Setting ACL for group read access

Let me introduce you to margaret and pepijn, my two LDAP users.

Pepijn is at the bottom of my non-existent corporation's food chain and is therefore a member of only one LDAP group:

pepijn@srv:/$ groups
user

Margaret is one of the more fortunate:

margaret@srv:/$ groups
user SVNAccess www-writers book-writers

I've set an ACL with defaults for /files/books, so that members of book-writers have rwx access and members of user have only r access.

# file: files/books/
# owner: root
# group: book-writers
user::rwx
group::r--
group:user:r--
group:book-writers:rwx
mask::rwx
other::---
default:user::rwx
default:group::r--
default:group:user:r--
default:group:book-writers:rwx
default:mask::rwx
default:other::---

Margaret writes some data to the file /files/books/test.txt. Pepijn then tries to take a look at the contents of the file, but is rather disappointed when he gets presented with an Access Denied error.

When I run getfacl on the file it returns this:

# file: files/books/test.txt
# owner: margaret
# group: user
user::rw-
group::r--
group:user:r--
group:book-writers:rwx          #effective:rw-
mask::rw-
other::---

Why isn't Pepijn able to view the content of Margaret's file?

Steve

Posted 2015-01-24T14:58:15.800

Reputation: 3

Answers

Your files/books/ directory does not grant +x (traverse) to group:user.

For directories, +r lets you list the contents (file names), but +x is needed to actually descend into the directory (therefore it is needed on all parents all the way to /).

user1686

Posted 2015-01-24T14:58:15.800

Reputation: 283 655
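The traverse rule in this answer, as an added worked example that is not part of the original thread: a small Python model of the POSIX ACL access check (the algorithm described in acl(5)) applied to the two getfacl listings from the question. It shows that the file's ACL on its own would let pepijn read test.txt, but the missing x on files/books stops him before the file ACL is ever consulted. The parser and the group sets are constructed here, not taken from any real tool.

```python
# Constructed from the question's getfacl output; default: entries omitted since
# they only shape ACLs of newly created children, not the access check itself.
DIR_ACL = """# owner: root
# group: book-writers
user::rwx
group::r--
group:user:r--
group:book-writers:rwx
mask::rwx
other::---"""
FILE_ACL = """# owner: margaret
# group: user
user::rw-
group::r--
group:user:r--
group:book-writers:rwx          #effective:rw-
mask::rw-
other::---"""

def parse_acl(text):
    """Parse getfacl output into (owner, owning_group, {(tag, qualifier): perms})."""
    owner = group = None
    entries = {}
    for line in text.splitlines():
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            tag, qual, perms = line.split("#")[0].strip().split(":")  # drop "#effective:" note
            entries[(tag, qual)] = set(perms) - {"-"}
    return owner, group, entries

def access(acl, user, groups, want):
    """acl(5) order: owner entry (unmasked), named user, matching group entries, else other."""
    owner, owning_group, e = acl
    mask = e.get(("mask", ""), set("rwx"))
    if user == owner:                       # owner entry is never masked
        return set(want) <= e[("user", "")]
    if ("user", user) in e:
        return set(want) <= e[("user", user)] & mask
    hits = [p for (tag, q), p in e.items()
            if tag == "group" and (q in groups or (q == "" and owning_group in groups))]
    if not hits:                            # no group matched: fall through to other::
        return set(want) <= e[("other", "")]
    return any(set(want) <= p & mask for p in hits)  # one matching entry must grant it all

def can_read(dir_acls, file_acl, user, groups):
    """Every directory on the path needs x (traverse); only then is the file ACL consulted."""
    return all(access(d, user, groups, "x") for d in dir_acls) and access(file_acl, user, groups, "r")
```

Calling `can_read([parse_acl(DIR_ACL)], parse_acl(FILE_ACL), "pepijn", {"user"})` returns False, while `access(parse_acl(FILE_ACL), "pepijn", {"user"}, "r")` on the file alone returns True, which is exactly the gap the answer points at.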