
Unix & Linux Stack Exchange

Q&A for users of Linux, FreeBSD and other Unix-like operating systems

Latest Questions

0 votes
3 answers
2618 views
Directory listing when using setfacl ACL
I use the setfacl command to grant read permission for reading files in a directory, but I can't use ls to view files. I tried `setfacl -Rdm g:grouptoadd:rx /path/directory/`, but I can read files (when I use the direct path to a file, for example "/path/directory/myfile") and can't list the directory (`ls /path/directory/`).
grU (11 rep)
Mar 17, 2021, 10:22 AM • Last activity: Jul 24, 2025, 12:05 PM
2 votes
1 answers
3797 views
Nfs4_setfacl reports error on files of mounted folder
I mounted an NFSv4 folder (both client and server are CentOS 7.4) via the command

```
$ sudo mount -t nfs -o v4.0,sec=krb5 ark-centos7-ker.qa.arkivio.com:/export/nfs1 /nfs4-mnt-dir
```

created a file via `touch 11`, then setting the file's ACL failed with the command

```
$ sudo nfs4_setfacl -a A::auto-stor@qa.arkivio.com:rxtncy /nfs4-mnt-dir/11
[sudo] password for auto-stor@qa.arkivio.com:
Failed setxattr operation: Invalid argument
```

It seems to be complaining that the parameter auto-stor@qa.arkivio.com is invalid, but this user is already recognized by both the NFSv4 client and server.

```
$ getent passwd auto-stor@qa.arkivio.com
auto-stor@qa.arkivio.com:*:1712401226:1712400513:auto-stor:/home/auto-stor@qa.arkivio.com:/bin/bash
$ id auto-stor@qa.arkivio.com
uid=1712401226(auto-stor@qa.arkivio.com) gid=1712400513(domain users@qa.arkivio.com) groups=1712400513(domain users@qa.arkivio.com),10(wheel),1712439592(autostoradmins@qa.arkivio.com),1712439438(certsvc_dcom_access@qa.arkivio.com),1712439896(passwordpropdeny@qa.arkivio.com),1712400512(domain admins@qa.arkivio.com),1712439802(ats_steph_testgroup@qa.arkivio.com)
```

What is missing in my configuration?
xq10907 (95 rep)
Mar 6, 2018, 01:42 AM • Last activity: Jun 11, 2025, 11:09 AM
0 votes
1 answers
73 views
use setfacl to remove a users access to a directory?
So here is something I could not find any reference to: I have this user, user_A, and I want to remove its access to this directory entirely: /log/dirA

As far as I understand, chmod is used to modify the access in this order: user/group/others. Others is general and does not care who this is; anyone other than the user who is not a member of the group will be "other(s)". So I don't want to mess with other users' access to this path, but I want to limit user_A from accessing it.

Does **setfacl** work for directories too? I ask because I used this command, which I think should deny read/write/execute access to the mentioned directory for user_A, but the user is still able to cd into the mentioned dir. Does setfacl apply only to files?

Command:
setfacl -Rdm u:user_A:--- /log/dirA
ls -lhtr of the mentioned path:
rwxr-xr-x+  3 Mainuser Mainuser   19 Apr 17  2018 dirA
getfacl /log/dirA :
# file: dirA/
# owner: Mainuser
# group: Mainuser
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:user_A:---
default:group::r-x
default:mask::r-x
default:other::r-x
Navid Taghavi (25 rep)
May 19, 2025, 08:45 AM • Last activity: May 19, 2025, 02:58 PM
1 votes
1 answers
2300 views
setting correct default permissions on directories and files created by sftp user in same group
In my folder /var/www/storage/app/uploads/public I have a lot of subdirectories that are made by my website CMS and an sftp upload script from a remote server. Now the problem I'm facing arises from the directories created by the sftp upload.

[image: improper permissions]

The owner is sftpuser and there is no write permission on that directory for my www-data user to create a subdirectory. This causes my www-data user's PHP script to spew out

> Backtrace from 'mkdir(): Permission denied' at /var/www/install-master/vendor/laravel/framework/src/Illuminate/Filesystem/Filesystem.php 336:

If I check the ACL permissions on the parent directories from when I first set it to be group writable, the topmost directory has correct ACL permissions.

