
I am running Arch Linux on my laptop as a development machine, and I need to grant the users group RW privileges to the folder: /srv/http and all files and folders under it.

I made sure that ACL is installed, and then added it to my fstab:

```
/dev/sda7               /               ext4            rw,relatime,data=ordered,acl    0 1
```

Then I ran the following:

```
sudo setfacl -m group:users:rw- -R /srv/http
```

It works fine on my desktop machine, why wouldn't this work the same on my laptop? After using the setfacl command above the users do not even have read access to the files or folders any more.

When I remove the ACL records like this:

```
sudo setfacl -bR /srv/http
```

After that command the users can open the files, but not modify them.

Am I doing something wrong here?

Here is the output of "ls -l /srv/http"

```
[shane@arch-mobile ~]$ ls -l /srv/http/
total 4
drwxr-xr-x 9 http http 4096 Aug  7 11:04 drupal7
```

Output of "zcat /proc/config.gz | grep -i acl":

```
CONFIG_EXT4_FS_POSIX_ACL=y
CONFIG_REISERFS_FS_POSIX_ACL=y
CONFIG_JFS_POSIX_ACL=y
CONFIG_XFS_POSIX_ACL=y
CONFIG_BTRFS_FS_POSIX_ACL=y
CONFIG_FS_POSIX_ACL=y
CONFIG_GENERIC_ACL=y
CONFIG_TMPFS_POSIX_ACL=y
CONFIG_NFS_V3_ACL=y
CONFIG_NFSD_V2_ACL=y
CONFIG_NFSD_V3_ACL=y
CONFIG_NFS_ACL_SUPPORT=m
CONFIG_CIFS_ACL=y
CONFIG_9P_FS_POSIX_ACL=y
```

Shane Grant
  • Did you get any error after running `sudo setfacl -m group:users:rw- -R /srv/http`? Please show us the output of `ls -l /srv/http`? – quanta Aug 09 '12 at 02:57
  • @quanta No errors, I put the output at the bottom of the post. – Shane Grant Aug 09 '12 at 03:03
  • `grep acl /proc/mounts`? – quanta Aug 09 '12 at 03:04
  • @quanta Nothing. Does that mean I have an issue with the fstab somewhere? – Shane Grant Aug 09 '12 at 03:09
  • Expect it might be a restrictive mask on the directory - you've used setfacl a lot, it would be useful if you could do a `getfacl /srv/http` to see what effect your changes have had. If it does turn out to be the mask, you can modify it (and fully open it up) with `setfacl -R -m m::rwx` – James Yale Aug 16 '12 at 09:15
  • Are you using extents? `lsattr /srv/http` the "e" should show you this. Or, you have it as ext3 or you are missing extended attributes. – Andrew Smith Aug 17 '12 at 20:05

3 Answers


> @quanta Nothing. Does that mean I have an issue with the fstab somewhere?

Yes. It means that your root file system hasn't remounted with ACL support:

```
# mount -o remount,acl /dev/sda7
```

and try again.

quanta

You should give "users" permission to search directories, otherwise it won't work:

```
sudo find /srv/http -type d -exec setfacl -m group:users:rwx {} \;
```

ivoronin
  • You can also use capital X to give the exec bit on directories only (and files that are already executable). `sudo setfacl -m group:users:rwX -R /srv/http` – chutz Sep 27 '12 at 16:10
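
The effect this answer describes, as an added example that is not part of the original thread: a small evaluator for the acl(5) access-check order run over `getfacl`-style listings for `/srv/http/drupal7`. The listings are constructed, and the user `shane` being a member of `users` (and not of `http`) is an assumption.

```python
# Added example: acl(5) access-check order applied to getfacl-style text.
# ACL listings below are constructed; "shane" in group "users" is an assumption.

def parse_getfacl(text):
    """Return {'owner', 'group', 'entries': [(tag, qualifier, perms_set)]}."""
    acl = {"owner": None, "group": None, "entries": []}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            # Drop a trailing "#effective:..." comment, then split tag:qualifier:perms.
            tag, qual, perms = line.split("#")[0].strip().split(":")[:3]
            acl["entries"].append((tag, qual, set(perms) - {"-"}))
    return acl

def allowed(acl, user, groups, want):
    """True if `user`, a member of `groups`, is granted every permission in `want`."""
    want, entries = set(want), acl["entries"]
    mask = next((p for t, q, p in entries if t == "mask"), set("rwx"))

    def perms(tag, qual=""):
        return next((p for t, q, p in entries if t == tag and q == qual), None)

    if user == acl["owner"]:                 # 1. owner: not masked
        return want <= perms("user")
    named = perms("user", user)
    if named is not None:                    # 2. named user: masked
        return want <= (named & mask)
    matched = [perms("group")] if acl["group"] in groups else []
    matched += [p for t, q, p in entries if t == "group" and q and q in groups]
    if matched:                              # 3. any matching group entry, masked;
        return any(want <= (p & mask) for p in matched)  # no fall-through to other
    return want <= perms("other")            # 4. everyone else

HEADER = "# file: srv/http/drupal7\n# owner: http\n# group: http\n"
BEFORE = HEADER + "user::rwx\ngroup::r-x\nother::r-x\n"
AFTER_RW = HEADER + "user::rwx\ngroup::r-x\ngroup:users:rw-\nmask::rwx\nother::r-x\n"
AFTER_RWX = HEADER + "user::rwx\ngroup::r-x\ngroup:users:rwx\nmask::rwx\nother::r-x\n"

if __name__ == "__main__":
    for name, text in [("no ACL", BEFORE), ("group:users:rw-", AFTER_RW),
                       ("group:users:rwX", AFTER_RWX)]:
        ok = allowed(parse_getfacl(text), "shane", {"users"}, "x")
        print(f"{name:16} directory search allowed: {ok}")
```

Before the ACL is set, the user reaches the directory through `other::r-x`; once a `group:users` entry exists, that entry decides, so `rw-` on a directory removes the search bit the user previously had.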

If output of

```
mount | grep acl
```

command is empty, your root filesystem is mounted without acl support. But if this happens, setfacl command would produce an error 'Operation not supported'.

Please post output of getfacl /srv/http command.

Selivanov Pavel