Complex Linux user permissions

root@prod> ls /home
joe/  mary/  bob/  spaceball/
drwx------. 3 mary  mary   88 Jul 12 10:15 mary/
root@prod> groups mary
mary: mary employees
1)
# set "employees" as the owning group of all existing files and dirs,
# -R recursive (drill down to subfolders)
# -h also update symlinks
chgrp -Rh employees /home/spaceball
2)
# configure ACL to enforce proper permissions
# give Spaceball user RWX
# give group "employees" read only, plus execute bit on directories so they can 'ls' on directories
# remove all access for Others
# note: -d edits only the *default* ACL, which is applied to entries created later;
# the mode bits of files that already exist are tightened in step 3
setfacl -d -Rm u::rwX,g::rX,o::- /home/spaceball
3)
# set the setgid (SGID) bit for the "employees" group; new files and subdirs then inherit that group (permission inheritance)
# -R also marks regular files; to limit the bit to directories use: find /home/spaceball -type d -exec chmod g+s {} +
chmod -R g+s /home/spaceball
chmod -R g-w /home/employees   # remove any existing write access for the group
4) add Joe and Bob's public SSH keys to Spaceball's authorized_keys file
vi /home/spaceball/.ssh/authorized_keys
add keys here
ls -la /home/spaceball
-rw-r-----. 1 spaceball employees 0 Jul 12 14:28 file1
drwxr-s---+ 2 spaceball employees 6 Jul 12 14:29 dir1
getfacl dir1
# file: dir1
# owner: spaceball
# group: employees
# flags: -s-
user::rwx
group::r-x
other::---
default:user::rwx
default:group::r-x
default:other::---
joe@desktop> ssh spaceball@prod
spaceball@prod> ls -la
-rw-r-----. 1 spaceball employees 0 Jul 12 14:28 file1
drwxr-s---+ 2 spaceball employees 6 Jul 12 14:29 dir1
root@prod> setfacl -Rm u:kevin:rwx /home/spaceball
root@prod> chmod 750 /home/spaceball
joe@desktop> ssh spaceball@prod  (OK)
kevin@desktop> ssh kevin@prod
kevin@prod> touch /home/spaceball/subdir/testfile
root@prod> getfacl -R /home/spaceball > /tmp/acl_backup.txt
root@prod> setfacl --restore=/tmp/acl_backup.txt