[image: proper acl]

But the second level, created by sftp, doesn't have these.

[image: wrong acl]

I found this question, but not really a useful answer except that sftp ignores ACLs. I have tried setting the umask bit for sftp in /etc/ssh/sshd_config

[image: changed umask in sshd_config]

but even that didn't have an effect on the newly created directory. It is still not writable for the group.

How do I use sftp to give browse and create-subdirectory permissions on newly created folders to owner and group, and read and write permissions to owner and group, but not execute permissions on the files in those subdirectories? Or should I use a different approach?

As I understand it, sftp has only limited options for changing file permissions from the remote side, and ACLs are apparently ignored by OpenSSH sftp. So how do I get these proper permissions running on Ubuntu 18.04 with an sftpuser?
Tschallacka (163 rep)
Aug 6, 2019, 09:19 AM • Last activity: May 12, 2025, 10:03 PM
2 votes
1 answers
2026 views
User has no effective access when using setfacl -d
I have a directory that I would like to share with two specific users. It has no contents yet, but I need all three of us to be able to add files and subdirectories, and it's important that all contents (by default at least) inherit the same permissions. The three of us get full access--nobody else gets anything. I thought I'd accomplished this goal with:
setfacl -m u:myfriend:rwx Directory
setfacl -d -m u:myfriend:rwx Directory
But when I create a test file inside the directory, I see the following:
$$$ getfacl TESTFILE
# file: TESTFILE
# owner: me
# group: me
user::rw-
user:myfriend:rwx                     #effective:---
group::---
mask::---
other::---
I think the mask is the problem, but the mask on the directory doesn't match. This is what I get when I run getfacl on the Directory:
$$$ getfacl .
# file: .
# owner: me
# group: me
user::rwx
user:myfriend:rwx
group::---
mask::rwx
other::---
default:user::rwx
default:user:myfriend:rwx
default:group::---
default:mask::rwx
default:other::---
What am I doing wrong here? Thanks!
Alexander Brooks (29 rep)
Jun 30, 2020, 04:10 PM • Last activity: May 9, 2025, 07:02 AM
0 votes
1 answers
71 views
FTP unable to write to a mounted drive
I'm using Mint Linux 22.1 and vsftpd on the destination computer and Windows 11 (latest version) as the source computer. I have the following permissions. In my home directory I have a symlink to a mounted NTFS drive:

[image]

The permissions to the mounted NTFS drive's directories are:

[image]

I have added FACL permissions to each directory making todd an owner of each directory (also did a chown from root to todd in a separate, unsuccessful attempt).

**Upon further investigation it appears the setfacl didn't actually do anything (apparently due to the file system being NTFS). So, now the question becomes why didn't the chown where I set my user account as owner solve the problem?**

I have set write_enable=YES in the /etc/vsftpd.conf file.

When I try accessing the symlink using Windows 11's file explorer:

```
ftp://todd@192.168.40.77/NTFS2TB/backups/
```

I can see files and directories within the NTFS2TB directory, but I cannot upload any files into it. What do I need to do to enable uploading files to the Linux computer's backups directory from Windows 11?

EDIT: Showing the filesystem of NTFS2TB is NTFS

[image]

EDIT 2: The vsftpd.log file entry for an attempt to upload is as follows:

```
Sat Apr 26 16:33:42 2025 [pid 6734] CONNECT: Client "::ffff:192.168.40.161"
Sat Apr 26 16:33:42 2025 [pid 6733] [todd] OK LOGIN: Client "::ffff:192.168.40.161"
Sat Apr 26 16:33:42 2025 [pid 6736] [todd] FAIL DELETE: Client "::ffff:192.168.40.161", "/media/todd/NTFS_PARTITION_2TB/backups/DumpStack.log"
```

EDIT 3: I converted the drive from NTFS to EXT4 and it works now! Thanks everyone.
Todd (101 rep)
Apr 26, 2025, 08:38 PM • Last activity: Apr 28, 2025, 10:28 PM
1 votes
0 answers
546 views
ACL always sets group execute permissions on files (Samba)
I have some users in the "sambashare" group and some in the "sambashareAdmin" group. Only users from the "sambashareAdmin" group are allowed to change/create stuff. All files should belong to haegarthehorrible:sambashare, no matter if I create them on the server or if I move/copy them to the server.

