3

I'm trying to set up a git server on my FreeNAS server. The problem I have is with setting up the permissions for different users/groups just as I want.

Basically I have two different groups: git-auth-user which contains all users that should have rwx access to the directory containing all repositories (I should limit x to directories only I'd think, but for now that's a little detail) and git-unauth-user which is basically just the git daemon that should hand out read only access.

I thought that running setfacl -m "g:git-auth-user:rwx:fd:allow" git/ would work to give my git-auth-user all rights, but that doesn't happen.

From searching it seems like the classic permissions still limit the overall permissions ACLs can hand out, does this mean I have to basically give others full rights (so basically chmod 777 dir)? But then I assume everybody that doesn't get their rights limited via ACLs would then have full access as well which is obviously not what I want.

Is there any way around having to set the classic permission rights for other to the most permissive I want to hand out via ACLs or if not, is there an ACL that completely denies access to everybody that doesn't get special access rights?

Edit:

ls -la (so chmod 770 for the directory)

drwxrwx---+ 2 root wheel 2 Jun 22 23:45 git

and 

$ getfacl git/ # file: git/ # owner: root # group: wheel group:git-auth-user:rwx-----------:fd----:allow owner@:rwxp--aARWcCos:------:allow group@:rwxp--a-R-c--s:------:allow everyone@:------a-R-c--s:------:allow

Now when a user of the group git-auth-user tries to generate a new directory inside the git directory I get 

$ mkdir test.git mkdir: test.git: Permission denied

On the other hand if I use chmod -R 777 git it works just fine, but that's obviously a really bad solution because I give everybody complete access to the directory, while my dream solution would be no access for everyone except git-auth-user (i.e. my user git-ro also has write access to the directory, now I could specifically remove all rights for that user per ACLs, but this obviously doesn't scale. I'm sure there must be a better solution to this that I'm overlooking).

Improve this question
3
  • I can't speak for FreeBSD but Linux ACL's are based on the same unratified POSIX standard and they don't function that way. It wouldn't make sense to do it that way either so I'm suspecting something else is happening. You may check to see if something else is going on. There may be an ACL mask setting on the files/directories. Editing the question with the output of an example getfacl would probably be helpful. Commented Jun 21, 2015 at 21:36
  • @Bratchley Put the output of ls -la and getfacl as well as an example of my problem in it, hope that makes the problem clearer Commented Jun 22, 2015 at 21:50
  • 1
    Note that this thing here is NFSv4 ACL; something completely different from POSIX ACLs. Which are supported in FreeBSD as well, but only on UFS. Commented Oct 10, 2015 at 21:14

2 Answers 2

Reset to default
2

ACLs, if present, override the usual chmod bits. Also, NFSv4 ACLs don't have masks.

I believe the problem here is you only set 'rwx', and not 'rwxp'. The 'p' is APPEND_DATA/ADD_SUBDIRECTORY, which is what controls... well, adding subdirectories.

Improve this answer
1

If you use ACLs, the classic group permissions turn into the so called mask, which determines the maximum permissions you can effectively give per setfacl, eg. 

ls -k shows -rw-r--r--+ root root

and you have setfacl -m g:users:rw

because the mask is only read getfacl will show you:

group:users:rw effective r

So set group to rw or rwx by classic chmod and you can give all permissions by setfacl.

PS.

This is Linux ACL handling, afaik Solaris with ZFS is a bit different, I am not entirely sure how BSD with ZFS handles that.

Try it and post your findings here.

Improve this answer
1
  • Thanks, I added some output to make my problem clearer. My problem seems to be that the mask is not computed by the group field but by whatever field would apply to the given user in classic permissions, which means I have to use the other permissions. And if I use chmod 777 I give everybody complete access to the folder and can then limit it down with ACLs - exactly the opposite of what I want (I want nobody to have rights to begin with and then add them with ACLs). Commented Jun 22, 2015 at 21:52

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.