A bit of a minor off-topic issue, but on the off-chance that someone
understands how ACLs work ...
I've been trying to see if using default ACLs would help with the
following issue:
I have a third-party application that is running as a non-root user
('user-a') and creating log files with mode 0600 (read/write only to the
owner) in a log directory.
I have another application that runs as another non-root user ('user-b')
that needs to read the log files created by 'user-a'.
I can't change the mode of the log files generated by 'user-a', but I
thought I could add a default ACL to the log file's parent directory
that gave read access to 'user-b' - i.e. something like:
% sudo setfacl -d -m u:user-b:r logdir
% getfacl logdir
# file: logdir
# owner: user-a
# group: user-a
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:user-b:r--
default:group::rwx
default:mask::rwx
default:other::r-x
Now when new log files are created in logdir, the default ACL is
inherited, but 'user-b' still can't read the files - i.e.
% getfacl logdir/logfile
# file: logdir/logfile
# owner: user-a
# group: user-a
user::rw-
user:user-b:r-- #effective:---
group::rwx #effective:---
mask::---
other::---
i.e. the effective access for 'user-b' is '---' - which is no access to
read for 'user-b'
I'm not sure where 'effective' comes from.
If I now explicitly add a read ACL for user-b to logdir/logfile:
% sudo setfacl -m u:user-b:r logdir/logfile
% getfacl logdir/logfile
# file: logdir/logfile
# owner: user-a
# group: user-a
user::rw-
user:user-b:r--
group::rwx
mask::rwx
other::---
and 'user-b' can read logdir/logfile
I guess I'm missing something on how default ACLs are meant to work -
can anyone explain what is happening here or point me in the right
direction?
I've actually 'solved' the issue with a suitable sudoers rule that
allows 'user-b' to run the required command as 'user-a', but I would
like to find out why this default ACL method doesn't work.
Thanks
James Pearson
_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
https://lists.centos.org/mailman/listinfo/centos
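The behaviour in the post, reproduced as an added example that is not part of the original message or of the acl package. It is a small Python model of the acl(5) rules: when a file is created under a directory with a default ACL, the new file's mask:: entry is the default mask ANDed with the group bits of the creation mode, so a 0600 create gives mask::--- regardless of what the default said; every named-user, named-group and owning-group entry is then ANDed with that mask, and the result is what getfacl prints as "#effective". A later setfacl -m (without -n) recomputes the mask as the union of those entries, which is why the explicit setfacl call in the post opened it up to rwx. Names stand in for numeric uids/gids, the getfacl input is constructed from the post, and setfacl's mask recalculation is assumed to be on.

```python
# Added example, not code from the post or from the acl package: a Python model of the
# POSIX.1e rules in acl(5) that produce the getfacl output quoted in the post. Names stand
# in for numeric uids/gids, and setfacl's default mask recalculation (no -n) is assumed.
from dataclasses import dataclass, replace

R, W, X = 4, 2, 1
PERM_CHARS = (("r", R), ("w", W), ("x", X))

@dataclass(frozen=True)
class Entry:
    tag: str        # "user", "group", "other" or "mask"
    qualifier: str  # "" for user::/group::/other::/mask::, otherwise the name
    perms: int      # bitmask of R | W | X

def parse_perms(text):
    return sum(bit for char, bit in PERM_CHARS if char in text)

def fmt_perms(perms):
    return "".join(char if perms & bit else "-" for char, bit in PERM_CHARS)

def parse_acl(text, want_default=False):
    """Parse getfacl-style lines, keeping either the access or the default: entries."""
    entries = []
    for line in text.strip().splitlines():
        line = line.split("#", 1)[0].strip()   # drops "# file:" headers and #effective notes
        is_default = line.startswith("default:")
        if not line or is_default != want_default:
            continue
        tag, qualifier, perms = (line[8:] if is_default else line).split(":")
        entries.append(Entry(tag, qualifier, parse_perms(perms)))
    return entries

def mask_of(entries):
    return next((e.perms for e in entries if e.tag == "mask"), None)

def in_group_class(e):
    # Entries the mask applies to: named users, named groups and the owning group.
    return e.tag == "group" or (e.tag == "user" and e.qualifier != "")

def effective(entries):
    """Pair each entry with its effective perms; this is where getfacl's #effective comes from."""
    mask = mask_of(entries)
    return [(e, e.perms & mask if mask is not None and in_group_class(e) else e.perms)
            for e in entries]

def render(entries):
    lines = []
    for e, eff in effective(entries):
        note = f"\t#effective:{fmt_perms(eff)}" if eff != e.perms else ""
        lines.append(f"{e.tag}:{e.qualifier}:{fmt_perms(e.perms)}{note}")
    return "\n".join(lines)

def inherit(default_entries, mode):
    """ACL of a file created under a directory with a default ACL (acl(5)): the umask is
    ignored; user::, mask:: (or group:: when there is no mask) and other:: are ANDed with the
    owner/group/other bits of the mode passed to open(), and the remaining entries are copied."""
    owner_bits, group_bits, other_bits = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    out = []
    for e in default_entries:
        if e.tag == "user" and e.qualifier == "":
            e = replace(e, perms=e.perms & owner_bits)
        elif e.tag == "mask" or (e.tag == "group" and e.qualifier == ""
                                 and mask_of(default_entries) is None):
            e = replace(e, perms=e.perms & group_bits)
        elif e.tag == "other":
            e = replace(e, perms=e.perms & other_bits)
        out.append(e)
    return out

def modify(entries, new_entry):
    """setfacl -m without -n: set the entry, then recompute mask:: as the union of all
    group-class entries, which is why the explicit 'setfacl -m u:user-b:r' gave mask::rwx."""
    key = (new_entry.tag, new_entry.qualifier)
    if any((e.tag, e.qualifier) == key for e in entries):
        entries = [new_entry if (e.tag, e.qualifier) == key else e for e in entries]
    else:
        entries = entries + [new_entry]
    union = 0
    for e in entries:
        if in_group_class(e):
            union |= e.perms
    return [replace(e, perms=union) if e.tag == "mask" else e for e in entries]

# Constructed input: the default ACL the post put on logdir, in getfacl's own format.
LOGDIR_ACL = """
# file: logdir
default:user::rwx
default:user:user-b:r--
default:group::rwx
default:mask::rwx
default:other::r-x
"""

def logfile_acl(create_mode=0o600):
    # ACL logdir/logfile gets when user-a's application creates it with create_mode.
    return inherit(parse_acl(LOGDIR_ACL, want_default=True), create_mode)

if __name__ == "__main__":
    created = logfile_acl(0o600)
    print(render(created))   # reproduces the post: mask::--- and #effective:--- for user-b
    print(render(modify(created, Entry("user", "user-b", R))))   # setfacl -m u:user-b:r
    print(render(logfile_acl(0o640)))   # had the app used 0640, mask::r-- and user-b could read
```

The model makes the limit explicit: a default ACL can add entries to new files, but it cannot widen the mask beyond the group bits of the mode the creating application asks for, so a 0600 creator keeps every named user out until something reopens the mask on the file itself.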