Monday, November 03, 2008

Extended Filesystem ACLs

Our ZCM10 servers have a directory which holds the desktop images. We want our desktop guys to be able to upload to this directory, but without knowing the root password. Extended filesystem ACLs came to mind, and this is how we set it up.

Linux_Admins is a LUM-enabled eDirectory group that the desktop guys are all in.

Also, make sure your partition is mounted with acl support, otherwise this won't work :)


setfacl -R -m g:Linux_Admins:rwx /var/opt/novell/zenworks/content-repo/images


user@host:/var/opt/novell/zenworks/content-repo> ls -l
total 20
drwxrwxr-x 235 zenworks zenworks 4096 2008-10-28 19:47 content
drwxrwxr-x+ 4 zenworks zenworks 4096 2008-10-30 14:09 images
drwxrwxr-x 5 zenworks zenworks 4096 2008-10-21 23:53 system-update
drwxrwxr-x 4 zenworks zenworks 4096 2008-10-29 08:48 tmp

Notice the little plus sign on the images directory permissions? That indicates extended attributes are in place.

user@host:/var/opt/novell/zenworks/content-repo> getfacl images/
# file: images
# owner: zenworks
# group: zenworks
user::rwx
group::r-x
group:Linux_Admins:rwx
mask::rwx
other::r-x

There ya go! In addition to the zenworks group having permissions, the Linux_Admins group now has rwx permission to the images directory.

No comments: