chlebik / rhcsa-practice-questions

RHCSA practice questions for version 7/8

009 "default" prefix (d:) problematic #29

Closed NobleKangaroo closed 2 years ago

NobleKangaroo commented 2 years ago

I believe adding the "default" (d:) flag to the ACL is incorrect; this results in the target user being unable to access the folder.

Creating a new directory /facl with 0700 (default /home directory permissions) then assigning the ACL as suggested:

[root@centos7 ~]# mkdir /facl
[root@centos7 ~]# chmod 0700 /facl
[root@centos7 ~]# ls -ld /facl
drwx------. 2 root root 6 Sep  9 18:46 /facl
[root@centos7 ~]# setfacl -R -m d:u:centos:rwx /facl
[root@centos7 ~]# getfacl /facl
getfacl: Removing leading '/' from absolute path names
# file: facl
# owner: root
# group: root
user::rwx
group::---
other::---
default:user::rwx
default:user:centos:rwx
default:group::---
default:mask::rwx
default:other::---

However when attempting to access the directory, the specified user cannot access it.

[centos@centos7 ~]$ cd /facl
-bash: cd: /facl: Permission denied
[centos@centos7 ~]$ touch /facl/test
touch: cannot touch ‘/facl/test’: Permission denied

This is likely due to the user (centos) not having write access already in place, but only on newly created files/directories. Adding u:centos:rwx without the preceding d: resolves this:

[root@centos7 ~]# setfacl -m u::rwx /facl
[root@centos7 ~]# getfacl /facl
getfacl: Removing leading '/' from absolute path names
# file: facl
# owner: root
# group: root
user::rwx
group::---
other::--x
default:user::rwx
default:user:centos:rwx
default:group::---
default:mask::rwx
default:other::---

Confirming access:

[centos@centos7 ~]$ cd /facl
[centos@centos7 /facl]$ ls -la
total 0
drwxrwx--x+  2 root root   6 Sep  9 18:46 .
dr-xr-xr-x. 18 root root 236 Sep  9 18:46 ..
[centos@centos7 /facl]$ touch x
[centos@centos7 /facl]$ ls -la
total 0
drwxrwx--x+  2 root   root    15 Sep  9 18:58 .
dr-xr-xr-x. 18 root   root   236 Sep  9 18:46 ..
-rw-rw----+  1 centos centos   0 Sep  9 18:58 x
[centos@centos7 /facl]$ getfacl x
# file: x
# owner: centos
# group: centos
user::rw-
user:centos:rwx                 #effective:rw-
group::---
mask::rw-
other::---

Resultant ACL: (note the additional user:centos:rwx)

[root@centos7 ~]# getfacl /facl
getfacl: Removing leading '/' from absolute path names
# file: facl
# owner: root
# group: root
user::rwx
user:centos:rwx
group::---
mask::rwx
other::--x
default:user::rwx
default:user:centos:rwx
default:group::---
default:mask::rwx
default:other::---

After removing all ACLs and starting anew, another way to do this in one fell swoop (if you must use the d: prefix) is:

[root@centos7 ~]# setfacl -b /facl
[root@centos7 ~]# getfacl /facl
getfacl: Removing leading '/' from absolute path names
# file: facl
# owner: root
# group: root
user::rwx
group::---
other::--x
[root@centos7 ~]# setfacl -R -m u:centos:rwx,d:u:centos:rwx /facl
[root@centos7 ~]# getfacl /facl
getfacl: Removing leading '/' from absolute path names
# file: facl
# owner: root
# group: root
user::rwx
user:centos:rwx
group::---
mask::rwx
other::--x
default:user::rwx
default:user:centos:rwx
default:group::---
default:mask::rwx
default:other::--x
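
A check for the condition described in this issue, as an added example that is not part of the original thread or the repository: `default_only_entries` (a hypothetical name) reads `getfacl` output and lists named users or groups that have a `default:` entry but no matching access entry. The first sample reproduces the listing from the post; the second is constructed from the final listing.

```shell
#!/usr/bin/env bash
# Added example (not from the issue): flag named users/groups that appear only
# in a directory's default ACL. Input is `getfacl` (or `getfacl -R`) output.

default_only_entries() {
  awk -F: '
    function report(   k) {
      for (k in dflt) if (!(k in acc)) print file ": " k ":" dflt[k]
      split("", dflt); split("", acc)          # reset for the next file
    }
    /^# file: /    { report(); file = substr($0, 9); next }
    /^#/ || NF < 3 { next }                    # other headers, blank lines
    { sub(/[ \t]*#.*$/, "") }                  # drop "#effective:..." notes
    $1 == "default" && ($2 == "user" || $2 == "group") && $3 != "" {
      dflt[$2 ":" $3] = $4; next               # named default entry
    }
    ($1 == "user" || $1 == "group") && $2 != "" { acc[$1 ":" $2] = $3 }
    END { report() }
  ' | sort
}

# Sample 1: the listing from the post after `setfacl -R -m d:u:centos:rwx /facl`.
sample_default_only() {
  cat <<'EOF'
# file: facl
# owner: root
# group: root
user::rwx
group::---
other::---
default:user::rwx
default:user:centos:rwx
default:group::---
default:mask::rwx
default:other::---
EOF
}

# Sample 2 (constructed from the final listing): access and default entries both set.
sample_both() {
  printf '%s\n' '# file: facl' 'user::rwx' 'user:centos:rwx' 'group::---' \
    'mask::rwx' 'other::--x' 'default:user::rwx' 'default:user:centos:rwx' \
    'default:group::---' 'default:mask::rwx' 'default:other::--x'
}

sample_default_only | default_only_entries   # facl: user:centos:rwx
sample_both | default_only_entries           # no output: nothing is default-only
```

On a live system, pipe `getfacl -R /facl 2>/dev/null` into the function instead of the samples.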

chlebik commented 2 years ago

Thank you for the detailed issue.

I would gladly accept a PR fixing that; if you're not up to it, I can do it on my own.

NobleKangaroo commented 2 years ago

You bet. I'll get one over to ya as soon as I can. Have a couple things to add in some other questions as well. Thanks for the compilation. It's pretty good material.

Regards,

Chris