Random Linux+ Question March 7

Discussion in 'Linux+' started by tripwire45, Mar 7, 2006.

  1. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    13,493
    180
    287
    You want to set up a default Access Control List (ACL) for the /home/shared directory so that groups have all permissions including write permissions. This will allow members of the designated group access to files created in this directory. Which of the following commands is the most likely one?

    umask -d -m mask:007 /home/shared/
    setfacl -d -m mask:007 /home/shared/
    umask -d -m mask:770 /home/shared/
    setfacl -d -m mask:770 /home/shared/

    You would also have to specify the group for this directory and set the sgid-bit but those are separate commands.
     
    Certifications: A+ and Network+
  2. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,624
    117
    224
    Hm - I'm skipping this one! Until now I'd not heard of setfacl! Nothing I have access to has it - so it must be specific to some distros.

    More reading required.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  3. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    13,493
    180
    287
    Doesn't seem to be distro specific from what I can see. Keep looking.
     
    Certifications: A+ and Network+
  4. simongrahamuk
    Honorary Member

    simongrahamuk Hmmmmmmm?

    6,205
    136
    199
    umask -d -m mask:770 /home/shared/

    A guess, as I'm not too sure on how the octal values work, or even if it's the right command!
     
  5. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,624
    117
    224
    Ok - after some reading I'll throw a dart at random and say setfacl -d -m mask:770 /home/shared/

    When I said earlier that I didn't have any boxes with this I was wrong! An antique Solaris box I admin has it. However - just to confuse things further the setfacl command has a different switchset from the Linux version!

    I see also that the POSIX draft standard that lies behind this has been withdrawn, which must have confused people!

    A great resource to explain things that I found is here. Without reading that I would have been completely lost!

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  6. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    13,493
    180
    287
    The correct answer is:
    Code:
    setfacl -d -m mask:007 /home/shared/
    The setfacl command is used specifically to create ACLs; however, you also have to know how a umask works. Umask defines the default permissions that are used when a user creates a file or directory. The default umask is 0022. The first zero ( 0 ) defines any special permissions and the next three values define the rwx permissions. If you see a ( 0 ) there is nothing "masking" the permissions. Any value you see masks a particular permission. You can think of umask the same way you think about a wildcard mask in IOS (Cisco).

    In this case, the 007 value allows users and the group that owns the shared directory to modify the contents but does not allow the "others" group any access (ugo).
     
    Certifications: A+ and Network+
  7. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,624
    117
    224
    I know that I've only just looked this command up, but what you write doesn't seem to accord with the docs I've seen.. :eek:

    Your description of umask is spot on - I think of the umask bit-pattern as being 'inverted'.

    However, nothing I have read about setfacl suggests that the values there are inverted.

    Can you give a reference for the answer you gave please?

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  8. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    13,493
    180
    287
    Certifications: A+ and Network+
  9. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,624
    117
    224
    Thanks for that reference.

    I feel as if I'm sticking my neck out here, as I have only just encountered the setfacl command, but here goes.

    First - I see why my answer originally is wrong, and the given answer is right.

    However the line you wrote:
    does not appear in that article and confused me.

    As far as I can tell from my reading the mask only deals with 'named users' and groups. The 'owner' and 'others' are ignored. The mask is only 3 bits wide - so in the man page we see the example
    .

    Thus it is the value '7' that is setting the permissions for named users and groups, so isn't inverted like umask.

    I'd be grateful for your comments here in case I've got muddled again! :biggrin

    edit: I've just noticed a comment further down that page:
    . I think this is confusing, because I've seen no evidence that setfacl uses the inverted mask.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  10. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    13,493
    180
    287
    I think you are probably more right than I am here, Harry. This is probably a case of me biting off more than I can chew, since I am still in the process of learning this myself. I've made mistakes in QOTW entries before but hopefully they all result in everyone learning something...including me. Thanks for your comments and the effort you've put into this. I'll have to review everything and see exactly how I stubbed my toe here. :oops:
     
    Certifications: A+ and Network+
  11. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,624
    117
    224
    No probs. We are all here to learn - this is the primary purpose of this site which is why I feel at home here!

    And I've made my share of mistakes!

    I'm sure with a bit of head-scratching we can get to the truth of the matter.

    Perhaps it is time I got another trash machine and installed a distro on it to experiment with! I do intend to download the package source and see if there are obvious things there.

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  12. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,878
    181
    256
    Always keeping an eye on the Linux discussions. I didn't have time to delve into this question but it just goes to show that asking good quality questions is not an easy thing to do. I don't mean that in a nasty way James. It's just that in order to ask the perfect question you need to really be rock solid with your understanding of the concepts. Something which is hard to attain, as I too am often left with an air of uncertainty no matter how much I study a given topic.

    Keep em coming Trip 8)
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  13. tripwire45
    Honorary Member

    tripwire45 Zettabyte Poster

    13,493
    180
    287
    I've done a bit more reading and found my mistake in terms of the umask values. Linux file permissions are organized around three groups: users (u), groups (g) and others (o). Each of these groups can have three different permission types: read (r), write (w), and execute (x). r, w, and x have numerical values assigned to them. r=4, w=2, and x=1.

    So for example, if I wanted to set the permissions on file1 so that users had rwx, groups had rw, and others had r, I'd use the command chmod 764 file1. When files are created on a Linux system, unless you change them, they are set with a default set of permissions. Typically files have permissions of -rw-rw-rw- and directories have rwxrwxrwx.

    Umask "masks" off values and you can use the umask command to change the default permissions of files and directories when they're created. For example, umask 0022 will not have an impact on the default values of the user permissions but will mask off write permissions (w = 2) for groups and others (the very first value in the umask applies to special file permissions which I won't cover here). If I were to change the umask to 0027 and create a file, the file will be created with these permissions: rwxrw----. The "7" (r=4, w=2, x=1...4+2+1=7) masks off r, w, and x permissions for "others".

    As Harry pointed out...values are not inverted in umask...I just had a few misfiring synapses. Pardon me for the lapse. :oops:
     
    Certifications: A+ and Network+
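
Added example, not part of any post in this thread: a small Python model of the two mechanisms discussed above, the subtractive umask (post 13) and the POSIX ACL mask that caps named users, named groups and the owning group but not the owner or others (post 9). The ACL entries and the names alice and staff are constructed for illustration; the mask is treated as a single 3-bit rwx value.

```python
# Added example: umask clears bits; a POSIX ACL mask caps them.
# Sample modes and ACL entries below are constructed for illustration.

def to_rwx(bits):
    """Render a 3-bit permission value (0-7) as an rwx string."""
    return "".join(ch if bits & v else "-" for ch, v in (("r", 4), ("w", 2), ("x", 1)))

def mode_str(mode):
    """Render a 9-bit mode such as 0o640 as 'rw-r-----'."""
    return "".join(to_rwx((mode >> shift) & 7) for shift in (6, 3, 0))

def apply_umask(requested, umask):
    """umask is subtractive: every bit set in it is cleared from the requested mode."""
    return requested & ~umask & 0o777

# Entry classes limited by the ACL mask; the owner (user::) and other:: entries are not.
MASKED = {"named_user", "group_obj", "named_group"}

def effective(acl, mask):
    """Return {entry: effective rwx} for an ACL given as (class, name, perms) tuples."""
    out = {}
    for cls, name, perms in acl:
        eff = perms & mask if cls in MASKED else perms
        out[f"{cls}:{name}"] = to_rwx(eff)
    return out

FILE_DEFAULT, DIR_DEFAULT = 0o666, 0o777   # modes programs normally request

# Constructed ACL for a shared directory; 'alice' and 'staff' are hypothetical names.
SAMPLE_ACL = [
    ("user_obj", "", 7),
    ("named_user", "alice", 7),
    ("group_obj", "", 7),
    ("named_group", "staff", 6),
    ("other", "", 0),
]

if __name__ == "__main__":
    for um in (0o022, 0o027, 0o007):
        print(f"umask {um:04o}: file {mode_str(apply_umask(FILE_DEFAULT, um))}"
              f"  dir {mode_str(apply_umask(DIR_DEFAULT, um))}")
    for m in (7, 5, 0):
        print(f"ACL mask {to_rwx(m)}:", effective(SAMPLE_ACL, m))
```

On a live system, getfacl reports the same capping as an "#effective:" annotation next to any entry the mask reduces.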
  14. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,624
    117
    224
    <grin> No probs. It took me a *very* long time to get some of those points straight - and even now when it is important I look them up to check!

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
  15. Bluerinse
    Honorary Member

    Bluerinse Exabyte Poster

    8,878
    181
    256
    Phew - I am so glad to hear that Harry. I thought I must be losing it after reading Trip's last post :blink
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  16. hbroomhall

    hbroomhall Petabyte Poster Gold Member

    6,624
    117
    224
    One of my maxims: Never, ever, be afraid to look something up to double check! :biggrin

    Harry.
     
    Certifications: ECDL A+ Network+ i-Net+
    WIP: Server+
