Wednesday 18 January 2012

Linux file descriptors and open modes

Ever want to find out what modes a file was opened with originally?

First find the file descriptor number by listing the process's descriptors:

ls -l /proc/<pid>/fd

Eg

ls -l /proc/32048/fd/30
l-wx------ 1 apache apache 64 Jan 18 07:15 30 -> /var/log/httpd/ntop-access_log

The mode bits on the symlink already give away the access mode: l-wx is write-only, lr-x is read-only and lrwx is read-write.


Then check fdinfo

cat /proc/32048/fdinfo/30
pos: 0
flags: 0102001

The flags value is the flags argument that was passed to the open system call (http://linux.about.com/od/commands/l/blcmdl2_open.htm), printed in octal, plus anything changed afterwards with fcntl(F_SETFL). Newer kernels also report O_CLOEXEC in this field.

To actually decipher the octal value, look at the O_* definitions under /usr/include/bits/fcntl.h (newer glibc keeps them in /usr/include/bits/fcntl-linux.h; the kernel's copy is include/uapi/asm-generic/fcntl.h). The values differ between architectures, so use the header for the machine you are looking at.

If several flags are set, their values are bitwise OR'ed together, not appended, so decode by testing each bit. For the example above, 0102001 = 0100000 (O_LARGEFILE) | 02000 (O_APPEND) | 01 (O_WRONLY): the file is open write-only in append mode, which is exactly what you expect of a log file.
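Here is that decoding done in code, as an added example that is not part of the original post. The script parses an fdinfo file, splits the octal flags word into O_* names using the generic Linux flag values (the x86, x86-64 and arm64 layout; alpha, sparc, mips and parisc use different numbers), and, when run on a Linux box, opens a scratch file write-only/append and shows what the kernel recorded for it. The constants are hard-coded rather than taken from Python's os module because glibc on x86-64 defines O_LARGEFILE as 0 while the kernel still sets 0100000 in the descriptor's flags. The function names and the sample fdinfo text are my own.

```python
"""Decode the flags word shown in /proc/<pid>/fdinfo/<fd>.

Added example, not code from the original post. Flag values follow the
generic Linux open(2) layout (include/uapi/asm-generic/fcntl.h) used on x86,
x86-64 and arm64; alpha, sparc, mips and parisc encode them differently.
They are hard-coded because the kernel records O_LARGEFILE as 0100000 for
64-bit processes even though glibc on x86-64 defines it as 0.
"""
import os
import tempfile

# Constructed sample: the fdinfo contents quoted in the post above.
SAMPLE_FDINFO = "pos:\t0\nflags:\t0102001\n"

O_ACCMODE = 0o3
ACCESS_MODES = {0o0: "O_RDONLY", 0o1: "O_WRONLY", 0o2: "O_RDWR",
                0o3: "O_ACCMODE(3,invalid)"}

# Single-bit flags, lowest value first.
FLAG_BITS = [
    (0o100, "O_CREAT"), (0o200, "O_EXCL"), (0o400, "O_NOCTTY"),
    (0o1000, "O_TRUNC"), (0o2000, "O_APPEND"), (0o4000, "O_NONBLOCK"),
    (0o10000, "O_DSYNC"), (0o20000, "FASYNC"), (0o40000, "O_DIRECT"),
    (0o100000, "O_LARGEFILE"), (0o200000, "O_DIRECTORY"),
    (0o400000, "O_NOFOLLOW"), (0o1000000, "O_NOATIME"),
    (0o2000000, "O_CLOEXEC"), (0o4000000, "__O_SYNC"),
    (0o10000000, "O_PATH"), (0o20000000, "__O_TMPFILE"),
]
O_SYNC = 0o4010000  # glibc's O_SYNC is __O_SYNC | O_DSYNC; report it as one name


def decode_open_flags(flags):
    """Split an open(2) flags word (int, or the octal string from fdinfo) into O_* names."""
    if isinstance(flags, str):
        flags = int(flags, 8)
    names = [ACCESS_MODES[flags & O_ACCMODE]]   # the two low bits are a value, not flags
    remaining = flags & ~O_ACCMODE
    if (remaining & O_SYNC) == O_SYNC:
        names.append("O_SYNC")
        remaining &= ~O_SYNC
    for bit, name in FLAG_BITS:
        if remaining & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:  # a bit this table does not know, e.g. another architecture's layout
        names.append("unknown(0o%o)" % remaining)
    return names


def parse_fdinfo(text):
    """Turn the "key:<tab>value" lines of an fdinfo file into a dict of strings."""
    info = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            info[key.strip()] = value.strip()
    return info


def describe_fd(pid, fd):
    """Return (target path, raw flags, decoded flags) for one descriptor of a live process."""
    base = "/proc/%d" % pid
    with open("%s/fdinfo/%d" % (base, fd)) as fh:
        info = parse_fdinfo(fh.read())
    target = os.readlink("%s/fd/%d" % (base, fd))
    return target, info["flags"], decode_open_flags(info["flags"])


if __name__ == "__main__":
    print("sample:", " | ".join(decode_open_flags(parse_fdinfo(SAMPLE_FDINFO)["flags"])))
    if os.path.isdir("/proc/self/fdinfo"):
        # Open a scratch file the way a log writer would and read back what the
        # kernel recorded. Python's os.open adds O_CLOEXEC itself (PEP 446), so
        # expect that flag too on a current kernel.
        with tempfile.NamedTemporaryFile() as tmp:
            fd = os.open(tmp.name, os.O_WRONLY | os.O_APPEND)
            try:
                target, raw, names = describe_fd(os.getpid(), fd)
                print("%s: flags %s = %s" % (target, raw, " | ".join(names)))
            finally:
                os.close(fd)
```

Running it against a real process (for example `describe_fd(32048, 30)` as root) is the quickest way to confirm whether a daemon opened a log or a secret read-write when it only needed one of the two.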

Thursday 12 January 2012

Linux ACLs

Filesystem options and commands


First check to make sure the file system is mounted with acl settings

cat /proc/mounts |grep acl

/dev/sda1 / ext3 rw,noatime,relatime,errors=remount-ro,acl,data=ordered 0 0

If not, update /etc/fstab, add 'acl' to the options column for that file system and remount it (mount -o remount /). On newer distributions ext4 file systems are usually created with acl in their default mount options (check with tune2fs -l /dev/sda1 | grep 'Default mount options'), in which case it is enabled even though /proc/mounts does not list it; the simplest test is to run setfacl on a scratch file.

getfacl and setfacl are the two main commands. chacl is also available, for IRIX compatibility.


Use Cases


Grant 2 users permissions to the same directory and files under it


Let's say we want to grant users john and mary permissions to the folder /var/www/mysite.com

We can start by creating the directory. At this point we can leave it owned by root, as the ACLs will do the work.

ls -ld /var/www/mysite.com/
drwxr-xr-x 2 root root 4096 Feb 11 15:21 /var/www/mysite.com/

The first two commands grant users john and mary access to the directory itself. The second pair sets the same entries in the directory's default ACL, which is what new files and subdirectories created under it inherit, so this makes good sense in a multi-user, multi-editor environment. Each entry is colon separated: an optional default: prefix, then the user name (or g:groupname for a group), then the permissions. setfacl -d -m john:rwx is shorthand for the default: form. The commands below are run from /var/www.

setfacl -m john:rwx mysite.com
setfacl -m mary:rwx mysite.com

setfacl -m default:john:rwx mysite.com
setfacl -m default:mary:rwx mysite.com

getfacl mysite.com
# file: mysite.com
# owner: root
# group: root
user::rwx
user:john:rwx
user:mary:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:john:rwx
default:user:mary:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

Now create a file, logged in as user john.

john@slice01$ echo "john" > file1

john@slice01$ ls -l file1 
-rw-rw-r--+ 1 john john 4 Feb 11 15:31 file1

john@slice01$ getfacl file1 
# file: file1
# owner: john
# group: john
user::rw-
user:john:rwx   #effective:rw-
user:mary:rwx   #effective:rw-
group::r-x   #effective:r--
mask::rw-
other::r--

The + after the mode bits in ls -l shows the file carries an ACL. Note the mask::rw- entry: it was derived from the group bits of the mode the file was created with (0664 under john's umask of 002), and the named user and group entries are ANDed with it, which is what the #effective: annotations show. So mary gets rw- on the file rather than the rwx the default ACL lists (john gets rw- anyway as its owner), which is the behaviour you want for plain files.

Then create a directory

john@slice01$ mkdir john

john@slice01$ getfacl john
# file: john
# owner: john
# group: john
user::rwx
user:john:rwx
user:mary:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:john:rwx
default:user:mary:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

As you can see, mary is in the directory's ACL too, and because the default ACL was inherited as well, anything created inside john/ will carry the same entries.

You can test it by logging in as user mary and editing files created by john.

mary@slice01$ echo mary >> file1 

mary@slice01$ cat file1 
john
mary

mary@slice01$ cd john/

mary@slice01$ echo mary > file2
mary@slice01$ getfacl file2
# file: file2
# owner: mary
# group: mary
user::rw-
user:john:rwx   #effective:rw-
user:mary:rwx   #effective:rw-
group::r-x   #effective:r--
mask::rw-
other::r--

Two caveats. The default ACL only decides what new files start with: mary owns file2, so she can chmod it or setfacl -x john it and lock john out again, and files that existed before the default ACL was set are untouched (use setfacl -R -m ... to fix those up). Also, chmod on a file that carries an ACL changes the mask entry rather than the owning-group entry, so a careless chmod 600 silently cuts every named user's effective rights to nothing.



Grant 2 users permissions to the same directory and files under it except for 2 individual directories

Let's say we want john and mary to share /var/www/mysite.com/ and all files under it, but still have individual directories
/var/www/mysite.com/john and /var/www/mysite.com/mary

The mary directory was created under mysite.com, so it inherited the default ACL and john currently has rwx on it:

getfacl mary
# file: mary
# owner: mary
# group: mary
user::rwx
user:john:rwx
user:mary:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:john:rwx
default:user:mary:rwx
default:group::r-x
default:mask::rwx
default:other::r-x


The -k switch removes the default ACL entries (the directory's own access ACL is left alone):

setfacl -k mary

getfacl mary
# file: mary
# owner: mary
# group: mary
user::rwx
user:john:rwx
user:mary:rwx
group::r-x
mask::rwx
other::r-x


Then remove john's named entry as well (-x john is the same as -x user:john; setfacl recalculates the mask afterwards unless you pass -n):
setfacl -x john mary

getfacl mary
# file: mary
# owner: mary
# group: mary
user::rwx
user:mary:rwx
group::r-x
mask::rwx
other::r-x

Note that john can still read and traverse the directory through the other::r-x entry; removing his named entry only takes away write access. If the directory is meant to be private, also drop the other bits (chmod o-rx mary, or setfacl -m other::--- mary), and strip him from anything already created inside it with setfacl -R -x john mary.

Repeat the same for the john directory, removing mary instead.
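The following is an added example, not code from the original post, that serves both use cases above: it parses getfacl output and computes what a given user can actually do to the object, following the acl(5) access-check order (owner entry, then a matching named user entry, then the owning-group and named-group entries, then other::), with the mask entry applied to everything in the group class. Run on the file1 listing from the first use case it reproduces the #effective: annotations; run on the final mary directory listing from the second use case it shows that john still gets r-x through other::. The ACL texts are constructed from the listings in the post and the function names are my own.

```python
"""Work out what a user can actually do to a file from its getfacl output.

Added example, not part of the original post. Implements the acl(5)
access-check algorithm: the owner's user:: entry and the other:: entry are
used as-is, while named user entries, the owning group entry and named
group entries are ANDed with the mask:: entry. Access via groups succeeds
if any matching group entry grants the permission, hence the union below.
"""

# Constructed from the post: file1 as john created it under the shared
# directory (umask 002 gave mode 0664, so the mask came out as rw-).
FILE1_ACL = """\
# file: file1
# owner: john
# group: john
user::rw-
user:john:rwx   #effective:rw-
user:mary:rwx   #effective:rw-
group::r-x   #effective:r--
mask::rw-
other::r--
"""

# Constructed from the post: mary's directory after `setfacl -k mary` and
# `setfacl -x john mary`.
MARY_DIR_ACL = """\
# file: mary
# owner: mary
# group: mary
user::rwx
user:mary:rwx
group::r-x
mask::rwx
other::r-x
"""

PERM_ORDER = "rwx"


def parse_getfacl(text):
    """Parse getfacl output into owner, group, access entries and default entries.

    Entries are (tag, qualifier, permission set) tuples; the qualifier is ""
    for user::, group::, mask:: and other::. "#effective:" notes are dropped
    because we recompute them.
    """
    acl = {"owner": None, "group": None, "access": [], "default": []}
    for raw in text.splitlines():
        if raw.startswith("# owner:"):
            acl["owner"] = raw.split(":", 1)[1].strip()
        elif raw.startswith("# group:"):
            acl["group"] = raw.split(":", 1)[1].strip()
        elif raw.startswith("#") or not raw.strip():
            continue
        else:
            entry = raw.split("#", 1)[0].strip()
            bucket = acl["access"]
            if entry.startswith("default:"):
                entry = entry[len("default:"):]
                bucket = acl["default"]
            tag, qualifier, perms = entry.split(":")
            bucket.append((tag, qualifier, frozenset(perms.replace("-", ""))))
    return acl


def effective_perms(acl, user, groups=()):
    """Return the set of permissions ``user`` (a member of ``groups``) gets."""
    entries = {}
    for tag, qualifier, perms in acl["access"]:
        entries.setdefault(tag, {})[qualifier] = perms
    # A minimal ACL has no mask entry (and no named entries); treat it as rwx.
    mask = entries.get("mask", {}).get("", frozenset(PERM_ORDER))
    if user == acl["owner"]:
        return entries["user"][""]             # owner: mask does not apply
    if user in entries.get("user", {}):
        return entries["user"][user] & mask     # named user, masked
    granted, matched = frozenset(), False
    for g in set(groups):
        if g == acl["group"]:
            granted, matched = granted | entries["group"][""], True
        elif g in entries.get("group", {}):
            granted, matched = granted | entries["group"][g], True
    if matched:
        return granted & mask                   # any matching group entry may grant
    return entries["other"][""]                 # everyone else: mask does not apply


def fmt(perms):
    """Render a permission set in rwx order, e.g. {'r', 'w'} -> 'rw-'."""
    return "".join(p if p in perms else "-" for p in PERM_ORDER)


def world_access(acl):
    """Permissions everyone else on the system gets (the other:: entry, unmasked)."""
    for tag, qualifier, perms in acl["access"]:
        if tag == "other":
            return perms
    return frozenset()


if __name__ == "__main__":
    for label, text in (("file1", FILE1_ACL), ("mary/", MARY_DIR_ACL)):
        acl = parse_getfacl(text)
        for who in ("john", "mary", "bob"):   # each user's primary group is named after them
            print("%-6s %-5s %s" % (label, who, fmt(effective_perms(acl, who, [who]))))
        if world_access(acl):
            print("%-6s other::%s -> not private" % (label, fmt(world_access(acl))))
```

Feeding it `getfacl -R` output for a whole tree and asking for a user you intended to lock out is a cheap audit of the mistake the last use case invites: a directory whose named entries look right but whose other:: entry still lets everyone in.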