ACLs Masks + Group Permissions
I don't get this...
I applied setfacl -d -m mask:002 /home/http/pyther.net
pyther.net
# file: ../pyther.net/
# owner: pyther
# group: http
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx #effective:-w-
default:mask::-w-
default:other::r-x
drwxrwxr-x+ 16 pyther http 4096 2009-11-08 00:19 .
Create File
[pyther@mongo pyther.net]$ touch abc.txt
Permission of File
[pyther@mongo pyther.net]$ getfacl abc.txt
# file: abc.txt
# owner: pyther
# group: users
user::rw-
group::rwx #effective:-w-
mask::-w-
other::r--
-rw--w-r--+ 1 pyther users 0 2009-11-08 00:19 abc.txt
Why does getfacl show that the file has group permissions of 777?
I want the group to be able to read + write, but not execute the file. As far as I can tell the file isn't really executable.
Last edited by pyther (2009-11-08 05:24:32)
The group permission is 777 because the directory has default:group::rwx. Effectively there are no read and execute rights because of the mask.
Set the default mask and default group to rwx and try again.
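To make the mask arithmetic in this thread concrete, here is an added Python model of the two rules at work (it is not code from the post or from the acl tools): when a directory has a default ACL, the new file's ACL is a copy of it with the user, other and mask entries ANDed with the mode that touch requests (0666), and the mask then caps the effective rights of the owning group. The getfacl text is the directory ACL from the post; FIXED_DIRECTORY_ACL is a constructed variant with the default mask set to rw-, which gives the read-and-write-but-not-execute result the question asks for.

```python
"""Model of POSIX.1e ACL inheritance and mask semantics as used on Linux.

Added example, not code from the original post: it replays the thread's
scenario in pure Python so the numbers can be checked without root or an
ACL-enabled filesystem.
"""

PERM_BITS = {"r": 4, "w": 2, "x": 1}

# Directory ACL as printed by getfacl in the post.
DIRECTORY_ACL = """\
# file: pyther.net/
user::rwx
group::rwx
other::r-x
default:user::rwx
default:group::rwx            #effective:-w-
default:mask::-w-
default:other::r-x
"""

# Constructed variant (hypothetical fix, not from the post): the default
# mask after `setfacl -d -m mask:rw` on the directory.
FIXED_DIRECTORY_ACL = DIRECTORY_ACL.replace("default:mask::-w-", "default:mask::rw-")


def parse_perms(text):
    """'rw-' -> 6; characters other than r/w/x are ignored."""
    return sum(PERM_BITS[c] for c in text if c in PERM_BITS)


def fmt_perms(bits):
    """6 -> 'rw-'."""
    return "".join(c if bits & b else "-" for c, b in PERM_BITS.items())


def parse_acl(text):
    """Parse getfacl output into (access, default) dicts keyed by (tag, qualifier)."""
    access, default = {}, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop '# file:' headers and '#effective' notes
        if not line:
            continue
        target = access
        if line.startswith("default:"):
            target = default
            line = line[len("default:"):]
        tag, qualifier, perms = line.split(":")
        target[(tag, qualifier)] = parse_perms(perms)
    return access, default


def create_with_default(default_acl, mode):
    """Access ACL of a new file created in a directory that has a default ACL.

    Per acl(5): the default ACL is copied, then the user::, other:: and mask::
    entries (group:: instead when there is no mask) are ANDed with the mode the
    creating call requested.  The process umask is ignored in this case.
    """
    acl = dict(default_acl)
    acl[("user", "")] &= (mode >> 6) & 7
    acl[("other", "")] &= mode & 7
    class_entry = ("mask", "") if ("mask", "") in acl else ("group", "")
    acl[class_entry] &= (mode >> 3) & 7
    return acl


def effective(acl):
    """Effective rights: named users, the owning group and named groups are
    limited by the mask; the owner and other:: entries are not."""
    mask = acl.get(("mask", ""))
    result = {}
    for (tag, qualifier), perms in acl.items():
        masked = tag == "group" or (tag == "user" and qualifier != "")
        result[(tag, qualifier)] = perms & mask if (mask is not None and masked) else perms
    return result


def ls_mode(acl, is_dir=False):
    """The mode string ls -l prints for the access ACL: with a mask present the
    middle triplet is the mask, not the group:: entry; '+' flags extended entries."""
    group_field = acl.get(("mask", ""), acl[("group", "")])
    extended = ("mask", "") in acl or any(q for (_, q) in acl)
    return ("d" if is_dir else "-") + fmt_perms(acl[("user", "")]) + \
        fmt_perms(group_field) + fmt_perms(acl[("other", "")]) + ("+" if extended else "")


def touch_in(directory_acl_text, mode=0o666):
    """Simulate `touch newfile` in the directory; returns (ls mode, effective group perms)."""
    _, default = parse_acl(directory_acl_text)
    file_acl = create_with_default(default, mode)
    return ls_mode(file_acl), fmt_perms(effective(file_acl)[("group", "")])


if __name__ == "__main__":
    print(touch_in(DIRECTORY_ACL))        # ('-rw--w-r--+', '-w-'): the post's result
    print(touch_in(FIXED_DIRECTORY_ACL))  # ('-rw-rw-r--+', 'rw-'): group read+write, no execute
```

Running it reproduces the `-rw--w-r--+` line from the post and then the fixed one. The point worth remembering when auditing permissions on ACL-enabled filesystems is that the middle triplet ls prints is the mask, so a file can show `-w-` there while getfacl reports `group::rwx`; the mask, not the group entry, is what limits the owning group and every named user or group.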
Similar Messages
-
An issue has cropped up where whenever a user creates a file they are the owner with read/write permissions, but the group permissions are set to read only. I have checked the group permissions are being assigned in ACL, and it is set to read and write.
Please let me know if there is any other information needed to help me solve this and I will see if I can get it.
thnx.
I repaired all the permissions on the user account directories and this fixed my issues with share folder permissions for some reason.
Here is a script that will do it all in one go. Change /Volumes/XXXX/Users/ to where you users directory is. chmod the script to 755 and run with sudo and it will fix the user directory permissions for all accounts.
#!/bin/sh
# This shell script needs to be run as super-user
# Fixes ownership and modes of every home directory under the users
# directory, skipping the Shared and Temporary entries in each pass.
for i in /Volumes/XXXX/Users/*
do
u=`echo "$i" | cut -d/ -f5`
case $u in
Shared) ;;
Temporary) ;;
*)
/usr/sbin/chown -R "$u":staff "$i"
/bin/chmod -R 700 "$i"
;;
esac
done
for i in /Volumes/XXXX/Users/*
do
u=`echo "$i" | cut -d/ -f5`
case $u in
Shared) ;;
Temporary) ;;
*)
/usr/sbin/chown "$u":staff "$i"
/bin/chmod 755 "$i"
;;
esac
done
/usr/sbin/chown -R 'root':wheel '/Users/Shared'
/bin/chmod -R 777 '/Users/Shared'
for i in /Volumes/XXXX/Users/*
do
u=`echo "$i" | cut -d/ -f5`
case $u in
Shared) ;;
Temporary) ;;
*)
/usr/sbin/chown -R "$u":staff "$i/Public"
/bin/chmod -R 755 "$i/Public"
;;
esac
done
for i in /Volumes/XXXX/Users/*
do
u=`echo "$i" | cut -d/ -f5`
case $u in
Shared) ;;
Temporary) ;;
*)
/usr/sbin/chown -R "$u":staff "$i/Public/Drop Box"
/bin/chmod -R 733 "$i/Public/Drop Box"
;;
esac
done
for i in /Volumes/XXXX/Users/*
do
u=`echo "$i" | cut -d/ -f5`
case $u in
Shared) ;;
Temporary) ;;
*)
/usr/sbin/chown -R "$u":staff "$i/Sites"
/bin/chmod -R 755 "$i/Sites"
;;
esac
done
exit 0
-
NFS export group permissions failing to be applied
I have several NFS shares, mounted on RHEL/Centos 4.5 clients. Only posix permissions are used, no acl. The RHEL client authenticates users through opendirectory on the server.
jim and bob belong to the same group, staff
There are two files on the nfs mount, one belongs to jim, one to bob.
Both files have rw group permissions, and belong to group staff.
On the server, or logged into the server via ssh, jim can edit and save bobs file, since he has write permission for the group.
However on the nfs mount, jim is not given permission to write to bob's file. Jim can delete bob's file though.
Similarly, bob cannot edit jim's file, though he is in the same group.
The group and user names are identical across systems, as are the group and user ids, which is to be expected as they are served from the same directory.
This problem has been affecting us for quite a while - from the original clean install of 10.4 and through to the current 10.5.6 server
The issue has already been raised (and archived) at
http://discussions.apple.com/thread.jspa?threadID=1442054&tstart=570
with no useful result.
Hi frndsss, Seems like we have an enemy in common.. well will keep this space updated if we come across any solutions... thanks..,
Ricky.
Edited by: user781890 on Aug 25, 2008 10:06 PM
-
Sharepoint 2013 setup group permissions
In my SharePoint 2013 test sharepoint site, I would like to know how the users should normally have access to the test sharepoint site. Would the user sign as themselves individually or would they sign on with a group id? Can you tell me and/or point me to a url that will show how to setup group permissions and how the users should login?
There are two suggested ways to assign permissions on SharePoint sites:
Using SharePoint Groups
Using Active Directory Groups
Note: A site can be set up to either inherit permissions from the parent site, or to allow unique permissions to be set for the site. If the site is set up to inherit permissions from the parent site, you will have to Add Users or Active Directory Groups
to pre-existing SharePoint groups in the parent site.
Using SharePoint groups:
Click on “People and Groups”
Click on “New” from the drop-down menu and select “New Group”
Under “Choose the permission level group members get on this site:…”, select “Contribute” and click OK.
Click on “People and Groups”
Click “New” from the drop-down menu and select “Add Users”
Type in the netID(s) you wish to add
Click on “Check Names” (the netID(s) should now be underlined)
Under “Give permission”, select the group you just created and click OK.
Note: If site owners want their site to show up automatically in users' "My Links" in "My Site" then those users must be part of a SharePoint group and that group must be defined as the "Members of this Site" group.
Using Active Directory Groups:
Click on “People and Groups”
Click on “New” from the drop-down menu and select “Add Users”
Type in the name of the Active Directory group you wish to add
Click on “Check Names” (the group name should now be underlined)
Under “Give Users permission directly”, select “Contribute” and click OK.
Note: You can specify multiple netID(s) or AD groups by separating the names with a semi-colon(;).
Below is a list of the permission levels you can use for the site.
Permission Level: Description
Full Control: This permission level contains all permissions. Assigned to the Site name Owners SharePoint group, by default. This permission level cannot be customized or deleted.
Design: Can create lists and document libraries, edit pages and apply themes, borders, and style sheets in the Web site. Not assigned to any SharePoint group, by default.
Contribute: Can add, edit, and delete items in existing lists and document libraries. Assigned to the Site name Members SharePoint group, by default.
Read: Read-only access to the Web site. Users and SharePoint groups with this permission level can view items and pages, open items, and documents. Assigned to the Site name Visitors SharePoint group, by default.
Limited Access: The Limited Access permission level is designed to be combined with fine-grained permissions to give users access to a specific list, document library, item, or document, without giving them access to the entire site. However, to access a list or library, for example, a user must have permission to open the parent Web site and read shared data such as the theme and navigation bars of the Web site. The Limited Access permission level cannot be customized or deleted.
NOTE: You cannot assign this permission level to users or SharePoint groups. Instead, Windows SharePoint Services 3.0 automatically assigns this permission level to users and SharePoint groups when you grant them access to an object on your site that requires that they have access to a higher level object on which they do not have permissions. For example, if you grant users access to an item in a list and they do not have access to the list itself, Windows SharePoint Services 3.0 automatically grants them Limited Access on the list, and also the site, if needed.
-
Need info about group permissions
Hi All,
I'm confused with OIM group permissions for the following scenario.
Consider three groups G1,G2,G3 with the following permissions to a particular resource object RO.
G1 - Has all permission in all places for this RO(resource object,process form,process definition,etc)
G2 - Has only read permissions in all places for this RO.
G3 - Doesn't have any permission with respect to this RO.
And also "Provision by Object Admin Only" is selected for this RO and G1 is an object administrator.
Now I got the following result when I try to provision this resource object.
case 1: The actor (logged in user) is a member of G1 & G2 ------- Got this error "DOBJ.INSERT_PERMISSION_DENIED.You do not have permission to insert this object" and the provisioning operation failed.
case 2: The actor is a member of G1 & G3 ----- Able to provision this resource object.
Now my question is, in case 1 if OIM is denying the operation as G2 doesn't have insert or write permission, then how come it is allowing the operation in case 2 where G3 doesn't have any permission?
Is this an expected behaviour or am I missing something ?
How OIM is handling the permissions for this operation ?
Thanks in advance.
Regards,
NS
I have the same problem here.. the issue we have is that some users have groups that give permissions, other groups that are used by access policies and others for menu visibility. The last two aren't for permissions purposes but they impact on the effective rights of the users, because for example, when users try to revoke a resource, OIM says that they don't have permissions. Did you figure out a workaround to solve this problem?
-
Group Permissions using External Table
I have a problem with using an external table for user group permissions.
I am using OBI authentication but need to use an external table to manage the user’s group permissions. I created two RPD groups, GROUP1 and GROUP2. GROUP1 has access to TABLE1. GROUP2 has access to TABLE2. I created the initialization block with the following SQL:
Select 'GROUP', groupname from groups_tab where username = ':USER'
I also turned on row-wise initialization.
I created a user, USER1, with access to both RPD groups. I also created corresponding Catalog Group (Settings Administration Manage Presentation Catalog Groups and Users Create a new Catalog Group). I have two dashboard pages PAGE1 and PAGE2. GROUP1 has access to PAGE1 and GROUP2 has access to PAGE2. When I log in as USER1, I have a quick test on the My Dashboard page that displays the GROUP session variable (@{biServer.variables[‘NQ_SESSION.GROUP’]}). The variable displays that USER1 belongs to GROUP1; GROUP2. I still cannot see the dashboard pages PAGE1 and PAGE2. When I go to Answers I cannot see TABLE1 or TABLE2.
Obviously, I must be missing a step somewhere. Any ideas?
I have tried the Rittman Mead post (http://www.rittmanmead.com/2007/05/21/using-initialization-blocks-with-ldap-and-database-queries-to-control-authentication-and-authorization/) and I am still not getting the right results.
Edited by: Canz on Feb 25, 2009 4:39 PM
It's likely to be a permissioning setup issue rather than your Init Block setup, which seems to be working. Start by granting your test user full permissions on the object you want and then start removing them gradually to see where you don't see the dashboard any more. I think you might be missing a Traverse privilege in your dashboard shared folders, but I can't check all the possible conditions without seeing your web catalog. Also check the case of your Web Catalog groups and the ones you populate in the Init block.
-
OSR11g - Setting Group Permissions on a Business
I tried setting permissions on a particular business for a group, setting all 5 (Find,Get,Save,Delete, Create) to "Allow" for the group within the OSR Control.
However, after the permissions were set, the business was no longer visible within OSB 11g's "Import from Uddi". The user configured within the OSB UDDI registry is a member of the same group within OSR.
If I remove the group permissions from the business, the business returns to being visible within OSB.
So what's the missing step?
The same problem also occurs in an even simpler scenario:
If I apply "FIND ALLOWED" permissions to the "admin" user on a particular business within OSR 11g, that business is no longer visible to my OSB 11g dashboard for either the "Publish to UDDI" or "Import from UDDI" actions.
So I've given this to Oracle Support to digest.
-
UME actions and Group permissions
Hi there ,
New to portal and NWDI . How do you see what a UME action contains.
i.e. MANAGE_ALL . Do you need java skills or visual administrator to view.
Also, using NWDI.Administrators group , the group itself gives permissions
outside of just having the NWDI.Administrator role. Where/How are the group
permissions defined? Thank You
Dan.
Dan,
This is a good place to start: [Authorization Concept of the AS Java|http://help.sap.com/saphelp_nw04s/helpdata/en/44/7fdf2470a412d2e10000000a422035/frameset.htm]. The two roles are different. Security roles are part of the J2EE Standard. UME roles are collections of UME actions. The UME interface cannot show the J2EE roles.
Now as to the role that lets you look at system info, you are correct. As your test showed, this is not included in Manage.All. I just tried that myself. If you look in the visual admin, you see there is a security role called administrators assigned to the group Administrators. Now when the developers create a J2EE application they specify the name of the role that the user must have in order to access it. Often they use the name administrators. When the applications are deployed to the server, the AS Java consolidates all these roles into a single role with the same name, administrators, by role references. This is assigned to the Administrators group by default. This is done to make the life of the developer and the deployer easier. So System Info needs this role. Well, there are two keystore roles assigned by default as well, but I doubt these are the roles System Info is looking for. In SAP NetWeaver 7.1 you have more granular control. But that is another question.
I hope that helps.
-Michael
-
Copying files from Windows rips out group permissions
Hi there all,
Having some problems with group permissions being removed from files when data is copied from a Windows OS.
We currently have a network of Macs that are tied to a AD/OD structure.
We have also set a custom umask for each mac defining 002 as the permissions to be written to files.
However, when we connect to a Windows file share using the smb:// protocol and copy files/folders across to the Mac environment the umask permissions are not written correctly.
The User is given full control and the Everyone group is denied access. However, no group permissions are written at all.
We have tried altering the smb.conf file to no effect.
Could anybody shed some light on this annoying problem?
Many thanks
You have to install this version of samba as Apple have made a complete hash of implementing their own... Another massive fail from the world's favourite consumer electrics company... Listen to the pro users leaving in droves...
http://eduo.info/apps/smbup
-
How to do group permissions in cyradm?
Generic cyradm documentation seems to say that you can set permissions on a per-group basis.
I'd really like to do this (on Panther server) - we have a lot of shared mailboxes, and it is a real pain explicitly adding new users to each and every mailbox every time we get a new user.
But I just can't get group permissions to work. Has anyone successfully done this on Panther Server?
Thanks
Here is one way:
select UPPER(name) from xtable group by UPPER(name)
having count(UPPER(name))>1
Kalman Toth Database & OLAP Architect
SELECT Video Tutorials 4 Hours
New Book / Kindle: Exam 70-461 Bootcamp: Querying Microsoft SQL Server 2012
-
[OIM] Group Permissions
Dear people,
I would like to know if anyone has knowledge of how group permissions are resolved when they have conflicts. For example, if I have GroupA with all permissions (like system administrators) and GroupB with no permissions (it could be a group made for access policies purposes), how this would be resolved?
I have a concrete situation here, with something like described where OIM don't let some users to do things, like revoke resources. I tried with the order of assignation of the groups, but problem persists.
Thanks!
I have never specifically seen this but you learn something new every day.
Something I have seen is that sometimes the OIM logic doesn't take into account members of groups that are members of groups. So if I am a member of group a and group a is a member of group b then I may not get the permissions that are assigned to group b.
Best regards
/Martin
-
[OIM] Group Permissions Conflict
People,
I created a new resource with an approval process. I configured ALL_USERS group permissions allowing only Insert permission on the Object Form, but without the Update and Delete permissions, so everybody can generate the request and fill the form for the first time, but not modify it. This is working fine.
Then, I created another group, called OIM_ADMINISTRATORS, that have ALL permissions on the same Object Form (Insert, Delete, Write). The problem is that when a user that belongs to OIM_ADMINISTRATORS tries to modify the Object Form, I have a message that says I have no permissions to Update it.
So I figure that the permissions from ALL_USERS are winning over the ones of OIM_ADMINISTRATORS. Is there a way to manage the priority of the permissions, so ALL_USERS can only create the Object Form but users under OIM_ADMINISTRATORS can ALSO modify it?
Thanks in advance.
Hi,
Both tabs serve a different purpose in the form.
It's good your requirement is solved by this, but it's not a general solution.
As per my understanding, a Group in the Administrative tab has full access over the current record of the form, while the Object Permission tab defines the access over the form.
Now, you are able to insert the record from ALLUser group right??
Just try to update/delete the same??
Please let me know the result....
Regards
Alabhya Goel
-
SMB ACLs and Groups not working properly?
I wanted to sum up the issues we are facing since Monday morning, when we rolled the new network share:
We have an xserve G5 running 10.4.8 OS X Server. The users are all created in OD, which is a main domain controler, and the SMB shares are configured as a standalone server.
The issue is that users alternatively can and can't access the share files, and it seems like :
- Group permissions don't work
- Read-only permissions end up as "no access at all"
Plus, the connection sometimes gets very slow, without any reason.
Apple's documentation speaks for itself as the lack of any detail and information is very very annoying.
Is anyone facing the same issues?
Are these known issues? If yes, are there any workarounds?
Sometimes I feel like I am going to lose my faith...
Thanks for any help,
Pejvan
I am replying to myself here to say that since we had paid for the Apple Care Premium, I decided to give them a try and called them. I was greatly surprised to see that they have very capable people who solved most of our issues right away, and will be working on solving the remaining ones as well.
Chapeau !
Pejvan
PS: The only complaint I would make is that they seem to have a great database of all the known issues, and the different things you can do to solve them. Why they won't make this tool publicly available (or at least some part of it) is a mystery to me.
-
ACL group permissions not propagating
I have a group of designers that are connected to X Server running Snow Leopard.
I have placed them in a group, "MarComm"
I have granted everyone full read/write access. ( I can trust them all)
I have tried to propagate these permissions..I saved the changes and restarted server.
For some reason there are 2 sets of permissions.
1) full access (desired configuration)
2) "custom" access
This "custom" access does erratic things..for ex:
Allows the designer to pull off a job folder containing 12 items. He has permission to use 8 items, but not the remaining 4.
Perhaps I need a step by step tutorial on how to create a proper "group" and to propagate permissions. I understand that the ACL should take precedence over the POSIX. I am not well-versed in using the terminal, but I am a careful person, and willing to try it.
Thank you in advance
Setting up groups in WGM is pretty foolproof. What I would try first is to remove all of the ACLs for the folder in question.
Ensure that all of the files and folders within your folder have ACLs that can be removed. If not, then you'll have to clear the ACLs on each, one at a time.
The command to clear the ACLs from a folder and its subfiles and folders looks like this:
sudo chmod -R -N /path/to/folder
If you want to just remove an ACL from one file or folder, remove the -R from the command.
To write an ACL and have it apply to all folders within looks like this: (two commands, one to add read and one to add write permissions)
sudo chmod -R +a "groupname allow read" /path/to/file/
sudo chmod -R +a "groupname allow write" /path/to/file/
HTH!
-Graham
-
Group Permissions Not Being Respected
After upgrading our file server to 10.4.8, group write permissions (POSIX, not ACLs) are not being respected for users connecting via SMB. If Group X owns a folder, and has Read and Write permissions on that folder, User A can log in via SFTP and modify that file. However, User A can not log in via SMB and modify that same file. When looking at the "Effective Permissions Browser" in WGM, it will correctly show the user and group ownership of a file, but state that User A does not have permissions to modify that file (in spite of User A being in Group X).
Has anyone seen anything like this? Or does anyone have any suggestions? We can't try switching to ACLs to resolve the issue because the files being shared are mounted from a remote NFS server (ACLs are only supported on HFS+ volumes).
Thanks.
Xserve G5 Mac OS X (10.4.8)
like so:
drwxrwsr-x 6 jwalcik laitssta 4096 Oct 9 23:13 test
where the folder belongs to the user "jwalcik" and to the group "laitstaff". Both are shown as having read, write, and execute status, and the setgid bit is set for the group. Other users have read and execute privileges.
Xserve G5