What you request is not supported by Linux's ACLs.
setfacl -m u:jim:r-X (capital X) gives Jim permission to read all files including directories, and to execute only directories and files that are executable by their owner.
Making directories non-readable has very limited usefulness. If you tell us what you're trying to accomplish, we might be able to offer a better solution.
Yes, all files under /usr should be owned by root, except that files under /usr/local may or may not be owned by root depending on site policies. It's normal for root to own files that only a system administrator is supposed to modify.
There are a few files that absolutely need to be owned by root or else your system won't work properly. These are setuid root executables, which run as root no matter who invoked them. Common setuid root binaries include su and sudo (programs to run another program as a different user, after authentication), sudoedit (a companion to sudo to edit files rather than run arbitrary programs), and programs to modify user accounts (passwd, chsh, chfn).
In addition, a number of programs need to run with additional group privileges, and need to be owned by the appropriate group (and by the root user) and have the setgid bit set.
You can, and should, restore proper permissions from the package database. If you attempt to repair manually, you're bound to miss something and leave some hard-to-diagnose bugs lying around. Run the following commands:
rpm -qa | xargs rpm --setugids --setperms
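To see which packaged files still differ from the package database before and after running the restore above, the output of `rpm -Va` can be filtered for mode, owner and group mismatches. This is an added example, not part of the original answer; the function names are hypothetical, the sample lines are constructed, and it assumes the standard 9-character verify flag field (order `SM5DLUGTP`).

```shell
#!/bin/sh
# Added example: filter `rpm -Va` output down to files whose mode (M),
# owner (U) or group (G) differs from what the package database records.
# Content-only changes (size, digest, mtime) are ignored.

perm_drift() {
    awk '
        # Lines such as "missing  /path" have no 9-char flag field: skip.
        length($1) != 9 { next }
        {
            flags = $1
            what = ""
            if (substr(flags, 2, 1) == "M") what = what "mode,"
            if (substr(flags, 6, 1) == "U") what = what "user,"
            if (substr(flags, 7, 1) == "G") what = what "group,"
            if (what == "") next
            sub(/,$/, "", what)
            # The path starts at the first slash; this keeps embedded spaces.
            path = substr($0, index($0, "/"))
            printf "%s\t%s\n", path, what
        }
    '
}

# Constructed sample of `rpm -Va` output (not captured from a real host).
sample_verify_output() {
    cat <<'EOF'
.M.......    /usr/bin/passwd
S.5....T.  c /etc/ssh/sshd_config
.....UG..    /usr/bin/write
missing      /usr/share/doc/example/README
.M...U...    /var/lib/example dir/state
EOF
}

# Demo on the constructed sample. On a real system: rpm -Va | perm_drift
sample_verify_output | perm_drift
```

An empty result after the restore means no packaged file has a mode, owner or group that differs from the database; files not owned by any package are not covered by this check.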
Best Answer
Similar to one of the answers above, if you have a copy of the directory with the correct permissions named "var" in your local directory, you can use the following two commands to restore permissions to the /var directory.