Restoring ACL using setfacl/getfacl? - unix

I recently removed my ACL because my professor needed to copy certain files. Now I know I should have just granted his user permissions instead of removing it all using 'setfacl -b .' on my home directory.
So the question is how do I recover or set a new ACL to my home directory using setfacl/getfacl?

You can't 'recover' what you discarded in the way of ACLs. If you know what you had set previously, you can reinstate those remembered ACLs anew, carefully.
Basic Permissions
On a Unix system, the most important criteria for you are the group and other ones - they are not directly affected by ACLs, but they control the access not governed by ACLs, and you must get them right too. You need to decide what is appropriate in your environment. For many corporate settings, allowing group and others read access on files, execute on programs, and read and search (execute) on directories is appropriate:
chmod 644 file
chmod 755 program
chmod 755 directory
If you are not supposed to let other people borrow your course work, you would nail things down so that group and others are not allowed in at all:
chmod 600 file
chmod 700 program
chmod 700 directory
Or you can mix and match; allow flexibility and open access to your home directory, but restrict people underneath that. In some circumstances, you might allow group or other only execute permission on a directory (and only read on a file). Then other people cannot access the file unless they know its name, and they can only read the file, not modify it or the directory that holds it.
Don't forget to use an appropriate umask setting so files are created with the correct permissions by default. For many people, a umask of 022 is appropriate; neither group members nor others can write to the file or directory, but they can read files or execute programs.
Using ACLs
None of this requires ACLs. If you want to provide controlled access to certain groups or users and not to others, then you need to ensure you have the appropriate base-level permissions set, and you can then effectively add permissions for selected users or groups on the files or directories you choose.
The Solaris 10 man page for setfacl says that the command syntax is:
setfacl [-r] -s acl_entries file
setfacl [-r] -md acl_entries file
setfacl [-r] -f acl_file file
This does not mention the '-b' option mentioned in the question, so you may be using a different platform. Note that ACL control was going to be standardized as POSIX.1e, but it was never actually ratified, so different platforms implement slightly different variants of the commands.
The Solaris 10 man page then goes on to explain how to set the 'acl_entries' part of the description, with a note that the default part can only be applied to a directory, but the default values will be used for files in the directory.
ACL Entry                     Description
u[ser]::perms                 File owner permissions.
g[roup]::perms                File group owner permissions.
o[ther]:perms                 Permissions for users other than the file owner or members of the file group owner.
m[ask]:perms                  The ACL mask. The mask entry indicates the maximum permissions allowed for users (other than the owner) and for groups. The mask is a quick way to change permissions on all the users and groups.
u[ser]:uid:perms              Permissions for a specific user. For uid, you can specify either a user name or a numeric UID.
g[roup]:gid:perms             Permissions for a specific group. For gid, you can specify either a group name or a numeric GID.
d[efault]:u[ser]::perms       Default file owner permissions.
d[efault]:g[roup]::perms      Default file group owner permissions.
d[efault]:o[ther]:perms       Default permissions for users other than the file owner or members of the file group owner.
d[efault]:m[ask]:perms        Default ACL mask.
d[efault]:u[ser]:uid:perms    Default permissions for a specific user. For uid, you can specify either a user name or a numeric UID.
d[efault]:g[roup]:gid:perms   Default permissions for a specific group. For gid, you can specify either a group name or a numeric GID.
You will need to decide who, apart from your professor, needs access to files. Maybe your lab partner does; maybe the teaching assistants do; maybe your whole year (but not the years below you - those above you probably already know what you know). But without any more information about your requirements for protection, no-one can help you more. And generally, it is easy to get the ACLs wrong - use sparingly, if at all, and use the standard Unix permissions as your main access control.
And next time, I suggest simply allowing your professor in by adding (not erasing) ACLs - or asking him where he wants you to copy the files to (putting the onus on him to sort out the permissions issues), or copying the files into a directory such as $HOME/tmp/prof.jones with 711 permission on the directory and 644 permissions on the files, and telling him which files are there for him to copy.
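The mask entry in the table above is the part of POSIX.1e ACLs that people most often get wrong, and it is also why "set base permissions first, then add entries" matters. The following is an added worked example, not code from the answer or from any setfacl implementation: it parses getfacl(1) long-form output as found on Linux, computes the effective permission of each entry after the mask is applied, evaluates an access request the way the POSIX.1e algorithm does, and shows what happens to a named-user entry when you later run a plain chmod on the directory (on Linux, chmod's group digit rewrites the mask, not the group entry). The getfacl text, the user names alice and prof, and the group names are all constructed for the demo.

```python
"""POSIX.1e ACL evaluation with the mask entry (added example, constructed data)."""

PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Constructed getfacl output: alice's homework directory with prof granted r-x.
SAMPLE_GETFACL = """\
# file: homework
# owner: alice
# group: students
user::rwx
user:prof:r-x
group::---
mask::r-x
other::---
"""


def parse_perms(text):
    """'r-x' or 'rx' -> 5 (ignores any '#effective:' suffix getfacl may print)."""
    return sum(PERM_BITS[c] for c in text.split("#")[0] if c in PERM_BITS)


def fmt_perms(bits):
    """5 -> 'r-x'."""
    return "".join(c if bits & v else "-" for c, v in PERM_BITS.items())


def parse_getfacl(text):
    """Return {'owner', 'group', 'entries': [(tag, qualifier, bits), ...]}."""
    acl = {"owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("# owner:"):
                acl["owner"] = line.split(":", 1)[1].strip()
            elif line.startswith("# group:"):
                acl["group"] = line.split(":", 1)[1].strip()
            continue
        # Long form always has three fields: tag:qualifier:perms ("user::rwx", "user:prof:r-x").
        tag, qualifier, perms = line.split(":", 2)
        acl["entries"].append((tag, qualifier, parse_perms(perms)))
    return acl


def _mask(acl):
    return next((b for t, _, b in acl["entries"] if t == "mask"), None)


def _is_masked(tag, qualifier):
    """Named users, the owning group and named groups are capped by the mask;
    the owner entry (user::) and the other entry are not."""
    return tag == "group" or (tag == "user" and qualifier != "")


def _eff(acl, tag, qualifier, bits):
    mask = _mask(acl)
    return bits & mask if (mask is not None and _is_masked(tag, qualifier)) else bits


def effective_perms(acl):
    """Map 'tag:qualifier' -> effective permission string after the mask."""
    return {f"{t}:{q}": fmt_perms(_eff(acl, t, q, b))
            for t, q, b in acl["entries"] if t != "mask"}


def can_access(acl, user, groups, wanted):
    """POSIX.1e check: owner, then named user, then any matching group entry
    (one group entry granting the whole request is enough), then other."""
    want = parse_perms(wanted)
    entries = acl["entries"]
    if user == acl["owner"]:
        owner_bits = next(b for t, q, b in entries if t == "user" and q == "")
        return owner_bits & want == want
    for tag, qualifier, bits in entries:
        if tag == "user" and qualifier == user:
            return _eff(acl, tag, qualifier, bits) & want == want
    matched_group = False
    for tag, qualifier, bits in entries:
        if tag != "group":
            continue
        if (acl["group"] if qualifier == "" else qualifier) in groups:
            matched_group = True
            if _eff(acl, tag, qualifier, bits) & want == want:
                return True
    if matched_group:
        return False
    return next(b for t, q, b in entries if t == "other") & want == want


def chmod_group_bits(acl, group_bits):
    """What the group digit of chmod does on Linux when a mask entry exists:
    it rewrites the mask (not group::), so every named-user entry is capped."""
    has_mask = _mask(acl) is not None
    new_entries = [(t, q, group_bits if (t == "mask" or (t == "group" and q == "" and not has_mask)) else b)
                   for t, q, b in acl["entries"]]
    return {**acl, "entries": new_entries}


def grant_command(user, perms, path):
    """The narrow fix instead of 'setfacl -b': add one entry for one user."""
    return f"setfacl -m u:{user}:{perms} {path}"


if __name__ == "__main__":
    acl = parse_getfacl(SAMPLE_GETFACL)
    print("effective:", effective_perms(acl))
    print("prof can read+search:", can_access(acl, "prof", ["faculty"], "rx"))
    after = chmod_group_bits(acl, 0)  # the group digit of 'chmod 700 homework'
    print("after chmod 700, prof gets:", effective_perms(after)["user:prof"])
    print("fix:", grant_command("prof", "rx", "~/homework"))
```

The chmod case is the practical caveat: if you grant your professor `u:prof:r-x` and then, following the "nail things down" advice, run `chmod 700` on the same directory, the mask drops to `---` and the professor's entry is still listed by getfacl but grants nothing. Re-run `setfacl -m` (or `setfacl -m m::rx`) after any chmod on an ACL-bearing directory, and keep a `getfacl -R` dump of your home directory so a future `setfacl -b` can be undone with `setfacl --restore`.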

Related

Wordpress theme edit file permission issue

You need to make this file writable before you can save your changes. See Changing File Permissions for more information.
Make sure you have the correct permissions to edit the files in your FTP or File Manager in cPanel. You don't have any permissions to edit the required files. Let me explain what file permissions are and how to enable them.
What are file permissions?
This is a method of administering access rights to certain files of your site. There are 3 types of permissions: read, write, and execute. Each of these types can be defined per user group. These include owner permissions, group permissions, and public permissions. Some hosts' security settings do not have the ideal WordPress permissions set by default, so you'll have to add this yourself. You don't need to worry about all these technical details. All you need to remember is the number: 666.
Changing file permissions in FTP
This is probably the quickest way of changing the file permissions for all of your template files in one swift command. Open up your favorite FTP client, navigate to your template directory (with style.css, index.php, etc.) and select all .php and .css files. Do not select images or subdirectories.
You can press CTRL + A to select them all, and click while holding CTRL to deselect items like images. After selecting the File Attributes option from the menu, you can change all the permissions to 666. You'll notice that the group and public write permissions will automatically be checked.
After pressing OK all the permissions to the files you selected should be changed to -rw-rw-rw-. You should now be able to edit them via the theme editor.
Changing permissions in cPanel
You can also do this in cPanel, although not in bulk (for the version of cPanel I’m using anyway). Open up the file manager, navigate to the template directory (similar to FTP) and click on the file you want to change permissions for.
Change each one to 666, as before. This could be useful if you don’t have access to an FTP client, or just want to selectively make files writable.
You may see different sources telling you to set everything to 777, which gives everybody full permissions. I wouldn’t recommend this. Although it would work, it may open up security holes on your site. The 666 permissions are just enough for the text files you’ll be editing.
I have fixed this with a command:
sudo chmod -R 777 "filepath"

Change write access permission of dataset in sas

I have a few data sets whose write access needs to be transferred to another user. I am aware of the chmod command, but if I use that then I am giving write permission to all other users. I just want the file owner's write access to be transferred or given to another single user.
Instead of CHMOD, use CHOWN:
The chown command changes the user and/or group ownership of a given file. The syntax is:
chown owner-user file
chown owner-user:owner-group file
chown owner-user:owner-group directory
chown options owner-user:owner-group file
Source: http://www.cyberciti.biz/faq/how-to-use-chmod-and-chown-command/
chmod allows you to grant file permissions to specific users via the use of Access Control Lists (ACLs). Without knowing more about your system it's difficult to advise on how to create one of these - e.g. Solaris is quite different from Linux in this regard.

Why does a new default directory have user executable permissions where as a new file only has user read and write permissions?

Noticed this when creating a new directory in unix, and was just curious as to why this is so.
Thanks
A new directory created by a user and owned by the user with full permissions is no big deal. However, a new file/program if executed accidentally or before configuration could have catastrophic results. So the designers decided to give you a layer of protection.
It also prevents other users from executing the file unless you specifically grant permission.
Because you need the execute permission to navigate into the directory.
So basic permissions allow a user to read a file (file read permission), and to access a file in a directory (directory execute permission).
Note that read permission on a folder allows a user to list the files in it. (But it doesn't allow reading them unless execute permission is granted too, as I said in the first place.)
Basically, +x on a directory means that the user can 'execute it' hence change into it (replace user by group or other depending on position in permissions).
Hence drwxr--r-- means only the user can change into the directory.
The directory needs to have executable permissions so you can do things such as cd into it. Also the executable permission lets you look into the directory for inode information of the files it contains.

Why do apache owned files get created by wordpress?

I get this problem now and then, where I use an FTP account given to me by the host and use them in Wordpress FTP. But for some reason when updating themes for example, the new theme gets created under apache/apache and not user/psacln user name/group. So at that point I can't delete or do anything with those files as I am under psacln group.
I would like to find out more about why this may happen to avoid this problem - any suggestions are welcome!
Thanks in advance.
When you upload files via the WordPress admin page (like themes), the httpd process running as the apache user is actually creating them on your system, hence why they are owned by the apache user. I suggest these options to work around this:
Add yourself and apache to a new group called 'wordpress'
Use chown to change the group ownership of your WordPress tree to the new group
Use chmod to set the sgid permission bit and the group write permission on all directories in the WordPress docroot
Setting the sgid bit will make all files added to a directory get the same group owner as the directory.
Assuming you've added yourself and apache to the same group, here are the Linux commands to set up the directories to ensure files get created writable by everyone in the wordpress group:
chown -R :wordpress /path/to/wordpress/docroot/
chmod -R g+w /path/to/wordpress/docroot/
find /path/to/wordpress/docroot/ -type d -exec chmod g+s {} +
Additional thing that may be needed:
If you see apache creating files with group permissions without write, you may need to change the default umask for the apache user for creation of new files. By default it should be owner and group write allowed, but I know some accounts (like root user) have the default umask set to be group read only.
Because apache's worker children run under apache's userid, and a "common user" on a unix system cannot make files be owned by some OTHER user. Only the root account can "give away" ownership.
Why? It'd be trivial for a normal user to make a file owned by root, or owned by another user. If a given system was running with user quotas, this would allow a user to completely subvert the quotas, or deny someone else access by "giving" them a bunch of huge files and exceeding that user's quota.
If you need access to those files, regardless of the unix ownership, you could look into using POSIX acls, which exist above/beyond the unix permissions.
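The shared-group recipe in the first answer has two parts that are easy to leave half done: every directory needs the setgid bit and group-write (a later rsync or unzip often resets them), and the apache worker's umask decides whether the files it creates are group-writable at all. The following is an added example, not the answer's own script or anything shipped with WordPress: it builds a constructed docroot in a temporary directory, audits it for the two conditions, applies the same fix as the `chmod -R g+w` and `find ... chmod g+s` lines above, and creates files under two umasks to show the resulting modes. The `chown -R :wordpress` step is left out because it needs a real second group to be observable, so only modes are checked; `wordpress` and the paths are assumptions.

```python
"""Audit and repair a shared docroot for setgid + group-write; show umask's effect.
Added example with a constructed temporary tree; no real WordPress install is touched."""

import os
import stat
import tempfile

GROUP_WRITE = stat.S_IWGRP
SETGID = stat.S_ISGID


def audit_docroot(root):
    """Return (path, problem) pairs: directories lacking setgid or group-write,
    files lacking group-write. An empty list means the tree matches the recipe."""
    problems = []
    for dirpath, _dirnames, filenames in os.walk(root):
        mode = os.stat(dirpath).st_mode
        if not mode & SETGID:
            problems.append((dirpath, "directory missing setgid"))
        if not mode & GROUP_WRITE:
            problems.append((dirpath, "directory missing group write"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.stat(path).st_mode & GROUP_WRITE:
                problems.append((path, "file missing group write"))
    return problems


def fix_docroot(root):
    """Equivalent of: chmod -R g+w ROOT; find ROOT -type d -exec chmod g+s {} +
    (the chown -R :wordpress step needs a real group and is omitted here)."""
    for dirpath, _dirnames, filenames in os.walk(root):
        os.chmod(dirpath, stat.S_IMODE(os.stat(dirpath).st_mode) | GROUP_WRITE | SETGID)
        for name in filenames:
            path = os.path.join(dirpath, name)
            os.chmod(path, stat.S_IMODE(os.stat(path).st_mode) | GROUP_WRITE)


def create_with_umask(path, umask):
    """Create a file under the given umask and return its permission bits.
    This is what the apache worker does: the open() mode 0o666 & ~umask.
    umask 022 -> 0o644 (group cannot write), umask 002 -> 0o664."""
    old = os.umask(umask)
    try:
        with open(path, "w") as fh:
            fh.write("<?php\n")
    finally:
        os.umask(old)
    return stat.S_IMODE(os.stat(path).st_mode)


def theme_path(root, name):
    """Path of a file inside the constructed themes directory."""
    return os.path.join(root, "wp-content", "themes", name)


def build_sample_tree():
    """Constructed docroot as a 022-umask process leaves it: 755 dirs, 644 file, no setgid."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "wp-content", "themes"))
    for d in (root, os.path.join(root, "wp-content"), os.path.join(root, "wp-content", "themes")):
        os.chmod(d, 0o755)
    with open(theme_path(root, "style.css"), "w") as fh:
        fh.write("/* constructed sample theme */\n")
    os.chmod(theme_path(root, "style.css"), 0o644)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for path, problem in audit_docroot(root):
        print(f"{problem}: {path}")
    fix_docroot(root)
    print("problems after fix:", len(audit_docroot(root)))
    print("umask 022 ->", oct(create_with_umask(theme_path(root, "a.php"), 0o022)))
    print("umask 002 ->", oct(create_with_umask(theme_path(root, "b.php"), 0o002)))
```

Run the audit function against the real docroot after every theme or plugin update; if files appear with the right group but without group-write, the umask of the apache service is the thing to change, not the directory bits.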

chmod 755 for directories - does this allow everyone to delete the folder?

Does the "execute" bit also mean "deletion" permissions, or do I need "write" permissions for that?
To remove a directory, the parent of that directory must be writable by the effective user. The write and execute flags of the directory being removed do not matter.
Additionally, one cannot remove a directory if it is not empty. Often a user will use the rm -r command to remove a non-empty directory tree recursively by first removing all its contents. If the user does not have write permission to the subdirectories, he/she cannot empty their contents first.
No, the 'execute' bit is used by directories to determine whether a 'user' can view the files listed in the directory. In regards to deletion the relevant bit is the 'write' permission bit of the parent directory.
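Both this question and the earlier one about why a new directory gets the execute bit come down to the same four rules: read on a directory lets you list names, execute lets you enter it or pass through it, opening a file by name needs execute on every directory in the path plus read on the file, and deleting an entry needs write and execute on the parent (the entry's own bits do not matter). The following is an added worked example, not text from either answer: it encodes those rules, plus the sticky-bit exception, and checks them against a constructed tree. Users alice and bob, their uids and the modes are all constructed; root (uid 0) is modelled as passing every check, which is the CAP_DAC_OVERRIDE behaviour on Linux.

```python
"""Unix directory permission rules as code (added example, constructed users and tree)."""

import stat
from dataclasses import dataclass

R, W, X = 4, 2, 1


@dataclass(frozen=True)
class User:
    name: str
    uid: int
    gids: frozenset


@dataclass(frozen=True)
class Node:
    """A file or directory: permission bits (may include S_ISVTX) and ownership."""
    mode: int
    uid: int
    gid: int


def class_bits(node, user):
    """The rwx triple that applies: owner, else group, else other. Only the first
    matching class is used; a group member gets the group bits even if 'other'
    would have been more generous."""
    if user.uid == 0:
        return R | W | X
    if user.uid == node.uid:
        return (node.mode >> 6) & 7
    if node.gid in user.gids:
        return (node.mode >> 3) & 7
    return node.mode & 7


def has(node, user, bits):
    return class_bits(node, user) & bits == bits


def can_list(directory, user):
    """ls: read on the directory shows the names (not the contents)."""
    return has(directory, user, R)


def can_traverse(directory, user):
    """cd into it, or use it as a path component: execute on the directory."""
    return has(directory, user, X)


def can_read_file(path_dirs, file, user):
    """open('d1/d2/f'): execute on every directory in the path, read on the file.
    Read on the directories is not needed, so a 711 directory hides names but
    still serves files to anyone who knows them."""
    return all(can_traverse(d, user) for d in path_dirs) and has(file, user, R)


def can_unlink(parent, entry, user):
    """rm or rmdir of an entry: write+execute on the PARENT; the entry's own
    mode (755 or 000) is irrelevant. With the sticky bit on the parent, only
    the entry's owner, the parent's owner or root may delete it."""
    if not has(parent, user, W | X):
        return False
    if parent.mode & stat.S_ISVTX and user.uid != 0:
        return user.uid in (entry.uid, parent.uid)
    return True


def sample_world():
    """Constructed users and tree used by the demo and the checks."""
    alice = User("alice", 1000, frozenset({1000}))
    bob = User("bob", 1001, frozenset({1001}))
    return {
        "alice": alice,
        "bob": bob,
        "home": Node(0o755, 1000, 1000),          # the 755 directory from the question
        "project": Node(0o711, 1000, 1000),       # searchable but not listable
        "notes": Node(0o644, 1000, 1000),         # a file inside project
        "tmp": Node(stat.S_ISVTX | 0o777, 0, 0),  # world-writable, sticky bit set
    }


if __name__ == "__main__":
    w = sample_world()
    bob = w["bob"]
    print("bob lists 755 home:", can_list(w["home"], bob))
    print("bob deletes project from 755 home:", can_unlink(w["home"], w["project"], bob))
    print("bob lists 711 project:", can_list(w["project"], bob))
    print("bob reads project/notes by name:", can_read_file([w["home"], w["project"]], w["notes"], bob))
    print("bob deletes alice's file in sticky /tmp:", can_unlink(w["tmp"], w["notes"], bob))
```

The `can_unlink` rule is the answer to the 755 question: bob can enter and list the directory, but the missing write bit for "other" on the parent is what stops him deleting anything in it. The sticky bit is why a 1777 /tmp does not let users delete each other's files even though everyone has write on it.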
