...
| User Name | Assigned User | Group | Web Root Directory | File Access | Directory Access |
|---|---|---|---|---|---|
| dailyplanet01 | Clark Kent | wgdailyplanet | /opt/web/php/dailyplanet.com/ | Read, Write and Execute | Read, Write and Execute |
| lexcorp01 | Lex Luthor | wglexcorp | /opt/web/php/lexcorp.com/ | Read, Write and Execute | Read, Write and Execute |
| Apache Server | www-data | /opt/web/php/dailyplanet.com/ /opt/web/php/lexcorp.com/ | Read | Read and Execute (required to transverse directories) | |
| Staff Users | staff | /opt/web/php/dailyplanet.com/ | Read | Read and Execute (required to transverse directories) | |
| Other | No Access | No Access |
...
| Directory | Permissions | ACL | ACL(default) |
|---|---|---|---|
| /web/ | rwXr-X--X | www-data:rX | www-data:rX |
| /web/php/ | rwXr-X--X | www-data:rX | www-data:rX |
| /web/php/tmp/ | rwXr-X--- | www-data:rwX | www-data:rwX |
| /web/php/logs/ | rwXr-X--- | www-data:rwX | www-data:rwX |
| /web/php/dailyplanet.com/ | rwXr-X--- | www-data:rX wgdailyplanet:rwX | www-data:rX wgdailyplanet:rwX |
| /dailyplanet.com/www/ | rwXr-X--- | www-data:rX wgdailyplanet:rwX | www-data:rX wgdailyplanet:rwX |
| /dailyplanetdailyplanet.com/blog/ | rwXr-X--- | www-data:rX wgdailyplanet:rwX | www-data:rX wgdailyplanet:rwX |
| /dailyplanet.com/blog/wp-content/ | rwXr-X--- | www-data:rwX wgdailyplanet:rwX | www-data:rwX wgdailyplanet:rwX |
| /web/php/lexcorp.com/ | rwXr-X--- | www-data:rX wglexcorp:rwX | www-data:rX wglexcorp:rwX |
| /lexcorp.com/www/ | rwXr-X--- | www-data:rX wglexcorp:rwX | www-data:rX wglexcorp:rwX |
| /lexcorp.com/blog/ | rwXr-X--- | www-data:rX wglexcorp:rwX | www-data:rX wglexcorp:rwX |
| /lexcorp.com/blog/wp-content/ | rwXr-X--- | www-data:rwX wglexcorp:rwX | www-data:rwX wglexcorp:rwX |
...
| Code Block | ||
|---|---|---|
| ||
cd php mkdir dailyplanet.com lexcorp.com tmp logs #change the php folder permissions back to the way it was cd .. chmod o-rw+X php #check the permissions getfacl php # file: php # owner: rfongyee # group: staff user::rwx group::r-x group:www-data:r-x group:staff:r-x mask::r-x other::--x default:user::rwx default:group::r-x default:group:www-data:r-x default:group:staff:r-x default:mask::r-x default:other::--- |
...
| Code Block | ||
|---|---|---|
| ||
cd php setfacl -Rm g:wgdailyplanet:rwX dailyplanet.com getfacl --access ./dailyplanet.com/ | sudo setfacl -d -RM - ./dailyplanet.com/ cd dailyplanet.com mkdir www blog |
Now do the same to lexcorp.com
Next move the web folder to the opt directory and make serveradmin:staff own it
| Code Block | ||
|---|---|---|
| ||
setfacl -Rm g:wglexcorp:rwX lexcorp.com getfacl --access ./lexcorp.com/ | sudo setfacl -d -RM - ./lexcorp.com/ cd lexcorp.com mkdir www blog |
| Code Block | ||
|---|---|---|
| ||
cd ~ sudo mv web /opt/ cd /opt/ sudo chown -R serveradmin:staff web |
Repeat the same steps for lexcorp.com and change the group accordingly,
...
User Lex Luthor has been given access to his directory "lexcorp.com" but learns of the "dailyplanet.com" directory by using his robots to spy on Clark Kent's computer. So Lex terminals in...
| Code Block | ||
|---|---|---|
| ||
cd /opt/web/php/ cd dailyplanet.com -su: cd: dailyplanet.com: Permission denied |
Backup and Restore
...
| Code Block | ||
|---|---|---|
| ||
sudo getfacl -R dailyplanet.com/ > ~/dailyplanet.com.acl.bck.txt |
It is important to run getfacl with sudo so that getfacl can properly transverse the directories and owner comments or group comments will be retained.
...
| Code Block | ||
|---|---|---|
| ||
cd /opt/web/php/
sudo setfacl --restore ./bck.dailyplanet.com.acl.bck.txt |
References
Good introduction from the Ubuntu docs - https://help.ubuntu/community/FilePermissionsACLs
...