brandon/oam
1
0
Fork 0
mirror of https://gitea.com/mcereda/oam.git synced 2026-02-09 05:44:23 +00:00
Code Issues Packages Projects Releases Wiki Activity

chore: better acl-related information in articles

Browse Source
This commit is contained in:
Michele Cereda
2023-09-17 19:07:40 +02:00
parent ee8147973f
commit bcd597f9ea
4 changed files with 75 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
.vscode/settings.json vendored
View File

@@ -126,6 +126,7 @@
"userspace",
"winget",
"wlan",
"xattr",
"zstd"
],
"markdown.extension.toc.levels": "2..6",

81
knowledge base/acl.md
View File

@@ -4,11 +4,17 @@
1. [TL;DR](#tldr)
1. [Set default permissions for files and directories](#set-default-permissions-for-files-and-directories)
1. [Posix](#posix)
1. [NFSv4](#nfsv4)
1. [Further readings](#further-readings)
## TL;DR
List of [permission tags][syntax descriptions for setting acls] and [inheritance options][acl inheritance].
When **setting** permissions, the _execute_ flag can be set to the **uppercase** `X` instead of the **lowercase** `x`.<br/>
The uppercase `X` permission allows execution only if the target is a directory or if the execute permission has already been set for the user or group.
BSD systems use NFSv4 ACLs by default in ZFS.
List of **NFSv4** [permission tags][syntax descriptions for setting acls] and [inheritance options][acl inheritance].
```sh
# Install the tool.
@@ -16,49 +22,86 @@ apt install 'acl'
dnf install 'acl'
# Show ACLs.
getfacl 'test/declarations.h'
getfacl 'path/to/file'
# Set permissions for users.
setfacl -m 'u:username:rwx' 'test/declarations.h'
setfacl -m 'u::r-x' 'path/to/file'
setfacl -m 'u::rwX' 'path/to/dir'
setfacl -m 'u:username:r-x' 'path/to/file'
setfacl -m 'u:username:rwX' 'path/to/dir'
# Add permissions for users.
# Position number starts from 0.
setfacl -a '1' 'u:username:rwx' 'test/declarations.h'
setfacl -a '5' 'owner@:rw-p-daARWcCos:f------:allow' 'path/to/file'
setfacl -a '6' 'owner@:rwxpDdaARWcCos:-d-----:allow' 'path/to/dir'
setfacl -a '1' 'u:username:rwx' 'path/to/file'
setfacl -a '2' 'u::rwX' 'path/to/dir'
setfacl -a '5' 'owner@:rw-p-daARWcCos::allow' 'path/to/file'
setfacl -a '6' 'owner@:rwxpDdaARWcCos::allow' 'path/to/dir'
# Set permissions for groups.
setfacl -m "g:groupname:r-x" 'test/declarations.h'
setfacl -m 'g::r-x' 'path/to/file'
setfacl -m 'g::rw-' 'path/to/dir'
setfacl -m 'g:username:r-x' 'path/to/file'
setfacl -m 'g:username:rwX' 'path/to/dir'
# Add permissions for groups.
# Position number starts from 0.
setfacl -a '2' 'g:groupname:r-x' 'test/declarations.h'
setfacl -a '7' 'group@:r--p--aAR-c--s:f------:allow' 'path/to/file'
setfacl -a '8' 'group@:r-xp--aAR-c--s:-d-----:allow' 'path/to/dir'
setfacl -a '2' 'g:groupname:r-x' 'path/to/file'
setfacl -a '4' 'g::rw-' 'path/to/dir'
setfacl -a '7' 'group@:r--p--aAR-c--s::allow' 'path/to/file'
setfacl -a '8' 'group@:r-xp--aAR-c--s::allow' 'path/to/dir'
# Add permissions for everyone else (others).
# Position number starts from 0.
setfacl -a '3' 'o::r-x' 'test/declarations.h'
setfacl -a '9' 'everyone@:r-----a-R-c---:f------:allow' 'path/to/file'
setfacl -a '10' 'everyone@:r-x---a-R-c---:-d-----:allow' 'path/to/dir'
setfacl -a '3' 'o::r-x' 'path/to/file'
setfacl -a '3' 'o::r-X' 'path/to/dir'
setfacl -a '9' 'everyone@:r-----a-R-c---::allow' 'path/to/file'
setfacl -a '10' 'everyone@:r-x---a-R-c---::allow' 'path/to/dir'
# Change multiple permissions in one command.
setfacl -m 'u::rw,g::r' 'path/to/file'
setfacl -m 'u::rwX,g::rwX,o::rx' 'path/to/dir'
# Make children files and directories inherit acls.
# A.K.A. sets default ACLs.
setfacl -d -m 'u:dummy:rw' 'test'
# A.K.A. set 'default' ACLs.
setfacl -dm 'u:dummy:rw' 'path/to/file'
setfacl -m 'default:u::rwX,g::rX,o:r' 'path/to/dir'
setfacl -a '11' 'group@:r-----a-R-c---:f------:allow' 'path/to/file'
setfacl -a '12' 'everyone@:r-x---a-R-c---:-d-----:allow' 'path/to/dir'
# Remove specific acls.
setfacl -x 'u:dummy:rw' 'test'
