also sprach martin f krafft <[EMAIL PROTECTED]> [2004.10.26.1257 +0200]:
> Instead of applying ACLs recursively, I would like to be able to say
> that admin-a gets rwX rights to the directory group-a and all its
> subdirectories and files.

This can be done with default ACLs. However, the user can override it,
which should not be possible. E.g.:

  setfacl -d -m admin-a:rwx /home/group-a
  getfacl /home/group-a/student-1
  # file: /home/group-a/student-1
  # owner: student-1
  # group: group-a
  user::rwx
  user:admin-a:rwx
  group::---
  other::---
  default:user::rwx
  default:user:admin-a:rwx
  default:group::---
  default:mask::---
  default:other::---

So far so good, admin-a has rwx rights on the directory and on all files
that student-1 creates. However, student-1 can simply do

  chmod og= ~

and all the ACLs are void because the mask is zeroed.

  # file: /home/group-a/student-1
  # owner: students-1
  # group: group-a
  user::rwx
  user:admin-a:rwx                #effective:---
  group::---
  mask::---
  other::---
  default:user::rwx
  default:user:admin-a:rwx
  default:group::---
  default:mask::rwx
  default:other::---

Now, I could make the home directory be owned by root (or admin-a) and
give student-1 access with ACLs, but then any file that the student
creates would be owned by him/her and s/he could make it non-readable
by the supervisor.

Is there a way around this? Obviously, disabling access to chmod(1) and
the like is not an option, at least not because they could compile
their own anyway.

How could I solve this challenge?

-- 
Please do not CC me when replying to lists; I read them!
 .''`.     martin f. krafft <[EMAIL PROTECTED]>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system

Invalid/expired PGP subkeys? Use subkeys.pgp.net as keyserver!
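Added example, not part of the mail above: a small Python audit helper that parses getfacl(1) output and reports every ACL entry whose effective rights the mask has cut down, which is exactly what the second listing shows as "#effective:---" after the chmod. It goes slightly beyond the mail in that it checks all named-user and group entries, the default ACL included, and needs no acl tools installed; the listing it parses is constructed from the mail's second getfacl output.

```python
# Constructed sample, modelled on the second getfacl listing in the mail:
# after `chmod og= ~` the access mask is ---, so admin-a's entry is ineffective.
SAMPLE_GETFACL = """\
# file: /home/group-a/student-1
# owner: student-1
# group: group-a
user::rwx
user:admin-a:rwx\t\t#effective:---
group::---
mask::---
other::---
default:user::rwx
default:user:admin-a:rwx
default:group::---
default:mask::rwx
default:other::---
"""

def parse_getfacl(text: str) -> tuple[str, list]:
    """Return (path, [(tag, qualifier, perms_set, is_default), ...])."""
    path, entries = "", []
    for raw in text.splitlines():
        if raw.startswith("# file:"):
            path = raw.split(":", 1)[1].strip()
        line = "" if raw.startswith("#") else raw.split("#", 1)[0].strip()
        if not line:
            continue  # header comment or blank; "#effective:" tails were cut above
        is_default = line.startswith("default:")
        line = line[len("default:"):] if is_default else line
        tag, qualifier, perms = line.split(":", 2)
        entries.append((tag, qualifier, set(perms) - {"-"}, is_default))
    return path, entries

def fmt(perms: set) -> str:
    return "".join(c if c in perms else "-" for c in "rwx")

def masked_entries(entries: list, default: bool = False) -> list:
    """(tag, qualifier, granted, effective) for entries the mask cuts down.
    POSIX ACLs mask named users and all group entries, never user:: or other::."""
    mask = next((p for t, _, p, d in entries if t == "mask" and d == default), None)
    if mask is None:
        return []  # no mask entry, nothing is limited
    hits = []
    for tag, qualifier, perms, is_default in entries:
        if is_default != default or tag == "other" or (tag == "user" and not qualifier):
            continue
        if perms & mask != perms:
            hits.append((tag, qualifier, fmt(perms), fmt(perms & mask)))
    return hits
```

Run over `getfacl -R` output split per file, an empty result for the access ACL means the supervisor's entries are still effective; a hit like ('user', 'admin-a', 'rwx', '---') is the condition the mail describes.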