The problem is that all files get execute permissions on the group (670/-rw-rwx---) and not 660/-rw-rw---- if the Windows workstation user (paradise) does it.

I tried "obey pam restrictions" with yes and no in Samba, which makes no difference. I also tried "create mask" and "directory mask" or "force create mode" and "force directory mode" or both together. I tried chmod g+s and g+s,u+s. I tried complicated stuff like:

```
~$ sudo chmod -R a-x,u=rX,g=rX,u+w,g+w /mnt/pool/Share/Backup
~$ sudo chmod -R a-x,u=rwX,g=rwX /mnt/pool/Share/Backup
```

And also funny is that if I use "rwX" instead of "rw" (chmod or setfacl) I get execute on the owner permissions. I thought X does only set it on directories?

So here is what now looks really complicated and still does not work. Remember these are all directories that already have files/directories in them.

```
~$ sudo nano /etc/samba/smb.conf
[global]
server string = Harvester
server role = standalone server
server min protocol = SMB2
workgroup = WORKGROUP
interfaces = lo enp0s31f6
bind interfaces only = yes
logging = file
log file = /var/log/samba/log.%m
max log size = 1000
load printers = no
show add printer wizard = no
disable netbios = yes
dns proxy = no
deadtime = 30
smb ports = 445
smb encrypt = off
security = user
obey pam restrictions = yes
panic action = /usr/share/samba/panic-action %d
use sendfile = yes
directory mask = 2750
create mask = 0640
access based share enum = yes
map to guest = bad user
guest account = shareguest

[Backup]
path = /mnt/pool/Share/Backup
guest ok = no
browseable = no
create mask = 0660
directory mask = 2770
force group = sambashare
force user = haegarthehorrible
write list = @sambashareAdmin
valid users = haegarthehorrible paradise
inherit acls = Yes
```

Set Permissions:

```
~$ sudo chown -R haegarthehorrible:sambashare /mnt/pool/Share/Backup
~$ sudo setfacl -R -b -k -n /mnt/pool/Share/Backup # Remove ACL
~$ sudo chmod -R g+s,u+s /mnt/pool/Share/Backup
~$ sudo chmod 0770 /mnt/pool/Share/Backup
~$ sudo find /mnt/pool/Share/Backup -type f -exec chmod 660 {} \;
~$ sudo find /mnt/pool/Share/Backup -type d -exec chmod 2770 {} \;
~$ sudo setfacl -R -d -m u::rw,g::rw,u:haegarthehorrible:rw,g:sambashareAdmin:rw /mnt/pool/Share/Backup # ACL for new items
~$ sudo setfacl -R -m u:haegarthehorrible:rw,g:sambashareAdmin:rw /mnt/pool/Share/Backup # ACL for old/existing items
```

sambashareAdmin Members:

```
~$ members sambashareAdmin
haegarthehorrible paradise
```

sambashare Members:

```
~$ members sambashare
shareguest watcher
```

Share Root Folder Permissions:

```
~$ ls -ld /mnt/pool/Share
drwxr-xr-x 7 root root 4096 Aug 7 2023 /mnt/pool/Share
~$ stat /mnt/pool/Share
Access: (0755/drwxr-xr-x) Uid: (0/root) Gid: (0/root)
~$ getfacl /mnt/pool/Share
# file: mnt/pool/Share
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
```

