Linux – Who can change ACL permissions

Tags: acl, linux, permissions, privileges

I'm using ACL to control access to individual roots of webs for different instances of Apache and different groups of admins. I've got a Unix group admins-web22 for admins of a particular website and user apache-web22 for a particular instance of apache. These are the permissions set on the root directory of the web:

# file: web22
# owner: root
# group: root
user::rwx
user:apache-web22:r-x
group::rwx
group:webmaster:rwx
group:admins-web22:rwx
mask::rwx
other::---
default:user::rwx
default:user:apache-web22:r-x
default:group::rwx
default:group:admins-web22:rwx
default:mask::rwx
default:other::r-x

There is a user fred who is a member of admins-web22. This user has full read-write access to the directory (as stated above). This works correctly. However, this user is unable to grant write permissions to user apache-web22 for some files and directories, which is important (e.g., the web admin wants to set an upload directory for Drupal). The setfacl command gives "Operation not permitted."

My question is, who can grant privileges using setfacl, and how can I let users of group admins-web22 change permissions (for apache-web22) themselves?

I'm running Debian Wheezy and it's an ext4 partition if it's important.

Best Answer

The setfacl manual page explains who can grant privileges:

The file owner and processes capable of CAP_FOWNER are granted the right to modify ACLs of a file. This is analogous to the permissions required for accessing the file mode. (On current Linux systems, root is the only user with the CAP_FOWNER capability.)

So fred can only use setfacl on files he owns. Depending on your exact security requirements, you may be able to allow members of admins-web22 to run setfacl as apache-web22 (using sudo), which would allow them to change the ACLs on files owned by apache-web22....
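As an added illustration of the sudo approach the answer suggests (this is not code from the question or the answer), here is a small wrapper that members of admins-web22 could be allowed to run as apache-web22 through sudo, so that the ACL change is made by the file owner while the arguments stay confined instead of exposing setfacl wholesale. The web root /var/www/web22, the wrapper path /usr/local/sbin/web22-setfacl, the sudoers line and the use of GNU coreutils readlink -m are assumptions.

```shell
#!/bin/sh
# Assumed sudoers entry (visudo), not from the original post:
#   %admins-web22 ALL=(apache-web22) NOPASSWD: /usr/local/sbin/web22-setfacl
# The wrapper must be owned by root and not writable by admins-web22,
# otherwise the confinement below can be edited away.
WEB_ROOT="${WEB_ROOT:-/var/www/web22}"      # assumed site root
ACL_USER="${ACL_USER:-apache-web22}"        # the only entry we let callers touch

# 0 if the canonical form of $1 lies inside WEB_ROOT. readlink -m resolves
# ".." and symlinks without requiring the final component to exist, so
# "$WEB_ROOT/../web23/x" and symlinks pointing elsewhere are refused.
within_web_root() {
    target=$(readlink -m -- "$1") || return 1
    case "$target" in
        "$WEB_ROOT"|"$WEB_ROOT"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# 0 if $1 is a single access or default entry for ACL_USER, e.g.
# "u:apache-web22:rwx" or "d:u:apache-web22:r-x". Anything else (other
# users, group/mask/other entries, comma-joined lists) is refused, since
# those would widen access beyond the apache instance.
allowed_acl_spec() {
    spec=$1
    case "$spec" in
        "u:$ACL_USER:"*|"user:$ACL_USER:"*) ;;
        "d:u:$ACL_USER:"*|"default:user:$ACL_USER:"*) ;;
        *) return 1 ;;
    esac
    perms=${spec#*":$ACL_USER:"}
    case "$perms" in
        ""|*[!rwx-]*) return 1 ;;      # empty, or a char outside r/w/x/-
    esac
    [ "${#perms}" -le 3 ]
}

# usage: web22-setfacl ACL_SPEC PATH
main() {
    spec=$1; path=$2
    allowed_acl_spec "$spec" || { echo "refused: ACL entry '$spec'" >&2; exit 2; }
    within_web_root "$path" || { echo "refused: '$path' is outside $WEB_ROOT" >&2; exit 2; }
    # Runs as apache-web22 under sudo, so this only succeeds on files it owns.
    exec setfacl -m "$spec" -- "$path"
}

[ "${1:-}" = "" ] || main "$@"
```

Only the validation functions matter for the admin; setfacl itself still applies the owner/CAP_FOWNER rule quoted above, so running the wrapper as fred directly fails exactly as before.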
