# FreeBSD Permission Question



## mokfarg (Feb 6, 2012)

I have spent the day learning about file permissions. I was unable to locate a solution for what I am wanting to do. I would like to have a group with read access, group with read/write, and others no rights to access the directory. 

I was able to have this configuration below, but that doesn't allow a group of people to have read-only access. Is this a limitation of FreeBSD or is there another way to do this?


```
Welcome to FreeNAS
[root@freenas] ~# cd /mnt/ada0p2
[root@freenas] /mnt/ada0p2# ls -l
total 17
drwxr-xr-x  5 root  wheel  512 Feb  5 15:27 ./
drwxr-xr-x  4 root  wheel  512 Feb  5 14:54 ../
drwxrwxr-x  2 root  wheel  512 Feb  5 13:10 .snap/
drwxr-x---  2 root  wheel  512 Feb  5 14:15 rpics/
drwxr-x---  2 root  wheel  512 Feb  5 14:14 rvideo/
```


----------



## mokfarg (Feb 6, 2012)

I made a mistake; I meant to write that with this configuration there is no group of users that can read/write. My apologies. Is there a way to have two or more groups associated with a file like in Windows?


----------



## phoenix (Feb 6, 2012)

What you want to use are Access Control Lists (ACLs), same as Windows uses:
setfacl(1)
getfacl(1)


----------



## mokfarg (Feb 6, 2012)

Thank you very much, reading manual pages now.


----------



## mokfarg (Feb 7, 2012)

Thanks for directing me to ACLs. I was able to set the correct access rights as shown below.


```
[root@freenas] ~# getfacl /mnt/ada0p2/rvideo
# file: /mnt/ada0p2/rvideo
# owner: root
# group: wheel
user::rwx
group::r-x
group:rdata_rx:r-x
group:rdata_rwx:rwx
mask::rwx
other::r-x
[root@freenas] ~# chmod 750 /mnt/ada0p2/rvideo
[root@freenas] ~# getfacl /mnt/ada0p2/rvideo
# file: /mnt/ada0p2/rvideo
# owner: root
# group: wheel
user::rwx
group::r-x
group:rdata_rx:r-x
group:rdata_rwx:rwx             # effective: r-x
mask::r-x
other::---
[root@freenas] ~# setfacl -m m::rwx /mnt/ada0p2/rvideo
[root@freenas] ~# getfacl /mnt/ada0p2/rvideo
# file: /mnt/ada0p2/rvideo
# owner: root
# group: wheel
user::rwx
group::r-x
group:rdata_rx:r-x
group:rdata_rwx:rwx
mask::rwx
other::---
```

I would also like all sub-directories to inherit the directory rvideo's ACL. I attempted the command below on the directory without success. Would anyone mind showing me where I went wrong? Thanks!


```
[root@freenas] ~# setfacl -d -m g:rdata_rx:rx /mnt/ada0p2/rvideo
setfacl: /mnt/ada0p2/rvideo: acl_calc_mask() failed: Invalid argument
setfacl: /mnt/ada0p2/rvideo: failed to set ACL mask
```


----------
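Added example, not part of the thread: in the transcript above, `chmod 750` rewrites the ACL mask to `r-x`, which silently caps `group:rdata_rwx` until the mask is reset with `setfacl -m m::rwx`. The Python below parses `getfacl` output and reports which entries the mask is narrowing; the function names are hypothetical and the sample text is the second listing from that post.

```python
import re

# Copied from the thread's second getfacl listing (taken after chmod 750).
AFTER_CHMOD = """\
# file: /mnt/ada0p2/rvideo
# owner: root
# group: wheel
user::rwx
group::r-x
group:rdata_rx:r-x
group:rdata_rwx:rwx             # effective: r-x
mask::r-x
other::---
"""

ENTRY = re.compile(r"^(user|group|mask|other):([^:]*):([r-][w-][x-])")

def fmt(perms):
    return "".join(c if c in perms else "-" for c in "rwx")

def parse_acl(text):
    """Return (entries, mask): entries is [(tag, qualifier, set_of_perms)]."""
    entries, mask = [], None
    for line in text.splitlines():
        m = ENTRY.match(line.strip())
        if not m:
            continue  # "# file:" style headers and blank lines
        tag, qual, perms = m.group(1), m.group(2), set(m.group(3)) - {"-"}
        if tag == "mask":
            mask = perms
        else:
            entries.append((tag, qual, perms))
    return entries, mask

def effective(text):
    """Map 'tag:qualifier' to (granted, effective) rwx strings."""
    entries, mask = parse_acl(text)
    result = {}
    for tag, qual, perms in entries:
        # POSIX.1e: the mask caps named users, the owning group and named
        # groups. The owner (user::) and other:: are never masked.
        capped = tag == "group" or (tag == "user" and qual != "")
        eff = perms & mask if capped and mask is not None else perms
        result[f"{tag}:{qual}"] = (fmt(perms), fmt(eff))
    return result

def narrowed_by_mask(text):
    """Entries that grant more than the mask lets through."""
    return sorted(k for k, (g, e) in effective(text).items() if g != e)
```

Running `narrowed_by_mask` on saved `getfacl` output after any `chmod` on an ACL-protected directory shows whether a group has lost rights it was meant to have.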



## mokfarg (Feb 7, 2012)

Never mind, cancel request. I see what I was doing incorrectly. I didn't have default values set for owner, group, other.


```
[root@freenas] ~# setfacl -d -m u::rwx,g::r-x,o::--- /mnt/ada0p2/rvideo
```


----------



## mokfarg (Feb 7, 2012)

I am now trying to access the directory on a Windows 7 PC using NFS. I was able to map to the directory /mnt/ada0p2 and view the listed sub-directory /mnt/ada0p2/rvideo. I am not, however, able to access the directory. I receive the error message "rvideo is not accessible: Access is denied". The parent directory ada0p2 is able to be accessed because others is set to r-x. I would prefer that not everyone be able to read the rvideo directory, only those groups listed in the ACL. Below I have listed the ACL information.

I am logged in to the Windows 7 PC with the same username that is in group rdata_rx on the FreeBSD server. Does NFS use the ACLs or only owner, group, other? Would someone lead me in the right direction? Thank you for all the help so far.



```
[root@freenas] /mnt# getfacl ada0p2
# file: ada0p2
# owner: root
# group: wheel
user::rwx
group::r-x
mask::r-x
other::r-x

[root@freenas] /mnt/ada0p2# getfacl rvideo
# file: rvideo
# owner: root
# group: wheel
user::rwx
group::r-x
group:rdata_rx:r-x
group:rdata_rwx:rwx
mask::rwx
other::---
```


----------

