Granting access to specific user on a 700 file

Hello,

I have a directory dir1 with permissions 700 (yes, intentionally) and it is owned by user1:group1

rwx------ user1 group1 dir1

I need to give permissions to user2 (belongs to group2) on dir1 and its files, so I granted the permissions using setfacl, instead of adding the user to the group and then doing chmod 770.
Because I don't want the members of this group to also access this content.

setfacl -Rdm u:user2:rwx  dir1

But user2 is still not able to access dir1. Is it because the directory has 700?
Is there a way to accomplish the need?

OS: RHEL 7

Yes...

Not sure I understood all the requirements, but I will give an example of what I do for a dept here:
Statisticians in groupA should be able to execute and modify files of statisticians in GroupB, but they should not see what is in DirB of groupB except the files they know of.
I use a common directory DirC, put the executables and files in that directory with 664 perms for the data files, group owner GroupB, 755 for the executables and 711 perms for DirC, with a statistician of GroupB as owner and responsible for the content of this directory...
The use of 711 on the directory makes its content unreadable except for the owner, but if you know what is there, e.g. an executable like a script, and you have the right to execute or modify, you can do so, but you have no way to see what else is in that directory...
(just in case I was not clear, the GID of the files in this directory is set to GroupB)

Check out this example, and apply it to your environment.

[root@box ~]# id goprog
uid=1000(goprog) gid=1000(goprog) groups=1000(goprog)
[root@box ~]# id jboss
uid=666(jboss) gid=666(jboss) groups=666(jboss)
[root@box ~]# ls -dl /opt/jboss
drwx------. 4 jboss jboss 282 Jan 18 07:41 /opt/jboss
[root@box ~]# su - goprog
Last login: Sat Jan 18 07:41:45 CET 2020 on pts/0
[goprog@box ~]$ cd /opt/jboss
-bash: cd: /opt/jboss: Permission denied
[goprog@box ~]$ exit
logout
[root@box ~]# setfacl -R -m user:goprog:rwx /opt/jboss
[root@box ~]# su - goprog
Last login: Sat Jan 18 07:43:52 CET 2020 on pts/0
[goprog@box ~]$ cd /opt/jboss
[goprog@box jboss]$ cp domain.xml domain.xml_new
[goprog@box jboss]$ ls -lrt
total 176824
drwxrwxr-x+ 12 jboss  jboss        255 Jan  5  2019 wildfly-15.0.1.Final_rbacfail
drwxrwxr-x+ 12 jboss  jboss        255 Jan  5  2019 wildfly-15.0.1.Final
-rw-rwxr--+  1 jboss  jboss  180827189 Jan  7  2019 wildfly-15.0.1.Final.zip
lrwxrwxrwx.  1 jboss  jboss         20 May 18  2019 current -> wildfly-15.0.1.Final
-rw-rwxr--+  1 jboss  jboss     113390 May 18  2019 domain.xml
-rw-rwxr--.  1 goprog goprog    113390 Jan 18 07:45 domain.xml_new
[goprog@box jboss]$ 

Hope that helps
Regards
Peasant.

Thank you this worked.

The difference this time is: I used an absolute path and did not use the d option.

setfacl -R -m user:user2:rwx /local/dir1
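
Why the d option matters, as an added example that is not part of the thread: `-d` writes only default ACL entries, which are inherited by files created later and are not consulted when access to the directory itself is checked. The helper `acl_effective` is a hypothetical name, and both getfacl listings are constructed samples for the thread's dir1 and user2.

```shell
# Added example (not from the thread): rights a named user really gets
# from the *access* ACL in getfacl output. "default:" entries are skipped:
# they only seed the ACLs of files created later inside the directory.
# acl_effective USER  (hypothetical helper; reads getfacl text on stdin)
acl_effective() {
    awk -F: -v u="$1" '
        /^#/ || /^default:/ { next }            # comments, default ACL
        { sub(/[ \t]*#.*/, "", $3) }            # strip "#effective:" note
        $1 == "user" && $2 == u  { perm = $3 }  # named-user access entry
        $1 == "mask"             { mask = $3 }  # caps named users/groups
        END {
            if (perm == "") { print "none"; exit }
            if (mask == "") mask = "rwx"
            for (i = 1; i <= 3; i++) {
                p = substr(perm, i, 1)
                out = out ((p != "-" && p == substr(mask, i, 1)) ? p : "-")
            }
            print out
        }'
}

# Constructed: dir1 (mode 700) after `setfacl -Rdm u:user2:rwx dir1`
sample_default_only() {
    cat <<'EOF'
# file: dir1
user::rwx
group::---
other::---
default:user::rwx
default:user:user2:rwx
default:group::---
default:mask::rwx
default:other::---
EOF
}

# Constructed: dir1 after `setfacl -R -m user:user2:rwx dir1`
sample_access() {
    cat <<'EOF'
# file: dir1
user::rwx
user:user2:rwx
group::---
mask::rwx
other::---
EOF
}
sample_default_only | acl_effective user2   # none
sample_access | acl_effective user2         # rwx
```

Pipe real `getfacl dir1` output into the function to check a live directory. A later `chmod 700` on the directory rewrites the mask to `---`, which the function then reports as `---` even though the `user:user2:rwx` entry is still listed.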