rwx
user:soa:rwx
group::r-x
mask::rwx
other::r-x


Notice the new entry "user:soa:rwx", and the "mask::rwx" line that getfacl now shows: the mask caps the rights that named users and the group can actually exercise.

At this point, user "soa" can create a file in /opt/pippo! But no other user can...
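To make the mask:: line concrete, here is an added example (not from the original post): a POSIX sh function that parses getfacl output and returns the effective rights of one entry, i.e. the entry's own bits ANDed with the mask. The ACL text is constructed to mirror the second listing above, with mask::r-x instead of rwx so the capping is visible.

```shell
#!/bin/sh
# Constructed getfacl output, same shape as the post's listing but with a
# tighter mask (r-x) to show how it limits the named user "soa".
ACL_SAMPLE='# file: opt/pippo
# owner: root
# group: root
user::rwx
user:soa:rwx
group::r-x
mask::r-x
other::r-x'

# effective_perms <getfacl text> <entry tag>
# Tag is the first two colon-separated fields, e.g. "user:soa", "group:",
# "user:" (the owner) or "other:". Prints the effective permission triple.
# The mask applies to named users and to the group, but not to the owner
# (user::) or to other::, which is how the kernel evaluates POSIX ACLs.
effective_perms() {
  acl=$1; tag=$2
  own=$(printf '%s\n' "$acl" | awk -F: -v t="$tag" '($1":"$2)==t {print $3}')
  mask=$(printf '%s\n' "$acl" | awk -F: '$1=="mask" {print $3}')
  [ -n "$own" ] || { echo "---"; return 1; }      # no such entry
  case $tag in
    user:|other:) printf '%s\n' "$own"; return 0 ;;  # never masked
  esac
  [ -n "$mask" ] || { printf '%s\n' "$own"; return 0; }  # no mask line at all
  out=""
  for i in 1 2 3; do
    o=$(printf '%s' "$own" | cut -c"$i")
    m=$(printf '%s' "$mask" | cut -c"$i")
    # a bit is effective only if both the entry and the mask grant it
    if [ "$o" != "-" ] && [ "$m" != "-" ]; then out="$out$o"; else out="$out-"; fi
  done
  printf '%s\n' "$out"
}

# Demo: soa is granted rwx but the mask reduces it to r-x.
printf 'user:soa effective: %s\n' "$(effective_perms "$ACL_SAMPLE" user:soa)"
```

Running `setfacl -m u:soa:rwx` as in the post raises the mask to rwx automatically, which is why the listing above shows "mask::rwx"; a later chmod on the group bits rewrites the mask and can silently shrink soa's effective rights.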

See also http://www.computerhope.com/unix/usetfacl.htm for more advanced examples.

In Puppet, the same command can be run as an exec; here -d sets a default ACL that new files and directories under /zdata/ inherit, and -R applies it to the existing tree:

exec { '/usr/bin/setfacl -R -dm u::rwx,g::rwx,o::rwx /zdata/':
  require => Mount["${inbound_messages_path}"],
}