Share Permissions:

```
~$ ls -ld /mnt/pool/Share/Backup
drwsrws---+ 5 haegarthehorrible sambashare 4096 Apr 25 2022 /mnt/pool/Share/Backup
~$ stat /mnt/pool/Share/Backup
Access: (6770/drwsrws---) Uid: (1000/haegarthehorrible) Gid: (996/sambashare)
~$ getfacl /mnt/pool/Share/Backup
# file: mnt/pool/Share/Backup
# owner: haegarthehorrible
# group: sambashare
# flags: ss-
user::rwx
group::rwx
other::---
default:user::rw-
default:user:haegarthehorrible:rw-
default:group::rw-
default:group:sambashareAdmin:rw-
default:mask::rw-
default:other::---
```

File Permissions:

```
~$ ls -l /mnt/pool/Share/Backup/Test.txt
-rw-rwx---+ 1 haegarthehorrible sambashare 0 Feb 11 07:18 /mnt/pool/Share/Backup/Test.txt
~$ stat /mnt/pool/Share/Backup/Test.txt
Access: (0670/-rw-rwx---) Uid: (1000/haegarthehorrible) Gid: (996/sambashare)
~$ getfacl /mnt/pool/Share/Backup/Test.txt
# file: mnt/pool/Share/Backup/Test.txt
# owner: haegarthehorrible
# group: sambashare
user::rw-
user:haegarthehorrible:rw-
group::rw-
group:sambashare:rw-
group:sambashareAdmin:rw-
mask::rwx
other::---
```
MrGlasspoole (111 rep)
Feb 11, 2024, 08:24 AM
0 votes
0 answers
41 views
Setfacl not working only one file
I have set a facl for the SSL folder in the Rocky Linux distro. The folder has default rx for my custom user. But when new SSL & key files are created, certificate files have proper rights, but the key file does not. So I have a problem accessing the key file. This is the result of getfacl for the folder where the SSL & key are stored.

```
getfacl /usr/local/directadmin/data/users/xyz/domains/
# file: usr/local/directadmin/data/users/xyz/domains/
# owner: diradmin
# group: diradmin
user::rwx
user:myuser:r-x
group::--x
mask::r-x
other::--x
default:user::rwx
default:user:myuser:r-x
default:group::--x
default:mask::r-x
default:other::--x
```

This is the result for the newly created .key file inside that folder.

```
getfacl /usr/local/directadmin/data/users/xyz/domains/example.com.key
# file: usr/local/directadmin/data/users/xyz/domains/example.com.key
# owner: diradmin
# group: access
user::rw-
group::r--
other::---
```
doraemon (111 rep)
Oct 22, 2023, 06:54 PM • Last activity: Oct 22, 2023, 07:01 PM
0 votes
1 answers
68 views
linux ls -l ACL +, . , gap How to make gap
```
ls -l
drwxr-xr-x+   4 root root 4096 Sep 21 04:00 test     << +
drwxrwxrwt.  10 root root  250 Sep 21 04:03 tmp
drwxr-xr-x.  12 root root  144 Sep 19 03:42 usr      << .
drwxr-xr-x.  20 root root  278 Sep 19 03:52 var
drwxr-xr-x  20 root root  278 Sep 19 03:52 test1     <<
```
If there is an ACL setting, value = " + "; if there is no ACL setting, value = " . ". But the last directory, test1, has a gap. Why is there a blank space here, and how can I create that blank space?
박용원 (3 rep)
Sep 26, 2023, 05:31 AM • Last activity: Sep 26, 2023, 06:23 AM
0 votes
0 answers
76 views
Misunderstanding about linux permisions, groups
Recently I have decided to create automatic backups from my host to a little backup server by using ssh + rsync. I have created a separate user for this task, "backuppc", have created a "shared group", and have changed the mountpoint for my data from the main user's home folder to /data. So, now it looks like /data{Media, Work} etc.

Then I have tried to set what are, in my opinion, "correct permissions". First, I added my main user "serg" and the user for the backup task "backuppc" to the shared group. I have changed permissions for the shared folders to something like this:

```
# file: data/Media/
# owner: serg
# group: shared
# flags: -s-
user::rwx
group::rwx
other::---
default:user::rwx
default:group::rwx
default:group:shared:rwx
default:mask::rwx
default:other::---
```

"Correct permissions" as I see them are something like this: the group of the backup resources should be "shared", it should have read and write permissions, and "other" should not have any permission. I have changed the default mask and mask with the setfacl utility, and set the sticky bit for inheriting attributes from the parent folder.

