How do I set inheritance on a folder with sub folders?

Soldato | Joined 18 May 2010 | Posts 22,944 | Location London
This has been a little bit of an issue for a few years now and I've never been able to solve it.

We manage groups using LDAP. We can also set extended ACLs using setfacl.

This is the scenario and problem.

The Condition Reports folder has the registrar group (rwx) on it, and the group gets those privileges.

I can set an extended ACL on the directory and use the -R switch to give user:lucy:rwx on the directory and subfolders.

If a member of the registrar group makes a change to a file or folder within the Condition Reports folder, the extended ACL for lucy seems to get stripped, meaning user:lucy no longer has access.

How do I set inheritance on the directory so that if a member of the group registrar makes a change, the extended ACL set for user:lucy is retained, without having to reset the privilege manually every time a change is made?

Thanks
I think that you need to set a default ACL, which is different from setting the ACL recursively on the directory.

From some course notes for RHEL7:

Controlling default ACL file permissions

A directory can have default ACLs set on it that are automatically inherited by all new files and new subdirectories. There can be default ACL permissions set for each of the standard ACL settings, including a default mask.

A directory still requires standard ACLs for access control because default ACLs do not implement access control for the directory; they only provide ACL permission inheritance support.

An example:
Code:
$ setfacl -m d:u:name:rx directory
This adds a default named user (d:u:name) with read-only permission and execute permission on subdirectories.

The setfacl command for adding a default ACL for each of the ACL types is exactly the same as for standard ACLs, but prefaced with d:. Alternatively, use the -d option on the command line.

Important

When setting default ACLs on a directory, ensure that users will be able to access the contents of new subdirectories created in it by including the execute permission on the default ACL.

Users will not automatically get the execute permission set on newly created regular files because unlike new directories, the ACL mask of a new regular file is rw-.


Note

New files and new subdirectories continue to get their owner UID and primary group GID values set from the creating user, except when the parent directory setgid flag is enabled, in which case the primary group GID will be the same as the parent directory GID.


Deleting default ACLs

Deleting a default ACL is also the same as deleting a standard ACL; again, preface with d:, or use the -d option.

Code:
$ setfacl -x d:u:name directory
This removes the default ACL that was added in the previous example.

To delete all default ACLs on a directory, use setfacl -k /directory. To delete ALL ACLs on a directory, use setfacl -b /directory.
But I would note that I haven't had to use ACLs in the wild for quite some time.
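To show why the notes say a new regular file ends up with an ACL mask of rw- (and why a default ACL, rather than a recursive one, is what keeps lucy's entry on files the registrar group creates), here is an added Python model of the inheritance rule; it is not code from the thread or from the RHEL notes, and the sample default ACL for the "Condition Reports" folder is constructed.

```python
# Added example: model of how Linux applies a directory's default ACL to
# new objects (POSIX.1e draft semantics). Not from the thread or RHEL notes.
PERM = {"r": 4, "w": 2, "x": 1}


def parse(perm):
    """'rwx' / 'r-x' -> permission bits."""
    return sum(PERM[c] for c in perm if c != "-")


def fmt(bits):
    return "".join(c if bits & v else "-" for c, v in PERM.items())


# Entries are (tag, qualifier, bits); qualifier "" = owner / owning group.
# Constructed result of: setfacl -m d:u:lucy:rwx "Condition Reports"
DEFAULT_ACL = [
    ("user", "", parse("rwx")),
    ("user", "lucy", parse("rwx")),
    ("group", "", parse("rwx")),  # registrar is the owning group
    ("mask", "", parse("rwx")),
    ("other", "", parse("r-x")),
]


def inherit(default_acl, is_dir):
    """Access ACL a new object receives from its parent's default ACL.

    The default ACL is copied; the owner, mask (or owning group when no
    mask exists) and other entries are ANDed with the creation mode:
    0777 for mkdir, 0666 for a regular file. umask is ignored when a
    default ACL exists. Named entries keep their bits, but the mask
    limits what they effectively grant, hence rw- on new files.
    """
    mode = 0o777 if is_dir else 0o666
    owner, group, other = (mode >> 6) & 7, (mode >> 3) & 7, mode & 7
    has_mask = any(tag == "mask" for tag, _, _ in default_acl)
    access = []
    for tag, qual, bits in default_acl:
        if tag == "user" and qual == "":
            bits &= owner
        elif tag == "mask" or (tag == "group" and qual == "" and not has_mask):
            bits &= group
        elif tag == "other":
            bits &= other
        access.append((tag, qual, bits))
    return access


def getfacl_lines(acl, prefix=""):
    """Render like getfacl, flagging entries the mask cuts down."""
    mask = next((b for t, _, b in acl if t == "mask"), None)
    lines = []
    for tag, qual, bits in acl:
        line = f"{prefix}{tag}:{qual}:{fmt(bits)}"
        limited = mask is not None and (tag == "group" or (tag == "user" and qual))
        if limited and bits & ~mask & 7:
            line += f"\t#effective:{fmt(bits & mask)}"
        lines.append(line)
    return lines


if __name__ == "__main__":
    print("\n".join(getfacl_lines(inherit(DEFAULT_ACL, is_dir=False))))
    print("\n".join(getfacl_lines(inherit(DEFAULT_ACL, is_dir=True), "default:")))
```

A new subdirectory also receives the parent's default ACL as its own default ACL, so the inheritance continues down the tree without any -R.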