Permission denied after using setfacl

Question

There are 3 users: A, B, C.

A has mydir in his home folder /home/A/mydir

B can read /home/A contents

C can read and write /home/A contents

I tried in this way:

setfacl -Rm u:B:r /home/A/
setfacl -Rm u:C:rw /home/A/

su B
ls /home/A
ls: cannot access /home/A: Permission denied
mydir
cd /home/A
-bash: cd: /home/A/: Permission denied

cat /etc/fstabs:

/dev/sdb1 /media/esterno ext3 defaults,acl 0 2

getfacl /home/A:

getfacl: Removing leading '/' from absolute path names
# file: home/A
# owner: A
# group: A
user::rwx
user:B:r--
user:C:rw-
group::---
mask::rw-
other::---

Normally you would want setfacl to recalculate the mask. Can you print the output of `getfacl /home/A`. — alvits, Apr 04 '14 at 22:52
I see the issue. You need to give both B and C execute permission. Directories even when readable or writable will not allow going into when execute permission is not set. — alvits, Apr 04 '14 at 23:41
Thank you! Now it works! But where is the logic? Why should i set execute permission if i'm reading it? — filippo, Apr 04 '14 at 23:49
You need the execution permission to open a directory on a unix system... — Stephan Kulla, Apr 05 '14 at 01:15
You were not just reading it, you were traversing it. Traversing a directory requires an execute permission. — alvits, Apr 05 '14 at 05:33

score 10 · Answer 1 · answered May 02 '14 at 18:25

10

As tampis allready said, to change into a directory (or list its content, or read a file in it) in linux, one needs to have execute permissions on that directory. Change your setfacl commad to something like this:

setfacl -Rm u:B:rx /home/A/
setfacl -Rm u:C:rwx /home/A/

answered May 02 '14 at 18:25

mofoe

3,634
1
16
16

2

this is nuts. `sudo setfacl -Rm u:user1:rx /x/x/` `cd /x/x/` Permission denied – Toolkit Jan 21 '20 at 07:03
So does this only work because the home dir is already executable by B and C? What if you first did [root]> setfacl -Rm u:C:rwx /home/A/shared/ then [C]> cd /home/A/shared? Is it true that every parent dir needs x permissions, to traverse? – cloudsurfin Feb 12 '21 at 21:21
1

yes, every directory in the path needs to have the executable bit set to be able to `cd` into a sub folder. – mofoe Mar 19 '22 at 19:06

Shivam Mehrotra · Answer 2 · 2019-07-18T14:11:11.857

1

you also need execute permission along with read permission on directory

"setfacl -m  u:B:r-x /home/A"

edited Jul 18 '19 at 14:11

answered Jul 17 '19 at 12:57

Shivam Mehrotra

393
2
6

Permission denied after using setfacl

2 Answers2