1st April 2009
da1
Fdisk Soldier
 
Join Date: Feb 2009
Location: Berlin, DE
Posts: 49
UPDATE #1

All this works from an ssh session logged in as root. If I create a file through FTP with the ftpadmin user, newly created files and/or folders still belong to ftpadmin:wheel, but because the ACL inherits the above permissions it is accessible (rwx) by the smbadmin user.

After googling for 2 minutes I came across an article that explained the situation (http://www.onlamp.com/pub/a/bsd/2003...ebsd_acls.html).

So basically: "Default ACLs don't work quite like regular ACLs do. You cannot set specific entries on a default ACL until you add the generic user::, group::, and other:: entries."

Thus:
Code:
setfacl -d -m u::rwx,g::rwx,o::---,m::rwx,u:smbadmin:rwx,u:ftpadmin:rwx,m::rwx mnt
This also "inherits" the parent ACL (-d = "The operations apply to the default ACL entries instead of access ACL entries" <- quoted from the manual). This I didn't know. I had no idea that there were in fact 2 ACL entries, a default ACL entry and an access ACL entry.
This unfortunately has a drawback (either that or I didn't do something correctly). The drawback is that "getfacl [folder]" doesn't provide an output similar to Solaris. This is what I mean... On Solaris one would have (notice the default entries):
Code:
# file: muzica
# owner: root
# group: wheel
user::rwx
user:smbadmin:rwx
user:ftpadmin:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:user:root:rwx
default:group::rwx
default:group:wheel:rwx
default:other:---
but on FreeBSD (getfacl [file]) I have
Code:
# file: muzica
# owner: root
# group: wheel
user::rwx
user:smbadmin:rwx
user:ftpadmin:rwx
group::---
mask::rwx
other::---
There is no mistake here. On FreeBSD, in order to see the default ACL entry one must use "getfacl -d [folder]" instead of simply "getfacl [folder]".

Thus "mkdir test" in the /mnt folder gives
Code:
drwxr-x---+  2 root  wheel   512 Apr  1 19:40 test
with that nice looking "+" symbolizing the "inherit" of the ACL. Now let's get the ACL of that dir to see if it did inherit:

Code:
[da1@da1.ro /mnt]# getfacl test
# file: test
# owner: root
# group: wheel
user::rwx
user:smbadmin:rwx
user:ftpadmin:rwx
group::rwx
mask::rwx
other::---
So yes, it did inherit it.

Now, I only set these options for the /mnt folder; if I cd into it, and then into another folder (say /mnt/test), and want to create another folder (say /mnt/test/test2), this folder will NOT inherit /mnt's ACL. I need to recursively setfacl all of /mnt's subdirectories. Remember that long command I did? Gotta use it again, and this time the total command will be a blast. Here's what to do to apply something recursively:

Now, before the fun, I remember the manual saying something about the "-d" option, and that was that "Currently only directories may have default ACL's". With that in mind, I set out to setfacl recursively only for directories, like so:

Code:
find /mnt -type d -exec setfacl -d -m u::rwx,g::rwx,o::---,m::rwx,u:smbadmin:rwx,u:ftpadmin:rwx,m::rwx {} \;
Use the WHOLE command (especially the \; (backslash and semicolon)). This particular command will load your hdd until it is finished, but don't panic, it's normal.
All done, let's see.

cd into /mnt/programe (programe means programs) and create a folder:
Code:
[da1@da1.ro /mnt]# cd programe
[da1@da1.ro /mnt/programe]# mkdir test5
[da1@da1.ro /mnt/programe]# ls -all | grep test5
drwxr-x---+  2 root  wheel        512 Apr  1 19:54 test5
[da1@da1.ro /mnt/programe]#
Success!

Now let's see the files part. According to the manual I cannot set a default ACL for files.
Code:
[da1@da1.ro /mnt]# :> filetest
[da1@da1.ro /mnt]# ls -all | grep filetest
-rw-r-----+  1 root  wheel     0 Apr  1 19:56 filetest
[da1@da1.ro /mnt]# getfacl filetest
# file: filetest
# owner: root
# group: wheel
user::rw-
user:smbadmin:rwx
user:ftpadmin:rwx
group::rwx
mask::rwx
other::---
[da1@da1.ro /mnt]#
The same happens wherever I cd into /mnt. Wherever I create files and/or folders they inherit the parent's ACL. However, on already created files I cannot set a default ACL, only an access ACL. So if one would want to add a user to all files in a folder (so that that user would have some permission) they would need
Code:
find /mnt -type f -exec setfacl -m u:usr:---,g:grp:---,m::--- {} \;
You get the picture.

Last edited by da1; 2nd April 2009 at 03:28 PM.
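An added helper script that is not part of the original post and not from FreeBSD's own tools: it puts the two lessons above into code. default_acl_spec builds the argument string for "setfacl -d -m" so the generic u::, g:: and o:: entries always come before any named entry (the rule the quoted article states), and computes the mask as the union of the group and named entries so it does not silently clip them. check_default_acl reads a captured default-ACL dump and reports whether the three generic entries are present; it accepts both the FreeBSD "getfacl -d" form shown above and the Solaris "default:"-prefixed form, which the post does not cover in one tool. The function names and the rwx-triple argument convention are my own; the user names smbadmin and ftpadmin are taken from the post. Nothing here calls setfacl or getfacl, so it runs anywhere.

```sh
#!/bin/sh
# Added example (not from the original post): helpers for POSIX.1e default
# ACLs. Builds a setfacl -d -m argument and inspects a getfacl -d dump.

# perm_union TRIPLE...  -> prints the union of rwx triples such as rwx r-x ---
# Used for the mask so that named entries are not clipped by it.
perm_union() {
    r=- w=- x=-
    for p in "$@"; do
        case $p in *r*) r=r ;; esac
        case $p in *w*) w=w ;; esac
        case $p in *x*) x=x ;; esac
    done
    printf '%s%s%s\n' "$r" "$w" "$x"
}

# default_acl_spec OWNER GROUP OTHER [NAMED_ENTRY ...]
# OWNER/GROUP/OTHER are rwx triples for the generic u::, g:: and o:: entries,
# which must be present before named entries are accepted on a default ACL.
# NAMED_ENTRY is u:name:perms or g:name:perms (hypothetical convention).
# Prints a string usable as:  setfacl -d -m "$(default_acl_spec ...)" DIR
default_acl_spec() {
    owner=$1 group=$2 other=$3
    shift 3
    spec="u::$owner,g::$group,o::$other"
    mask_inputs=$group
    for e in "$@"; do
        case $e in
            u:?*:???|g:?*:???) ;;
            *) printf 'bad named entry: %s\n' "$e" >&2; return 1 ;;
        esac
        spec="$spec,$e"
        mask_inputs="$mask_inputs ${e##*:}"
    done
    # word splitting of mask_inputs is intended: one triple per word
    printf '%s,m::%s\n' "$spec" "$(perm_union $mask_inputs)"
}

# check_default_acl < DUMP
# Reads a default-ACL dump on stdin. Accepts FreeBSD `getfacl -d` output
# (plain entries) and Solaris-style output (entries prefixed "default:",
# where the other entry is written "other:---"). Returns 0 when user::,
# group:: and other: are all present, otherwise lists the missing tags on
# stderr and returns 1.
check_default_acl() {
    have_u=0 have_g=0 have_o=0
    while IFS= read -r line; do
        line=${line#default:}
        case $line in
            '#'*|'') continue ;;
            user::*)  have_u=1 ;;
            group::*) have_g=1 ;;
            other:*)  have_o=1 ;;
        esac
    done
    missing=
    [ "$have_u" -eq 1 ] || missing="$missing user::"
    [ "$have_g" -eq 1 ] || missing="$missing group::"
    [ "$have_o" -eq 1 ] || missing="$missing other::"
    if [ -n "$missing" ]; then
        printf 'default ACL missing generic entries:%s\n' "$missing" >&2
        return 1
    fi
    return 0
}

# Demo with the two users from the post: the argument for setfacl -d -m.
default_acl_spec rwx rwx --- u:smbadmin:rwx u:ftpadmin:rwx
```

To use it on a real directory you would run setfacl -d -m "$(default_acl_spec rwx rwx --- u:smbadmin:rwx u:ftpadmin:rwx)" /mnt, and "getfacl -d /mnt | check_default_acl" tells you whether the generic entries made it in before you start debugging why a named entry was refused.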