acl group permissions

Oleg Goldshmidt pub at goldshmidt.org
Wed Jul 14 20:14:42 IDT 2010


camelia <camelia.botez at weizmann.ac.il> writes:

> We have a file system that was built and populated before changing
> its acl.  On this file system we created a directory with default
> acl and 50 users that don't belong (all of them) to the same group
> we have 4 groups.  One of those groups should be able to r/w/x files
> in each user's directory, so I believed that if I create an entry
> in acl for this group I'll solve the problem.  The file system is
> mounted
>
> /dev/ngs /ngs  type gpfs
> rw,mtime,atime,quota=userquota;groupquota,filesetquota,dev=ngs,autostart 0 0

Oh, that's already additional information. I was thinking in terms of
POSIX ACL on a more conventional filesystem such as ext3. Now I see it is
GPFS (yes, as you mention, POSIX ACL is the default).

How come there is no indication of the control bit in any of the
outputs then? Rather than, say,

    group:bioserv:rwx

I'd expect to see

    group:bioserv:rwxc

or

    group:bioserv:rwx-

or something of the kind.

GPFS makes things a bit more problematic - I would be able to try
something on one of my computers easily, but I have no GPFS anywhere,
so I am blind.

> I tried to use also mmeditacl - command for changing acl that comes
> with gpfs and the result is the  same.

Same as setfacl (does it even work on GPFS)? Same as mmputacl?

> ls -ld on /ngs returns
> drwxrwxr-x+ 14 bsgilgi bioserv 8192 Jul 11 12:21 .
>
> I created first the acl for /ngs and I checked if directories
> already created in this file system have + at the end of permissions
> - don't have.

As I mentioned earlier, it is not surprising: ACLs are inherited at
creation time. I can't check, but I wonder if moving a subtree
somewhere else and back will fool GPFS into treating it as newly
created and thus putting ACL everywhere. Can you try it?

> If I create in /ngs a new directory it inherits the acl from /ngs.

That works then.

> I created another acl for /ngs/user_data but as user belonging to
> bioserv group I cannot write in other users directories.

One thing to check: is bioserv the primary group for the users? Have
you tried newgrp(1) or sg(1) to bioserv? Does it help?

-- 
Oleg Goldshmidt | pub at goldshmidt.org
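The two points the reply leans on (a default ACL is only copied into objects created after it was set, and a group entry only helps users who are actually in that group and only up to what the mask allows) can be checked without any particular filesystem. The following is an added illustration, not code from the thread and not GPFS or setfacl code: a small Python model of the POSIX.1e access check and of default-ACL inheritance. The ACL entries, the usernames (alice, bob, carol, dave) and the creation modes are constructed for the example; only bsgilgi and bioserv come from the thread.

```python
"""Model of POSIX.1e ACL evaluation and default-ACL inheritance (added example)."""
from dataclasses import dataclass, field
from typing import Optional

PERMS = "rwx"


def perm(s):
    """'rw-' or 'rw' -> frozenset of permission letters."""
    return frozenset(c for c in s if c in PERMS)


def fmt(p):
    """frozenset -> 'rw-' style string."""
    return "".join(c if c in p else "-" for c in PERMS)


@dataclass
class Acl:
    """One access ACL (a default ACL has the same shape)."""
    owner_user: str
    owner_group: str
    user: frozenset                   # user::   (owner)
    group: frozenset                  # group::  (owning group)
    other: frozenset                  # other::
    named_users: dict = field(default_factory=dict)   # user:NAME:
    named_groups: dict = field(default_factory=dict)  # group:NAME:
    mask: Optional[frozenset] = None  # mask::   (present iff the ACL is extended)

    def is_extended(self):
        """True when ls -l would append '+' to the mode string."""
        return self.mask is not None

    def effective(self, p):
        """Named entries and the owning group are capped by the mask."""
        return p if self.mask is None else p & self.mask

    def allowed(self, uid, groups, want):
        """POSIX.1e access check: the first matching class decides."""
        want = perm(want)
        if uid == self.owner_user:
            return want <= self.user
        if uid in self.named_users:
            return want <= self.effective(self.named_users[uid])
        candidates = []
        if self.owner_group in groups:
            candidates.append(self.group)
        candidates += [p for g, p in self.named_groups.items() if g in groups]
        if candidates:  # group class: any one matching entry may grant
            return any(want <= self.effective(p) for p in candidates)
        return want <= self.other

    def getfacl(self):
        """getfacl-style listing of the entries."""
        lines = [f"user::{fmt(self.user)}"]
        lines += [f"user:{u}:{fmt(p)}" for u, p in self.named_users.items()]
        lines.append(f"group::{fmt(self.group)}")
        lines += [f"group:{g}:{fmt(p)}" for g, p in self.named_groups.items()]
        if self.mask is not None:
            lines.append(f"mask::{fmt(self.mask)}")
        lines.append(f"other::{fmt(self.other)}")
        return lines


def create_child(parent_default, owner_user, owner_group, mode):
    """ACL of a new object created under a directory.

    Without a default ACL the mode bits are all there is.  With one, the
    default ACL is copied as the child's access ACL and the user::, other::
    and mask:: entries are intersected with the matching mode bits (the
    umask is not applied in that case).  Objects that already existed when
    the default ACL was set are untouched, which is why they never gain '+'.
    """
    u, g, o = (perm(mode[i:i + 3]) for i in (0, 3, 6))
    if parent_default is None:
        return Acl(owner_user, owner_group, u, g, o)
    d = parent_default
    return Acl(owner_user, owner_group,
               user=d.user & u,
               group=d.group if d.mask is not None else d.group & g,
               other=d.other & o,
               named_users=dict(d.named_users),
               named_groups=dict(d.named_groups),
               mask=None if d.mask is None else d.mask & g)


def demo():
    """Replay of the thread's situation on the model (constructed values)."""
    # Hypothetical default ACL on /ngs: owner rwx, owning group r-x,
    # a named entry giving group bioserv rwx, mask rwx, other r-x.
    ngs_default = Acl("bsgilgi", "bioserv", perm("rwx"), perm("r-x"), perm("r-x"),
                      named_groups={"bioserv": perm("rwx")}, mask=perm("rwx"))
    carol = ("carol", {"users", "bioserv"})   # constructed bioserv member
    dave = ("dave", {"users"})                # constructed non-member
    old_dir = create_child(None, "alice", "users", "rwxr-xr-x")        # made before the default ACL
    new_dir = create_child(ngs_default, "bob", "users", "rwxrwxrwx")   # mkdir afterwards (mode 0777)
    new_file = create_child(ngs_default, "bob", "users", "rw-r--r--")  # file created with mode 0644
    return {
        "old_dir_plus": old_dir.is_extended(),
        "new_dir_plus": new_dir.is_extended(),
        "new_dir_getfacl": new_dir.getfacl(),
        "carol_writes_old_dir": old_dir.allowed(*carol, "w"),
        "carol_writes_new_dir": new_dir.allowed(*carol, "w"),
        "dave_writes_new_dir": dave[0] and new_dir.allowed(*dave, "w"),
        "carol_writes_new_file": new_file.allowed(*carol, "w"),
        "new_file_mask": fmt(new_file.mask),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The third case in demo() is the one worth keeping in mind once the inheritance itself works: a file created under the directory with mode 0644 inherits the bioserv entry, but its mask is cut down to r--, so a bioserv member still cannot write it and getfacl shows the entry with "#effective:r--". Whether GPFS applies the same mask arithmetic to its POSIX-style ACLs is something to verify on the system itself.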