Setfacl and granting permissions to a group and its members on a directory

Hi!

I created a group HACKERS and made the user "demo" its member.

[demo@localhost ~]$ id demo
uid=500(demo) gid=500(demo) groups=500(demo),502(HACKERS)
[demo@localhost ~]$

Next, I granted read and execute permissions to the group "HACKERS" on /var/log/httpd as shown below:

setfacl -m "g:HACKERS:r-x" /var/log/httpd

[demo@localhost ~]$ getfacl /var/log/httpd/
getfacl: Removing leading '/' from absolute path names
# file: var/log/httpd/
# owner: root
# group: root
user::rwx
group::---
group:HACKERS:r-x
mask::r-x
other::---

Still the user "demo" is not able to read/execute any command on the said directory:

[demo@localhost ~]$ cd /var/log/httpd/
bash: cd: /var/log/httpd/: Permission denied

Could you please help me?

I did that exercise on a production server and the team is asking me to get them permission as soon as possible.

One strange thing I noticed: If I do "su - root" and then do "su - demo" and check access then it works fine. But I can't do that on the production server.

I don't know what is wrong. If I grant the permission using setfacl to the user "demo" then it all works fine.

[root@localhost ~]# setfacl -m u:demo:r-x /manager

...

[demo@localhost ~]$ cd /manager
[demo@localhost manager]$

Why is it not working for the group?

I also checked several online tutorials and followed a similar exercise given here:

http://bencane.com/2012/05/27/acl-us...ists-on-linux/

and it is in no way different from what I have done above.

Update:

I have been able to do it but in a different way:

I first logged in to the machine as "root" and then ran the setfacl command.

Next, the user "demo" directly logs in to the server and is able to access the directory /var/log/httpd.

Well, I can't do that exercise on the production server. I have to first log in using my Windows AD credentials and then switch user to root by running the following command:

sudo su -l root

and this is not working as explained earlier. So, what is wrong with switching user to root and then setting permissions?

I checked it on my local VM and the same thing happened.

ls -ld /var /var/log
getfacl  /var /var/log

I think the problem may be in permissions for path directories.

I had to log out and log back in and the problem was resolved.
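
The resolution above fits how group membership works: a process keeps the group list it received at login, so a session opened before the account joined HACKERS does not carry that GID and the group ACL entry never matches. The script below is an added example, not part of the thread; it compares the GIDs of the current session with the GIDs recorded for the account. The function names are hypothetical, and the sample GIDs in the comments are the ones from the `id demo` output in the first post.

```shell
#!/bin/sh
# Added example: detect a login session that predates a group change.
# Numeric GIDs are compared so that group names containing spaces
# (possible with directory-backed accounts) cannot break word splitting.

# missing_groups SESSION_GIDS DB_GIDS
# Prints every GID listed in DB_GIDS that is absent from SESSION_GIDS.
# Example with the thread's values: missing_groups "500" "500 502" prints 502
missing_groups() {
    session=" $1 "
    out=""
    for gid in $2; do
        case "$session" in
            *" $gid "*) ;;                      # session already carries it
            *) out="${out:+$out }$gid" ;;       # granted after this login
        esac
    done
    printf '%s\n' "$out"
}

# check_session USER
# Run inside USER's own shell. Returns 1 when the session is stale.
check_session() {
    user=$1
    session_gids=$(id -G)           # groups attached to this process
    db_gids=$(id -G "$user")        # groups looked up for the account now
    stale=$(missing_groups "$session_gids" "$db_gids")
    if [ -n "$stale" ]; then
        echo "session lacks GID(s): $stale; start a new login session"
        return 1
    fi
    echo "session groups match the account database"
}

# Only run the live check when a user name is passed on the command line.
if [ "$#" -gt 0 ]; then
    check_session "$1"
fi
```

If the check passes and access is still denied, the directories above the target need search (x) permission as well, which is what the `ls -ld` and `getfacl` commands in the reply inspect.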