After all these steps, I thought that when I copy/move any file from my home directory, which has a different group owner, to my "/data" resources, the group will be overwritten by the "shared" group and will get read and write permissions. However, when I copy or move a file with another group owner it stays the same and does not inherit the default mask of the shared resources. Even when I try to save any file from Firefox to the shared resources folders it gets only read permissions for the shared group. But the default mask for the group is "rwx".

I understand that I can use umask, but I think that is too difficult for this simple task. Now I think that something is wrong with my backup idea. Maybe I misunderstand something; could you give me some advice? I just want any file which will be placed/copied/moved into the shared resources to inherit the "shared" group "rwx" permission. Or maybe I should do this in another way? Thank you.

PS For changing permissions I have used the setfacl utility, chown and chmod.

```
chown -R :shared /data/Media
```

Now, I set the sticky bit and set read, write and execute permissions for the directory.

```
chmod -R g+swrx /data/media
```

Next, I have used setfacl to set default permissions for the group:

```
setfacl -R -dm "g:shared:rwx" /data/Media
```

PS Here is the ls -ld output

```
drwxrws---+ 15 serg shared 4096 авг 16 22:21 /data/Media/
```
One (13 rep)
Aug 16, 2023, 06:46 PM • Last activity: Aug 17, 2023, 05:39 PM
0 votes
1 answers
735 views
How can I give another user read/write access to a specific sub folder and the ability to ls the tree but only for the folder they have access to?
I have a user `user1` that has a bunch of folders in their home directory, including `/home/user1/data/special/files`. I have another user `user2`. I want:

- `user2` to be able to read/write files/folders in `/home/user1/data/special/files`
- `user2` to be able to `ls`:
  - `/` and see `/home`
  - `/home` and see `/home/user1`
  - `/home/user1` and see `/home/user1/data` but not other files/folders in `/home/user1`
  - `/home/user1/data` and see `/home/user1/data/special` but not other files/folders in `/home/user1/data`
  - `/home/user1/data/special` and see `/home/user1/data/special/files` but not other files/folders in `/home/user1/data/special`

I used setfacl to set permissions to `/home/user1/data/special/files` but it does not let them browse the path.

```
sudo setfacl -Rm d:u:user1:rwx,u:user1:rwx /home/user1/data/special/files
```

I do not want to change the user/group owner of any of these folders because they ultimately should belong to `user1`.

If it helps, here are more specific details. I'm using a web app/service running on this box. The web app/service is running as `user2`. In the web app/service, I have to browse/navigate to a folder with the files I want to see. So I have to go to:

1. `/` then
2. `/home` then
3. `/home/user1` then
4. `/home/user1/data` then
5. `/home/user1/data/special` then
5. `/home/user1/data/special/files`

