How to get a user's effective permissions (traditional+acl) for a file/dir?

I've looked at other answers but can't find an answer for this.



I have a file system which uses ACLs. I want to test what the resulting set of permissions (both traditional and ACLs) will be for a given user (or group, I guess) if they try to access a file nested within the file tree.



(Note - I'm not asking "can they access it" or "can they change it". I'm looking for output which tells me the complete human readable set of effective rights that that user would have, which could vary from none at all, to some rights but not others, to full rights.)



man getfacl doesn't say how to do this, but it's so basic I must be missing something.







  • getfacl takes into account the standard unix permissions (indeed setfacl will update them as necessary). But it's not the whole story, because the permissions on the directory path may impact things. If you want to know if a given user can access a file then a setuid program that sets uid to the user you want to test and then calls access(2) may be the way to go.
    – Stephen Harris
    Feb 18 at 0:45










  • That's exactly what prompted the question. I know that I can setuid to the user and test some flags - and it's inefficient (have to switch user to do it), incomplete (less easy to identify some ACLs if others are DENYed), and even if one can read all relevant ACLs in its dir path (hence is allowed to calculate the user's effective ACLs "the long way around") you might not have the ability to setuid to the user. Final nail in coffin: access doesn't seem to return ACLs anyway. I appreciate the comment but it doesn't seem to get closer to an answer.
    – Stilez
    Feb 18 at 7:24















asked Feb 17 at 23:37









Stilez
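
Added example (not part of the original question or comments): one way to compute "the long way around" what the thread describes, by parsing `getfacl` text for each path component and applying the access-check order documented in acl(5), including the search permission needed on every parent directory. It assumes POSIX.1e ACLs as printed by `getfacl` (not NFSv4-style allow/deny ACLs) and does not model root or capabilities; the function names are hypothetical and the ACL dumps are constructed.

```python
# Constructed getfacl output for a directory and a file inside it (not real data).
DIR_ACL = """# owner: root
# group: staff
user::rwx
group::r-x
group:audit:r-x
mask::r-x
other::---"""
FILE_ACL = """# owner: alice
# group: staff
user::rw-
user:bob:rw-\t#effective:r--
group::r--
mask::r--
other::---"""

def parse_getfacl(text):
    """Parse one getfacl block into owner, group and (tag, qualifier, perms) entries."""
    acl = {"owner": None, "group": None, "entries": []}
    for line in map(str.strip, text.splitlines()):
        if line.startswith(("# owner:", "# group:")):
            acl[line[2:7]] = line.split(":", 1)[1].strip()   # key is "owner" or "group"
        elif line and not line.startswith(("#", "default:")):
            acl["entries"].append(tuple(line.split("#")[0].strip().split(":")))
    return acl

def effective(acl, user, groups):
    """Rights ('r','w','x') for user, following the acl(5) access-check order."""
    def perms(tag, who=""):
        return [set(p) - {"-"} for t, q, p in acl["entries"] if (t, q) == (tag, who)]
    mask = (perms("mask") or [set("rwx")])[0]      # no mask entry: nothing is masked
    if user == acl["owner"]:
        return perms("user")[0]                    # owner entry is never masked
    if perms("user", user):
        return perms("user", user)[0] & mask       # named user entry, masked
    matched = perms("group") if acl["group"] in groups else []
    for g in groups:
        matched += perms("group", g)               # named group entries
    if matched:                                    # per-bit union; a combined request
        return set().union(*matched) & mask        # needs one entry holding all bits
    return perms("other")[0]

def effective_on_path(acl_texts, user, groups):
    """acl_texts: getfacl blocks from the top directory down to the target."""
    *dirs, target = [parse_getfacl(t) for t in acl_texts]
    if any("x" not in effective(d, user, groups) for d in dirs):
        return set()                               # an ancestor denies search
    return effective(target, user, groups)
```

With these sample ACLs, `bob` gets only `r` on the file when he is in `audit` (his named entry is cut down by the mask) and nothing at all without that group, because the parent directory then denies search.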
