On Sun, 13 Jan 2013 18:34:27 +0100 Christian Rößner cr@sys4.de wrote:
Am 13.01.2013 um 18:13 schrieb Christian Rößner cr@sys4.de:
6537 1020 open("/etc/ssl/private/mx0.roessner-net.de.key.pem", O_RDONLY) = -1 EACCES (Permission denied)
I had messed up ACLs for this file. After creating private and key again with the correct setfacl command, everything works as expected. Sorry for the noise, but this was really hard to find out.
Wrong:
getfacl private/
# file: private
# owner: root
# group: ssl-cert
# flags: -s-
user::rwx
user:amavis:r-x
group::---
mask::r-x
other::---
Right:
getfacl private/
# file: private/
# owner: root
# group: ssl-cert
user::rwx
user:amavis:r-x
group::r-x
mask::r-x
other::---
So as you can see the group settings got lost…
Thanks
Slightly off-topic from my side, but wanted to mention it since I've worked with POSIX ACLs a bit.
Personally, I've had very bad experiences with POSIX ACLs. They can act in quite an unintuitive way when you start combining them with different umasks, originating directory/file permissions (in case of copying), sticky bits, and chmods on files/directories where you've already set up the permissions (not to mention that some stuff seems to outright ignore it, like mod_php5/php).
Unfortunately, due to a couple of very bad design decisions, the POSIX ACL (at least for me) turned out to be quite unusable in most cases (like sharing files via Samba, even though Samba itself had enough problems of its own). I've also attempted using it at some point for some LAMP apps I've deployed, and ended up abandoning them in favour of group sticky bits on directories (wanted to administer the web app with a regular account, while still letting Apache access files using umask 0007).
So, personally, I'd avoid using them.
Best regards
P.S. Sorry for off-topic or if you were already aware of this, but wanted to post it just in case :)
-- Branko Majic Jabber: branko@majic.rs Please use only Free formats when sending attachments to me.
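Added example, not code from either message in this thread: a small model of the POSIX ACL access check from acl(5), run over the two getfacl listings Christian posted (re-wrapped one entry per line, as getfacl normally prints them). It shows why "group::---" under a "mask::r-x" leaves owning-group members with nothing while the named user amavis keeps r-x, and it models the chmod interaction Branko mentions: once a mask entry exists, the group bits of chmod rewrite the mask, not the group entry, so chmod g=rx would not have repaired the wrong listing, whereas setfacl -m g::r-x does (and recalculates the mask, per setfacl(1)). The "postfix" identity used as an ssl-cert member is a constructed assumption; the thread does not say which user hit the EACCES. Nothing here touches a real filesystem.

```python
"""Model of the POSIX ACL access check from acl(5), applied to the two
getfacl listings from the thread. It parses getfacl text and mimics the
kernel's decision instead of calling the filesystem, so it runs anywhere."""

# Listings from the post, re-wrapped one entry per line (getfacl's own layout).
WRONG_ACL = """\
# file: private
# owner: root
# group: ssl-cert
# flags: -s-
user::rwx
user:amavis:r-x
group::---
mask::r-x
other::---
"""

RIGHT_ACL = """\
# file: private/
# owner: root
# group: ssl-cert
user::rwx
user:amavis:r-x
group::r-x
mask::r-x
other::---
"""

PERM_ORDER = "rwx"


def parse_getfacl(text):
    """Return (owner, owning_group, entries); entries maps (tag, qualifier)
    to a set of permission chars, in the order getfacl printed them."""
    owner = group = None
    entries = {}
    for raw in text.splitlines():
        line = raw.split("#effective")[0].strip()   # drop getfacl's effective-rights hint
        if not line:
            continue
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line.startswith("#"):
            continue                                  # "# file:", "# flags:"
        else:
            tag, qual, perms = line.split(":")
            entries[(tag, qual)] = set(perms) - {"-"}
    return owner, group, entries


def render_getfacl(owner, group, entries):
    """Inverse of parse_getfacl, so modified ACLs can be fed back in."""
    lines = [f"# owner: {owner}", f"# group: {group}"]
    for (tag, qual), perms in entries.items():
        lines.append(f"{tag}:{qual}:" + "".join(c if c in perms else "-" for c in PERM_ORDER))
    return "\n".join(lines) + "\n"


def check_access(acl_text, user, groups, wanted):
    """True if `user` (whose group list is `groups`) holds every permission
    char in `wanted`, following the evaluation order in acl(5)."""
    owner, owning_group, e = parse_getfacl(acl_text)
    wanted, mask = set(wanted), e.get(("mask", ""))

    def masked(perms):                      # mask applies to everything but owner/other
        return perms if mask is None else perms & mask

    if user == owner:                       # 1. owner entry, mask not applied
        return wanted <= e[("user", "")]
    if ("user", user) in e:                 # 2. named user, mask applied
        return wanted <= masked(e[("user", user)])
    candidates = [e[("group", "")]] if owning_group in groups else []
    candidates += [e[("group", g)] for g in groups if ("group", g) in e]
    if candidates:                          # 3. group class: one entry must cover all bits
        return any(wanted <= masked(p) for p in candidates)
    return wanted <= e[("other", "")]       # 4. everyone else


def chmod_group(acl_text, perms):
    """Model of `chmod g=<perms>` on an object that already has an ACL: per
    acl(5) the group bits of the mode are the mask entry when one exists,
    so chmod rewrites mask:: and leaves group:: exactly as it was."""
    owner, group, e = parse_getfacl(acl_text)
    target = ("mask", "") if ("mask", "") in e else ("group", "")
    e[target] = set(perms) - {"-"}
    return render_getfacl(owner, group, e)


def setfacl_modify(acl_text, tag, qual, perms):
    """Model of `setfacl -m <tag>:<qual>:<perms>` without -n: the entry is
    replaced and, unless the mask itself was given, mask:: is recalculated
    as the union of what it governs (owning group, named users, named groups)."""
    owner, group, e = parse_getfacl(acl_text)
    e[(tag, qual)] = set(perms) - {"-"}
    if tag != "mask" and ("mask", "") in e:
        governed = [p for (t, q), p in e.items() if (t, q) == ("group", "") or q]
        e[("mask", "")] = set().union(*governed)
    return render_getfacl(owner, group, e)


if __name__ == "__main__":
    member = ("postfix", {"postfix", "ssl-cert"})   # constructed identity, not from the post
    for name, acl in (("wrong", WRONG_ACL), ("right", RIGHT_ACL)):
        print(name, "amavis r-x:", check_access(acl, "amavis", {"amavis"}, "rx"),
              "| ssl-cert member r-x:", check_access(acl, *member, "rx"))
    print("after chmod g=rx:", check_access(chmod_group(WRONG_ACL, "r-x"), *member, "rx"))
    print("after setfacl -m g::r-x:",
          check_access(setfacl_modify(WRONG_ACL, "group", "", "r-x"), *member, "rx"))
```

Run it and the wrong listing grants amavis but denies the ssl-cert member; chmod g=rx leaves that unchanged because only mask:: moves, while setfacl -m g::r-x flips it to granted. The same parser will also show the mask cutting a named user down when you model "setfacl -m m::r--" on the right listing.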