Friday, June 22, 2012

NFSv4 ACL example 1

Granting user webservd permission to create a subdirectory inside a directory owned by bob. Note that webservd will not be able to remove that subdirectory afterwards unless he is also granted D (delete_child) permission on the parent directory, or he grants himself d (delete) permission on the subdirectory itself.

webservd@box-01:/home/bob/dir1 $ mkdir subdir1
mkdir: Failed to make directory "subdir1"; Permission denied 


bob@box-01:~ $ chmod A+user:webservd:rxpaRcs:allow dir1
bob@box-01:~ $ ll -dV dir1
drwxr-xr-x+  2 bob      staff          2 Jun 20 08:11 dir1
          user:webservd:r-xp--a-R-c--s:-------:allow
                 owner@:rwxp-DaARWcCos:-------:allow
                 group@:r-x---a-R-c--s:-------:allow
              everyone@:r-x---a-R-c--s:-------:allow
 
webservd@box-01:/home/bob/dir1 $ mkdir subdir1
webservd@box-01:/home/bob/dir1 $ ll -dV subdir1
drwxr-xr-x   2 webservd webservd       2 Jun 20 08:23 subdir1
                 owner@:rwxp-DaARWcCos:-------:allow
                 group@:r-x---a-R-c--s:-------:allow
              everyone@:r-x---a-R-c--s:-------:allow

webservd@box-01:/home/bob/dir1 $ rmdir subdir1
rmdir: directory "subdir1": Search or write permission needed

webservd@box-01:/home/bob/dir1 $ rm -r subdir1
rm: Unable to remove directory subdir1/: Permission denied

bob@box-01:~ $ chmod A0=user:webservd:rxpDaRcs:allow dir1
bob@box-01:~ $ ll -dV dir1
drwxr-xr-x+  3 bob      staff          3 Jun 20 08:23 dir1
          user:webservd:r-xp-Da-R-c--s:-------:allow
                 owner@:rwxp-DaARWcCos:-------:allow
                 group@:r-x---a-R-c--s:-------:allow
              everyone@:r-x---a-R-c--s:-------:allow

webservd@box-01:/home/bob/dir1 $ rmdir subdir1
webservd@box-01:/home/bob/dir1 $ ll
total 0

bob@box-01:~ $ chmod A0=user:webservd:rxpdaRcs:allow dir1
bob@box-01:~ $ ll -dV dir1
drwxr-xr-x+  3 bob      staff          3 Jun 20 08:35 dir1
          user:webservd:r-xpd-a-R-c--s:-------:allow
                 owner@:rwxp-DaARWcCos:-------:allow
                 group@:r-x---a-R-c--s:-------:allow
              everyone@:r-x---a-R-c--s:-------:allow

webservd@box-01:/home/bob/dir1 $ mkdir subdir2
webservd@box-01:/home/bob/dir1 $ rmdir subdir2
rmdir: directory "subdir2": Search or write permission needed

bob@box-01:~ $ chmod A0=user:webservd:rxpaRcs:allow dir1
bob@box-01:~ $ ll -dV dir1
drwxr-xr-x+  3 bob      staff          3 Jun 20 08:35 dir1
          user:webservd:r-xp--a-R-c--s:-------:allow
                 owner@:rwxp-DaARWcCos:-------:allow
                 group@:r-x---a-R-c--s:-------:allow
              everyone@:r-x---a-R-c--s:-------:allow

bob@box-01:~ $ ll -dV dir1/subdir2
drwxr-xr-x   2 webservd webservd       2 Jun 20 08:35 dir1/subdir2
                 owner@:rwxp-DaARWcCos:-------:allow
                 group@:r-x---a-R-c--s:-------:allow
              everyone@:r-x---a-R-c--s:-------:allow

bob@box-01:~ $ chmod A0=owner@:rwxpdDaARWcCos:allow dir1/subdir2
chmod: ERROR: Failed to set ACL: Not owner

bob@box-01:~ $ chmod A+user:webservd:rxdaRcs:allow dir1/subdir2
chmod: ERROR: Failed to set ACL: Not owner

webservd@box-01:/home/bob/dir1 $ chmod A0=owner@:rwxpdDaARWcCos:allow subdir2
webservd@box-01:/home/bob/dir1 $ ll -dV subdir2
drwxr-xr-x+  2 webservd webservd       2 Jun 20 08:35 subdir2
                 owner@:rwxpdDaARWcCos:-------:allow
                 group@:r-x---a-R-c--s:-------:allow
              everyone@:r-x---a-R-c--s:-------:allow 


webservd@box-01:/home/bob/dir1 $ rmdir subdir1
webservd@box-01:/home/bob/dir1 $ ll
total 0