...
```bash
cd /home/
# Normal permissions
sudo chmod -R o-rwx ./www.dailyplanet.com/
# ACL permissions
sudo setfacl -Rm g:wgdailyplanet:rwX ./www.dailyplanet.com/
sudo setfacl -Rm g:www-data:rX ./www.dailyplanet.com/
sudo setfacl -Rm g:staff:rX ./www.dailyplanet.com/
```
Take a look at the ACLs,
```
getfacl ./www.dailyplanet.com/
# file: www.dailyplanet.com
# owner: ckent
# group: ckent
user::rwx
group::rwx
group:www-data:r-x
group:staff:r-x
group:wgdailyplanet:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:www-data:r-x
default:group:staff:r-x
default:group:wgdailyplanet:rwx
default:mask::rwx
default:other::---
```
Don't be alarmed that you see x on the groups www-data, staff and wgdailyplanet. That is normal *nix convention: the capital X passed to setfacl means that execute permission is only applied to directories (and to files that already have execute permission for some user). Files will by default not have execute permission applied.
Once we are happy with the permissions, change the default ACLs so that any files or folders created underneath the parent directories inherit the same permissions:
...
getfacl --access outputs the details of the permissions we applied to the directory. These details are then piped to setfacl, whose parameters read as follows:
-d = Change default permissions for newly created files and folders.
-M = Take the ACL entries as input from a file. Because the dash is used, standard input is read instead of a file.
-R = Apply changes recursively to folders and files.
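The result of these steps can be checked mechanically from getfacl output. The following Python sketch is an added example, not part of the original page: it parses getfacl text, computes effective rights under the mask, and reports where `other` has access or where a default entry does not mirror its access entry. The function names are hypothetical; SAMPLE is the getfacl output shown on this page.

```python
# Added example. SAMPLE is the getfacl output shown on this page; function names are hypothetical.
SAMPLE = """\
# file: www.dailyplanet.com
# owner: ckent
# group: ckent
user::rwx
group::rwx
group:www-data:r-x
group:staff:r-x
group:wgdailyplanet:rwx
mask::rwx
other::---
default:user::rwx
default:group::rwx
default:group:www-data:r-x
default:group:staff:r-x
default:group:wgdailyplanet:rwx
default:mask::rwx
default:other::---
"""

def parse_getfacl(text):
    """Return {'access': {(tag, name): perms}, 'default': {...}} for one getfacl block."""
    acl = {"access": {}, "default": {}}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop headers and '#effective:' notes
        if line:
            scope = "default" if line.startswith("default:") else "access"
            tag, name, perms = line.split(":")[-3:]
            acl[scope][(tag, name)] = perms
    return acl

def effective(entries):
    """Cap named users, the owning group and named groups by the mask entry."""
    mask = entries.get(("mask", ""), "rwx")
    return {k: p if k in (("user", ""), ("other", "")) else
            "".join(c if c in mask else "-" for c in p)
            for k, p in entries.items() if k[0] != "mask"}

def audit(acl):
    """Check the layout this page aims for: other locked out, defaults mirror access."""
    findings = [f"{scope}: other has access" for scope in ("access", "default")
                if acl[scope].get(("other", ""), "---") != "---"]
    findings += [f"default for {tag}:{name} is not {perms}"
                 for (tag, name), perms in acl["access"].items()
                 if acl["default"].get((tag, name)) != perms]
    return findings

if __name__ == "__main__":
    print(audit(parse_getfacl(SAMPLE)) or "no findings")
```

Feed it the text of `getfacl <directory>` for a single path; an empty list means the defaults match the access ACL and `other` is locked out.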
...
```bash
cd /home/
# Normal permissions
sudo chmod -R o-rwx ./www.lexcorp.com/
# ACL permissions
sudo setfacl -Rm g:wglexcorp:rwX ./www.lexcorp.com/
sudo setfacl -Rm g:www-data:rX ./www.lexcorp.com/
sudo setfacl -Rm g:staff:rX ./www.lexcorp.com/
# Apply default ACLs
getfacl --access ./www.lexcorp.com/ | sudo setfacl -d -RM - ./www.lexcorp.com/ # Not working because it grants execute access to everything.
```
References
Good introduction from the Ubuntu docs - https://help.ubuntu.com/community/FilePermissionsACLs
Slightly Skeptical view on ACLs - http://www.softpanorama.org/Articles/slightly_skeptical_view_on_unix_acl.shtml
May be a solution to the ACLs applying x to everything or not to everything. Got me to understand why execute permission was set on the groups - http://superuser.com/questions/180545/setting-differing-acls-on-directories-and-files