Setting per-directory umask using ACLs

linux permissions access-control-list umask posix
14,545

This is a typical job for ACLs :-)

Your example

$ mkdir /tmp/foo

Set the permissions for the directory itself

$ setfacl -m g::rwx -m o::rx  /tmp/foo

Set the permissions for the newly created directory and files in that directory.

$ setfacl -m default:g::rwx -m o::rx  /tmp/foo

Test

$ mkdir /tmp/foo/bar
$ touch /tmp/foo/bar/baz.py
$ ls -ld /tmp/foo/bar /tmp/foo/bar/baz.py
drwxrwxr-x+ 2 jdoe jdoe 4096 Mar 10 00:06 /tmp/foo/bar
-rw-rw-r--  1 jdoe jdoe    0 Mar 10 00:06 /tmp/foo/bar/baz.py

Explanations

  • The concept of mask is very different with ACL and Unix permissions mask. the ACL's mask is an attribute of the file... which restrict the maximum permission granted through ACL (mask:r-x + group:foo:rwx => effective permissions = r-x)
  • Warning: modifying the Unix permission of the group, also modifies the ACL's mask (by design!).

Suggestions

  • Use setgid (like chmod 2755), so you control which group can write to the file.
  • and/or explicitly grant permissions to a group setfacl -m group:dev_team:rwx
Share:
14,545

Related videos on Youtube

Yarin
Author by

Yarin

Updated on September 18, 2022

Comments

  • Yarin
    Yarin almost 2 years

    We want to mimic the behavior of a system-wide 002 umask on a certain directory foo, in order to ensure the following result:

    1. All sub-directories created underneath foo will have 775 permissions
    2. All files created underneath foo and subdirectories will have 664 permissions
    3. 1 and 2 will happen for files/dirs created by all users, including root, and all daemons.

    Assuming that ACL is enabled on our partition, this is the command we came up with: 

    setfacl -R -d -m mask:002 foo

    ... but this doesn't work. New files created in the directory end up looking like:

    -rw--w-r--+

    When I run getfacl on the new file, I get:

    # file: newfile.py
    # owner: root
    # group: agroup
    user::rw-
    group::rwx #effective:-w-
    mask::-w-
    other::r--

    In other words, applying a mask:200 with ACL is not the same as applying umask 200.

    So is there a way to apply a per-directory umask with an ACL?

  • andreas-h
    andreas-h almost 9 years
    @Yarin: Did this work for you?

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

Can I override my umask using ACLs to make all files created in a given directory world readable?
How to prevent file owner from changing/deleting their own file? Linux CentOS
NFSv3 + ACL: mask is gone on clients
Conflicts between ACLs and umask
Specify default group and permissions for new files in a certain directory
How to allow members of a group to change file permissions on linux
setfacl to reset file to default permissions?
linux/setfacl - Set all current/future files/directories in parent directory to 775 with specified owner/group
How does umask affect ACLs?
Downsides of umask 077?