I cannot just enter `/home/user1/data/special/files`. Is this possible?
IMTheNachoMan (433 rep)
Jul 14, 2023, 03:17 AM • Last activity: Jul 14, 2023, 04:53 AM
1 votes
1 answers
1763 views
How to setfacl on a directory and all its parents?
Let's say we have the following directory structure
```
a
  b1
    c1
    c2
  b2
    c3
    c4
```
And I want to use setfacl to give a user frank access to c1, I can do something like
```
setfacl -m u:frank:rX a/b1/c1
```
However this doesn't give him access to a and b1 automatically. The -R option does solve this because it applies the ACL to c1's children if there are any.
DrizzleX (125 rep)
May 25, 2023, 03:47 PM • Last activity: May 26, 2023, 06:38 AM
0 votes
0 answers
230 views
Setfacl in folders working but in files don't work correctly
I have a file server running Samba 4.9 on Debian 11, and the shared folders are working. I used setfacl for subgroups, but my conclusion was that it was confusing and not working. So I used setfacl for each user; in fact it worked, but just for folders. If I create a document defined as read-only for another user, he gets folder access but it seems empty. If I run the getfacl command, it shows the user has read rights. Can anyone explain to me what I need to do? I set up the shared folder as shown below:
mkdir /srv/shared
chown root.group1 /srv/shared
chmod -R 770 /srv/shared
setfacl -m u:user1:rwx shared
setfacl -m u:user2:rx shared
setfacl -m g:group1:rx shared
setfacl -m g::--- shared
setfacl -m d:u:user1:rwx shared
setfacl -m d:u:user2:rx shared
setfacl -m d:g:group1:rx shared
setfacl -m d:g::--- shared
Both user1 and user2 belong to the group group1. When user1 creates folder1 in shared, user2 has access, but if user1 creates a file1.txt, user2 doesn't see file1.txt; folder1 seems empty! Thanks if someone has an answer.
José Ricardo Ganiko (29 rep)
May 10, 2023, 06:02 PM • Last activity: May 10, 2023, 07:37 PM
1 votes
1 answers
189 views
Reverse setfacl without sudo or root
I have used the command `sudo setfacl -R -m u:ubuntu:rwx ..` Unfortunately, by mistake on the root directory; I stopped it in the middle, but too late. I hoped to reverse it by using `sudo setfacl -bR /`, however now I believe I lost sudo access.

```
ubuntu@oracle-free-vm: ~ $ sudo setfacl -bR /
sudo: /etc/sudo.conf is group writable
sudo: /etc/sudo.conf is group writable
sudo: error in /etc/sudo.conf, line 0 while loading plugin "sudoers_policy"
sudo: /usr/libexec/sudo/sudoers.so must be only be writable by owner
sudo: fatal error, unable to load plugins
```

This is a free instance on Oracle cloud, so I have no direct access to the system. I'm having trouble with `su -` as I can't seem to know the password for the root account; it might be disabled. Is there any way to reverse the changes made by setfacl or get to root to run a fix command? Or have I just lost all work and need to do a reinstall?
Leszek J. (11 rep)
Apr 6, 2023, 10:29 AM • Last activity: Apr 6, 2023, 11:34 AM
0 votes
0 answers
112 views
Restrict access to web directory using acl
The requirement is to allow a specific user (e.g. someuser) full access to a directory (e.g. /var/www/html/someproject) via SSH/SFTP, but not allow browsing anywhere else. Is it possible using only ACL?

I tried setting ACL like this:
setfacl -m u:someuser:--- /*  # no access to directories under root
setfacl -m u:someuser:x /var
setfacl -m u:someuser:x /var/www
setfacl -m u:someuser:x /var/www/html
setfacl -R -m u:someuser:rwx /var/www/html/someproject
But then SFTP would fail to connect with error:
Cannot initialize SFTP protocol. Is the host running an SFTP server?
Allowing access to some of the directories under root (e.g. /etc) fixes this, but then browsing in these directories would be allowed.
Arn (1 rep)
Jan 5, 2023, 07:13 AM • Last activity: Jan 5, 2023, 07:33 AM
0 votes
1 answers
535 views
Accessing a file in another users home directory using setfacl
I was trying to access a file in another user's home directory using ACLs. I have tried to do it the following way. User k9 made a file test.file and ran `setfacl -m u:sai:rwx test.file`. Following is the getfacl output.

```
k9@xxxx:~$ getfacl test.file
# file: test.file
# owner: k9
# group: k9
user::rw-
user:sai:rwx
group::rw-
mask::rwx
other::r--
```

And from user sai I tried accessing this file

```
sai@xxxx:~$ ls /home/k9/
ls: cannot open directory '/home/k9/': Permission denied
sai@xxxx:~$ ls /home/k9/test.file
ls: cannot access '/home/k9/test.file': Permission denied
```

