Is it a good idea to use setfacl for additional group permissions?
by That Random Guy from LinuxQuestions.org on (#543M6)
Hello,
Long story short, I spun up a VM loaded with RHEL and had to install Oracle DBMS on it (for work).
After some nifty tutorials, I wound up with the "application" directory for Oracle and it's component right under / in a folder called u01.
The problem later became that my PM did not want me giving away the oracle account to some outside folk who do not deal with our work on a day-to-day basis. This made sense as the oracle user was used to install the DBMS and is the owner for the entire directory and its subcontents.
For whatever reason, in my head at the time, I came up with the suggestion to just come up with a new group (I blame Microsoft). After some Googling, I discovered I could then give this group explicit access to particular files/folders where this outside/additional person was requesting access for-items which existed inside this oracle directory (u01).
TL;DR:
Fast forward to today, I have been successful in enabling access to the resources this person has been asking for (e.g. log files) by adding them to the new group and then using setfacl to update the ACLs to include necessary permissions for this group on the requested resource. This new group is not the associated group in any of the objects found under the application folder where as otherwise listed from a command like ls -l.
My question is now: is this a bad thing to do? For those who have more experience than I or who have a better understanding of Unix/Linux permissions, have you ever encountered unexpected consequences from doing something like this?
My concern is that I'm probably not following some best practice for access control when it comes to file permissions and the like.
Long story short, I spun up a VM loaded with RHEL and had to install Oracle DBMS on it (for work).
After some nifty tutorials, I wound up with the "application" directory for Oracle and it's component right under / in a folder called u01.
The problem later became that my PM did not want me giving away the oracle account to some outside folk who do not deal with our work on a day-to-day basis. This made sense as the oracle user was used to install the DBMS and is the owner for the entire directory and its subcontents.
For whatever reason, in my head at the time, I came up with the suggestion to just come up with a new group (I blame Microsoft). After some Googling, I discovered I could then give this group explicit access to particular files/folders where this outside/additional person was requesting access for-items which existed inside this oracle directory (u01).
TL;DR:
Fast forward to today, I have been successful in enabling access to the resources this person has been asking for (e.g. log files) by adding them to the new group and then using setfacl to update the ACLs to include necessary permissions for this group on the requested resource. This new group is not the associated group in any of the objects found under the application folder where as otherwise listed from a command like ls -l.
My question is now: is this a bad thing to do? For those who have more experience than I or who have a better understanding of Unix/Linux permissions, have you ever encountered unexpected consequences from doing something like this?
My concern is that I'm probably not following some best practice for access control when it comes to file permissions and the like.