Thursday, 11 April 2019

Linux group permission && group ACL permission inheritance

Getting new files to inherit group permissions on Linux:

// Set setgid (set group ID upon execution)
# chmod g+s /QA_files/
# chmod 2755 /QA_files/

// for new items (hence the d)
# setfacl -Rdm g:600:rw /QA_files/

// for old/existing items under the folder.
# setfacl -Rm g:600:rw /QA_files/

Note: 600 is the group ID.

Note: The -R option recurses on subfolders.
Note: The -d option defaults to this rule. This means that the ACL will apply to all files and directories created in DIR after the setfacl was run.
Note: The -m option modifies the rule to u:USER:rwX that is give to the user (u:) USER the permissions rwX. The capital X means give execution permission to all folders and to files that have the execute permissions. This prevent us to make all files executable.

// Create folder/file w/o given ACL to public for logged in user:
add unmask 0027 to .bashrc
source .bashrc

Note: https://www.jujens.eu/posts/en/2017/Jul/02/docker-userns-remap/
Note: https://www.ibm.com/support/knowledgecenter/en/SSLTBW_2.3.0/com.ibm.zos.v2r3.bpxa500/sfacl.htm

sudo setfacl -Rdm g:groupnamehere:rwx /base/path/members/
sudo setfacl -Rm g:groupnamehere:rwx /base/path/members/
R is recursive, which means everything under that directory will have the rule applied to it.
d is default, which means for all future items created under that directory, have these rules apply by default. m is needed to add/modify rules.
The first command, is for new items (hence the d), the second command, is for old/existing items under the folder. Hope this helps someone out as this stuff is a bit complicated and not very intuitive.

https://serverfault.com/questions/444867/linux-setfacl-set-all-current-future-files-directories-in-parent-directory-to

File permissions regulate file access. They allow you to control who can read, write, or execute any files you may own. File permissions in UFS and in NFS are similar, and specified for each file and directory. The three basic permissions are:

read (r)
Having read permission on a file grants the right to read the contents of the file. Read permission on a directory implies the ability to list all the files in the directory.
write (w)
Write permission implies the ability to change the contents of the file (for a file) or create new files in the directory (for a directory).
execute (x)
Execute permission on files means the right to execute them, if they are programs. (Files that are not programs should not be given the execute permission.) For directories, execute permission allows you to enter the directory (i.e., cd into it), and to access any of its files.


http://web.mit.edu/sipb/doc/working/afs/html/subsection3.1.html


linux default for folde ris 755
file is 644

in user folder public is o 750, 640

No comments:

Post a comment