Can we use setfacl to access test.file without having complete access to /home/k9/? If so, what am I doing wrong, and if not, how can that be done?
gst1502 (101 rep)
Oct 21, 2022, 10:17 AM • Last activity: Oct 21, 2022, 10:20 AM
1 votes
0 answers
47 views
Permission Error
I have installed bash shell in windows 10 to run linux commands. I am trying to execute a script which gives error "You do not have permission to edit". I have executed command "chmod 777 script4". Still the script does not execute. Now I am trying to run command "setfacl -m u:harpreet:rwx script4" which gives error "operation not supported". Please help.
harpreet (5 rep)
Sep 21, 2022, 10:44 AM
0 votes
1 answers
685 views
How to restrict read access to directory for specific user in centos?
So here is the deal: I created the directory `/home/accounting`, I have users `donna` and `mike`, and I want to restrict read privileges for them to this directory. After going to Google I was able to find how to change permissions with `chmod` for my user and my group, but I was not really able to find how I can specify a user in that command. Then I found the setfacl command, but I'm not sure if it enables permission or not, for example these two commands:

```
setfacl -R -m u:donna:r /home/accounting
setfacl -R -m u:mike:r /home/accounting
```

Is this correct? Or is there another way of revoking read access?
Sydnel (1 rep)
Aug 8, 2022, 11:33 AM • Last activity: Aug 19, 2022, 05:15 PM
3 votes
1 answers
99 views
ls throws errors when trying to access directory guarded with ACL
I have setup a directory and some files with setfacl.
```
jobq@workstation:~/Pool$ getfacl /etc/jobq
getfacl: Removing leading '/' from absolute path names
# file: etc/jobq
# owner: root
# group: jobq
user::rwx
user:jobq:rw-
group::r-x
group:jobq:rwx
mask::rwx
other::r-x

jobq@workstation:~/Pool$ sudo getfacl /etc/jobq/log.txt
getfacl: Removing leading '/' from absolute path names
# file: etc/jobq/log.txt
# owner: root
# group: jobq
user::rw-
group::rw-
group:jobq:rwx
mask::rwx
other::r--

jobq@workstation:~/Pool$ groups
jobq
```
However, when I run a command, like
```
ls -al /etc/jobq
```
I'm getting permission errors:
```
ls: cannot access '/etc/jobq/log.txt': Permission denied
total 0
d????????? ? ? ? ?            ? .
d????????? ? ? ? ?            ? ..
```
Since user jobq is in the group jobq, they should have access to the directory. What am I misunderstanding? How can I fix this?
infinitezero (207 rep)
Jun 21, 2022, 06:29 AM • Last activity: Jun 21, 2022, 06:44 AM
1 votes
1 answers
715 views
setfacl -m works but setfacl -x does not work
I have the following code in a bash file:
```
sudo setfacl -m g:jobq:x /usr/local/sbin/jobq_submit
sudo setfacl -m g:jobq:x /usr/local/sbin/jobq_server
sudo setfacl -m g:jobq:x /usr/local/sbin/jobq_server_stop
sudo setfacl -m g:jobq:x /usr/local/sbin/jobq_server_start
sudo setfacl -m g:jobq:x /usr/local/sbin/jobq_status
sudo setfacl -m g:jobq:x /usr/local/sbin/jobq_stop

sudo setfacl -x g:jobq:rw /usr/local/sbin/jobq_submit
sudo setfacl -x g:jobq:rw /usr/local/sbin/jobq_server
sudo setfacl -x g:jobq:rw /usr/local/sbin/jobq_server_stop
sudo setfacl -x g:jobq:rw /usr/local/sbin/jobq_server_start
sudo setfacl -x g:jobq:rw /usr/local/sbin/jobq_status
sudo setfacl -x g:jobq:rw /usr/local/sbin/jobq_stop
sudo setfacl -x g:jobq:rw /usr/local/sbin/jobq_submit
```
The lines with -m do not give an error message, but the lines with -x say

> setfacl: Option -x: Invalid argument near character 8

What is wrong here?
infinitezero (207 rep)
Jun 20, 2022, 11:24 AM • Last activity: Jun 20, 2022, 11:33 AM
Showing page 1 of 20 total questions