From: Andrew Bradford <a-bb@gmx.net>
Date: Thu, 21 Feb 2008 13:22:34 -0800
To: Mel
Cc: freebsd-questions@freebsd.org
Subject: Re: Mounting FS read-only for specific user (or root)
Message-id: <47BDEB9A.80207@gmx.net>
In-reply-to: <200802212131.16581.fbsd.questions@rachie.is-a-geek.net>

Mel wrote:
> On Thursday 21 February 2008 20:32:37 Andrew Bradford wrote:
>
>> Erik Norgaard wrote:
>>
>>> I assume the reasoning for this is you want to preserve permissions
>>> and attributes on your backup, so you can't solve this simply by
>>> setting permissions appropriately.
>>
>> Yes, exactly. Users need to be able to see their own backups, and
>> nobody else's.
>
> Isn't this what ACLs are for? See setfacl(8). I haven't looked into it in
> great detail, but it seems to me that if you make a subdir owned by the user
> for each backup root for that user and set the ACL to only be accessible by
> the user, it should work.

I can't test it on my system at the moment, but wouldn't ACLs make the files writable for general users? The backup filesystem needs to be mounted read-write for root only, and read-only for general users, yet maintain ownership and permissions. Is it possible to use ACLs to revoke normal UNIX permissions on a directory hierarchy? I.e. use ACLs to limit users from writing to the read-write backup filesystem.
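[Editor's note: the following is an added worked example, not part of the original thread or any reply in it.] The question above turns on what a POSIX.1e ACL mask can and cannot revoke. On FreeBSD UFS, the mask entry (`mask::`) caps the permissions of named-user entries, the owning-group entry and named-group entries, but it never applies to the file owner's own entry (`user::`) or to `other::`; root bypasses discretionary access checks regardless of ACLs. The shell function below, written for this page, reproduces the POSIX.1e effective-permission algorithm over an ACL listing in the long format that getfacl(1) prints. The ACL text, the principals (`alice`, `backup`, `bob`, `carol`) and their group memberships are constructed for the example and are not from the thread.

```shell
#!/bin/sh
# acl_effective ACL_TEXT USER "GROUP1,GROUP2,..." FILE_OWNER FILE_GROUP
# Prints the effective rwx triple that USER gets on a file whose POSIX.1e
# ACL is ACL_TEXT (getfacl long form). Implements the POSIX.1e check order:
#   1. file owner  -> user:: entry, NOT masked
#   2. named user  -> user:NAME entry, masked
#   3. group class -> union of matching group::/group:NAME entries, masked
#   4. other       -> other:: entry, NOT masked
# Root is not modelled: the kernel grants root regardless of these bits.
acl_effective() {
    acl=$1; who=$2; groups=$3; owner=$4; fgroup=$5
    printf '%s\n' "$acl" | awk -v who="$who" -v groups="$groups" \
                               -v owner="$owner" -v fgroup="$fgroup" '
    function andperm(a, b,    i, out, ca, cb) {   # bitwise AND of two triples
        out = ""
        for (i = 1; i <= 3; i++) {
            ca = substr(a, i, 1); cb = substr(b, i, 1)
            out = out ((ca != "-" && ca == cb) ? ca : "-")
        }
        return out
    }
    function orperm(a, b,    i, out, ca, cb) {    # bitwise OR of two triples
        out = ""
        for (i = 1; i <= 3; i++) {
            ca = substr(a, i, 1); cb = substr(b, i, 1)
            out = out (ca != "-" ? ca : cb)
        }
        return out
    }
    BEGIN { mask = "rwx"; uown = "---"; gown = "---"; other = "---"
            split("", named_u); split("", named_g) }
    { sub(/[ \t]*#.*$/, "") }            # drop "# effective:" annotations
    /^$/ { next }
    {
        split($0, f, ":")
        tag = f[1]; qual = f[2]; perm = f[3]
        if      (tag == "user"  && qual == "") uown = perm
        else if (tag == "user")                named_u[qual] = perm
        else if (tag == "group" && qual == "") gown = perm
        else if (tag == "group")               named_g[qual] = perm
        else if (tag == "mask")                mask = perm
        else if (tag == "other")               other = perm
    }
    END {
        if (who == owner)    { print uown; exit }                 # unmasked
        if (who in named_u)  { print andperm(named_u[who], mask); exit }
        n = split(groups, gl, ","); acc = "---"; matched = 0
        for (i = 1; i <= n; i++) {
            if (gl[i] == fgroup)      { acc = orperm(acc, gown); matched = 1 }
            if (gl[i] in named_g)     { acc = orperm(acc, named_g[gl[i]]); matched = 1 }
        }
        if (matched)         { print andperm(acc, mask); exit }
        print other                                                # unmasked
    }'
}

# Constructed sample: a file in alice'"'"'s backup tree whose owner bits were
# preserved (rw-), with a named "backup" user and the owning group capped by
# a mask that removes write.
SAMPLE_ACL='# file: /backup/alice/notes.txt
# owner: alice
# group: alice
user::rw-
user:backup:rwx
group::rw-
mask::r-x
other::---'

# Usage (stand-alone run):
#   alice   (owner)        -> rw-   mask does not touch the owner entry
#   backup  (named user)   -> r-x   rwx capped by mask
#   bob     (in group alice) -> r--   rw- capped by mask
#   carol   (no match)     -> ---   other:: entry
for p in "alice alice" "backup backup" "bob alice,users" "carol users"; do
    set -- $p
    printf '%-7s %s\n' "$1" "$(acl_effective "$SAMPLE_ACL" "$1" "$2" alice alice)"
done
```

What the run shows: the mask strips write from every group-class principal and from the named `backup` user, which is the part of the ACL mechanism that does revoke ordinary UNIX group permissions. It leaves the owner's `rw-` intact, so the owning user of a preserved backup file keeps write access on a read-write mount unless the owner bits themselves are changed (which is exactly what the thread wants to avoid), and root is unaffected either way.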