ACL problem

leonardorame

Contributor
Joined
Jun 30, 2018
Messages
106
Hi, I configured a user that needs to access files stored in an SMB directory for read and execute only; there's also another user who needs RWX access.

User with all permissions is named "informemedico" and the read only user is "drcalderon".

drcalderon is part of the "informemedico" group.
informemedico's main group is also informemedico.

There is a pool named "imagenes" with the following ACLs:

[two screenshots of the pool's ACL settings; not reproduced]

Now when I (as user informemedico) create a file inside a subdirectory of imagenes, the file is created with these attributes:

----r-x---+

But I would like to have drwxr-xr-x+.

If I call getfacl on that directory I get:

# file: .
# owner: informemedico
# group: informemedico
group@:r-x---a-R-c---:fdi---I:allow
everyone@:--------------:fdi---I:allow
owner@:rwxp--aARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow

What can I do to fix this mess?
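The getfacl output above already explains the odd `----r-x---+` result: in FreeBSD's compact NFSv4 notation the flag field is `fdinSFI`, so the two entries marked `fdi---I` are inherit-only templates (file_inherit, dir_inherit, inherit_only, themselves inherited), and they are the only entries that carry the `f` flag. The `owner@:rwxp...` entry has no inheritance flags, so a new file receives a group@ entry with r-x, an empty everyone@ entry, and no owner@ entry at all. The script below is an added example, not TrueNAS or OpenZFS code: it parses that getfacl text, renders the mode string ls would print, and applies the plain NFSv4 inheritance rules to predict a new file's ACL. It deliberately does not model the creating process's mode and umask or the dataset's aclinherit property (the page's own directory shows three trivial entries with no `I` flag, which were not inherited and are therefore outside this model), so its prediction for a new directory shows only the propagated templates.

```python
"""Added example for this thread (not TrueNAS or OpenZFS code): parse the
compact NFSv4 ACL text that FreeBSD/TrueNAS getfacl prints, render the mode
triplet ls(1) would show, and predict which entries a new file or directory
inherits from its parent. Inheritance is the plain NFSv4 flag model
(assumption): the creating process's mode/umask and the aclinherit property
are not applied, so trivial entries that a real system adds from the
creation mode are missing from the prediction."""
from dataclasses import dataclass

# Order of the 14-character permission field in getfacl output.
PERM_ORDER = "rwxpDdaARWcCos"
# Order of the 7-character flag field: file_inherit, dir_inherit,
# inherit_only, no_propagate, successful_access, failed_access, inherited.
FLAG_ORDER = "fdinSFI"
TRIVIAL = ("owner@", "group@", "everyone@")

# The directory ACL from the first post, copied verbatim.
PAGE_ACL = """\
# file: .
# owner: informemedico
# group: informemedico
group@:r-x---a-R-c---:fdi---I:allow
everyone@:--------------:fdi---I:allow
owner@:rwxp--aARWcCos:-------:allow
group@:r-x---a-R-c--s:-------:allow
everyone@:r-x---a-R-c--s:-------:allow
"""


@dataclass
class Ace:
    principal: str      # owner@, group@, everyone@, user:name or group:name
    perms: set
    flags: set
    kind: str           # allow or deny

    def to_text(self) -> str:
        perms = "".join(c if c in self.perms else "-" for c in PERM_ORDER)
        flags = "".join(c if c in self.flags else "-" for c in FLAG_ORDER)
        return f"{self.principal}:{perms}:{flags}:{self.kind}"


def parse_getfacl(text: str) -> list:
    """Turn getfacl output into Ace objects; '# file:' style lines are skipped."""
    aces = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # A principal such as user:name contains ':' itself, so split from the right.
        principal, perms, flags, kind = line.rsplit(":", 3)
        aces.append(Ace(principal, set(perms) - {"-"}, set(flags) - {"-"}, kind))
    return aces


def ls_mode(aces: list, is_dir: bool = False) -> str:
    """Mode string as ls -l shows it, built from the effective (not inherit-only)
    allow entries for owner@/group@/everyone@. Deny entries are ignored; the
    trailing '+' marks any ACL that is not a plain three-entry trivial ACL."""
    bits = {who: set() for who in TRIVIAL}
    for ace in aces:
        if ace.kind == "allow" and "i" not in ace.flags and ace.principal in bits:
            bits[ace.principal] |= ace.perms & {"r", "w", "x"}
    mode = "d" if is_dir else "-"
    for who in TRIVIAL:
        mode += "".join(c if c in bits[who] else "-" for c in "rwx")
    trivial = (sorted(a.principal for a in aces) == sorted(TRIVIAL)
               and all(a.kind == "allow" and not a.flags for a in aces))
    return mode if trivial else mode + "+"


def inherit(parent: list, new_is_dir: bool) -> list:
    """Entries a new object takes from its parent under NFSv4 flag semantics:
    files receive entries flagged f, directories entries flagged f or d.
    On a file all inheritance flags are dropped; on a directory they are kept
    so the entry keeps propagating, an f-only entry becomes inherit-only (it
    applies only to files beneath the new directory), and an n entry loses its
    inheritance flags. Every copy is marked I (inherited)."""
    child = []
    for ace in parent:
        if new_is_dir:
            if not ace.flags & {"f", "d"}:
                continue
            flags = set() if "n" in ace.flags else ace.flags & {"f", "d", "i"}
            if "n" not in ace.flags and "d" not in ace.flags:
                flags.add("i")
        else:
            if "f" not in ace.flags:
                continue
            flags = set()
        child.append(Ace(ace.principal, set(ace.perms), flags | {"I"}, ace.kind))
    return child


def explain(parent_text: str = PAGE_ACL) -> dict:
    """ls mode of the parent directory and of a new file and directory created
    under it, plus the predicted ACL text of the new file."""
    parent = parse_getfacl(parent_text)
    return {
        "parent": ls_mode(parent, is_dir=True),
        "new_file": ls_mode(inherit(parent, False)),
        "new_dir": ls_mode(inherit(parent, True), is_dir=True),
        "new_file_acl": [a.to_text() for a in inherit(parent, False)],
    }


if __name__ == "__main__":
    for key, value in explain().items():
        print(key, value)
```

Running it reproduces `drwxr-xr-x+` for the directory and `----r-x---+` for a file created beneath it, the two values reported in the post; the predicted file ACL has only the group@ and everyone@ entries, each marked `I`. To get owner rwx on new files from inheritance alone, an owner@ entry would itself need the `f` (and `d`) flags.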
 

leonardorame

Contributor
Joined
Jun 30, 2018
Messages
106
Well, I removed the ACLs of subdirectories; now, when I create a file (with touch test.txt for example) it gets these permissions:

-rw-r--r-- 1 informemedico informemedico 0B Oct 3 16:50 test.txt

How can I define the parent ACL so that newly created files have the x attribute?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Create the dataset as an SMB dataset (or set aclmode property to RESTRICTED). Do note that you should use the BASIC-READ permissions set rather than trying to hand-craft something. SMB clients need to be able to read attributes / stat files.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Alternatively, if for some reason you need a local process to be able to chmod(2) files, then you should define the permissions you need via an additional ACL entry for the group informemedico (or whoever is accessing the data).
 

leonardorame

Contributor
Joined
Jun 30, 2018
Messages
106
Create the dataset as an SMB dataset (or set aclmode property to RESTRICTED). Do note that you should use the BASIC-READ permissions set rather than trying to hand-craft something. SMB clients need to be able to read attributes / stat files.
Thanks, but I have a couple of questions.

1. The dataset has a lot of data.
2. The only application that writes on it runs in a jail.
3. If I change the ACL mode of the dataset, will the jailed app be affected?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Thanks, but I have a couple of questions.

1. The dataset has a lot of data.
2. The only application that writes on it runs in a jail.
3. If I change the ACL mode of the dataset, will the jailed app be affected?
Yes. If you set aclmode to restricted, any chmod(2) attempt by a jailed process will fail with EPERM. Depending on the design of the application this failure may be gracefully handled... or it may not.
 

leonardorame

Contributor
Joined
Jun 30, 2018
Messages
106
I'll forget for a while the external user access via SMB.

Now I need to solve the main issue, new files are created without the "x" attribute. How can I force that?
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
I'll forget for a while the external user access via SMB.

Now I need to solve the main issue, new files are created without the "x" attribute. How can I force that?
Depends on which process is creating / altering permissions on the file. You will probably need to investigate your application's behavior / umask of the process. This can override / alter the inherited ACL if you're only using owner@, group@, and everyone@ entries.
 

leonardorame

Contributor
Joined
Jun 30, 2018
Messages
106
Forget about it. I checked again and even without the "x", the files can be opened as expected.
 

anodos

Sambassador
iXsystems
Joined
Mar 6, 2014
Messages
9,554
Forget about it. I checked again and even without the "x", the files can be opened as expected.

For simplicity's sake, you can think of "x" as meaning different things for files and directories. If it is missing on a directory a process will not be able to chdir() into / through it. For files, think execute. This is pretty much the same as on NTFS BTW; the same bit is "traverse folder / execute file". The difference is that on Windows, regular users are by default granted privileges to ignore the permissions check on traversal.
 

leonardorame

Contributor
Joined
Jun 30, 2018
Messages
106
Exactly, the test I did was first with an mkdir and it added the "x", then with a file and it didn't.
 