One Folder, 2 Groups needing different permissions?

Status
Not open for further replies.

JayG30

Contributor
Joined
Jun 26, 2013
Messages
158
I've not really had an issue setting permissions before but I have a situation I'm not sure how to address.

I have a folder (let's call it SHAREFOLDER).
I have 2 groups of people that need access to the SHAREFOLDER but with different permissions.
  • GROUP1 = RWX (contains 2 or more users who create content in this location)
  • GROUP2 = RX (contains 2 or more users who have to consume data in this location)
Also, there are other people with user accounts that should not have any rights to this folder, not even to read, which I believe means you can't use the Other permission to accomplish this.
What would I do to accomplish this?
 

Dusan

Guru
Joined
Jan 29, 2013
Messages
1,165
I don't think this is possible with UNIX permissions. You need to use ACLs (Access Control Lists). The two commands to manipulate ACLs are:
setfacl (http://www.freebsd.org/cgi/man.cgi?query=setfacl)
getfacl (http://www.freebsd.org/cgi/man.cgi?query=getfacl)
FreeNAS datasets use the NFSv4 ACLs, so you can ignore the POSIX.1e sections in the documentation.
To accomplish your goal you would do something like:
setfacl -m g:GROUP1:rwxp::allow,g:GROUP2:rx::allow SHAREFOLDER
(The p permission for GROUP1 allows it to create new directories; you can remove it if they will only be creating files.)
 

JayG30

Thanks! That's what I was coming up with upon more searching. Although it's nice to know more specifically about how they are used with FreeNAS.

I'm reading the documentation now. A few questions I have, before I do some testing.
Will setfacl overwrite any of the permissions I've already set on files/folders?
When I run getfacl I get output like:
Code:
owner@:rwxp--aARWcCos:------:allow
group@:rwxp--a-R-c--s:------:allow
everyone@:r-x---a-R-c--s:------:allow

What is "aARWcCos" for? Are they extended attributes? And is there some good documentation that I can read on it, because I'm coming up pretty empty.
 

Dusan

Will setfacl overwrite any of the permissions I've already set on files/folders?
Only if you tell it to.
What is "aARWcCos" for? Are they extended attributes? And is there some good documentation that I can read on it, because I'm coming up pretty empty.
All the documentation you need is here: http://www.freebsd.org/cgi/man.cgi?query=setfacl
Quoting:
a read_attributes
A write_attributes
R read_xattr
W write_xattr
c read_acl
C write_acl
o write_owner
s synchronize
You can find some additional details here: https://wiki.freebsd.org/NFSv4_ACLs (e.g. that some of the attributes are ignored in FreeBSD).
The easiest way to learn ACLs is to experiment. Just create a bunch of folders and files and try things. You can always delete the testing files (or run setfacl -b <file> to remove the additional ACLs and keep only the three "UNIX" ones).
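
The check below is an added example, not part of the original thread: it parses NFSv4 ACL text in the format of the getfacl output quoted above, decodes the permission letters, and lists allow entries that grant content access beyond a stated policy, such as an everyone@ entry when other accounts must have none. The sample ACL, the policy and the function names are constructed for illustration; deny entries and entry order are not evaluated.

```python
PERM_NAMES = {  # letters as listed in the FreeBSD setfacl man page
    "r": "read_data", "w": "write_data", "x": "execute", "p": "append_data",
    "D": "delete_child", "d": "delete", "a": "read_attributes",
    "A": "write_attributes", "R": "read_xattr", "W": "write_xattr",
    "c": "read_acl", "C": "write_acl", "o": "write_owner", "s": "synchronize",
}
DATA_BITS = "rwxpDd"  # letters that expose or change the folder's content

def parse_acl(text):
    """Yield (principal, permission letters, entry type) per ACL line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank line or "# file:" style header
        fields = line.split(":")
        # owner@/group@/everyone@ have 4 fields; user:NAME/group:NAME have 5
        if len(fields) not in (4, 5):
            raise ValueError("unrecognised ACL entry: " + line)
        perms, _flags, kind = fields[-3:]
        yield ":".join(fields[:-3]), perms.replace("-", ""), kind

def describe(perms):
    return [PERM_NAMES[c] for c in perms]

def audit(text, policy):
    """Return (principal, extra letters) for allow entries beyond policy."""
    findings = []
    for who, perms, kind in parse_acl(text):
        if kind != "allow":
            continue  # deny entries and evaluation order are not modelled
        extra = "".join(c for c in DATA_BITS
                        if c in perms and c not in policy.get(who, ""))
        if extra:
            findings.append((who, extra))
    return findings

# Constructed sample: group entries made up, last three lines from the thread
SAMPLE = """\
# file: SHAREFOLDER
      group:GROUP1:rwxp----------:------:allow
      group:GROUP2:r-x-----------:------:allow
            owner@:rwxp--aARWcCos:------:allow
            group@:rwxp--a-R-c--s:------:allow
         everyone@:r-x---a-R-c--s:------:allow
"""
# Assumed policy: owner@ and group@ keep rwxp; nobody else is listed
POLICY = {"owner@": "rwxp", "group@": "rwxp",
          "group:GROUP1": "rwxp", "group:GROUP2": "rx"}
print([(who, describe(extra)) for who, extra in audit(SAMPLE, POLICY)])
```

On a live system the same functions can be fed the text printed by getfacl for the folder instead of SAMPLE.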
 