# Remove all ACL entries except for the ones synthesized from the file mode.
# If a 'mask' entry was in them, the resulting ACLs will be set accordingly.
setfacl -b 'test/declarations.h'
setfacl -b 'path/to/file'
```
## Set default permissions for files and directories
Suppose you want a folder to set the default permissions of newly created files and directories to `0664` (`-rw-rw-r--`) and `0775` (`drwxrwxr-x`) respectively.
Suppose you want a folder to set the default permissions of newly created files and directories to `0664` (`-rw-rw-r--`) and `0775` (`drwxrwxr-x`) respectively.<br/>
The best way to achieve this would be to set up it's ACLs accordingly.
The best way to achieve this would be to set up it's ACLs accordingly:
### Posix
| Who | ACL Type | Permissions | Flags | Translated `getfacl` Tags | Resulting Unix Permissions |
| ----- | -------- | -------------------- | ----------------- | ------------------------- | -------------------------- |
| user | Allow | Read, Write | File Inherit | `default:user::rw-` | `-rw-------` |
| user | Allow | Read, Write, Execute | Directory Inherit | `default:user::rwX` | `drwx------` |
| group | Allow | Read, Write | File Inherit | `default:group::rw-` | `----rw----` |
| group | Allow | Read, Write, Execute | Directory Inherit | `default:group::rwX` | `d---rwx---` |
| other | Allow | Read, Write | File Inherit | `default:other::rw-` | `-------rw-` |
| other | Allow | Read, Write, Execute | Directory Inherit | `default:other::rwX` | `d------rwx` |
```sh
setfacl -dm 'u::rwX' 'path/to/dir'
setfacl -dm 'g::rwX' 'path/to/dir'
setfacl -dm 'o::r-X' 'path/to/dir'
# Or, in one go.
setfacl -dm 'u::rwX,g::rwX,o::rX' 'path/to/dir'
```
### NFSv4
| Who | ACL Type | Permissions | Flags | Translated `getfacl` Tags | Resulting Unix Permissions |
| --------- | -------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------- | ---------------------------------------- | -------------------------- |
@@ -70,8 +113,6 @@ The best way to achieve this would be to set up it's ACLs accordingly:
| everyone@ | Allow | Read Data<br/>Read Named Attributes<br/>Execute<br/>Read Attributes<br/>Read ACL | Directory Inherit | `everyone@:r-x---a-R-c---:-d-----:allow` | `d------r-x` |
```sh
# Set default permissions of '0664' for files and '0775' for directories.
# Includes ACL-type permissions accordingly.
setfacl -m 'owner@:rw-p-daARWcCos:f------:allow' 'path/to/dir'
setfacl -a '1' 'owner@:rwxpDdaARWcCos:-d-----:allow' 'path/to/dir'
setfacl -m 'group@:r--p--aAR-c--s:f------:allow' 'path/to/dir'

17
knowledge base/diy nas/v1.md
View File

@@ -21,12 +21,17 @@
## Software
| Component | Choice | Notes |
| ---------------- | ---------------- | -------------------------------------------------- |
| Operating system | [OpenMediaVault] | With [OMV-Extras](../openmediavault.md#omv-extras) |
| Kernel | Default (Debian) | |
| OS file system | Default (ext4) | |
| Data file system | ZFS | See [ZFS](../openmediavault.md#zfs) |
| Component | Choice | Notes |
| ---------------- | ---------------- | ----------------------------------------------------- |
| Operating system | [OpenMediaVault] | With [OMV-Extras](../openmediavault.md#omv-extras) |
| Kernel | Default (Debian) | |
| OS file system | Default (ext4) | |
| Data file system | ZFS | See [ZFS on OpenMediaVault](../openmediavault.md#zfs) |
ZFS datasets used as shared folders shall have the following properties:
- `aclinherit:restricted`;
- `aclmode:groupmask`;
- `acltype:posix` + `xattr:sa` until `nfsv4` is supported on Linux.
## Further readings

2
knowledge base/openmediavault.md
View File

@@ -171,6 +171,7 @@ Just enable property in the pool or dataset.
- [Proxmox]
- [OMV-Extras]
- [Disks maintenance]
- [ZFS]
## Sources
@@ -198,6 +199,7 @@ All the references in the [further readings] section, plus the following:
[debian]: debian.md
[disks maintenance]: disks%20maintenance.md
[proxmox]: proxmox.md
[zfs]: zfs.md
<!-- Others -->
[hdparm]: https://linux.die.net/man/8/hdparm