unix/setfacl: set directory default acl for correct permission inheritance


Solution 1

well, i should've just read the manual...

https://web.archive.org/web/20151220084629/http://turing.suse.de/~agruen/acl/linux-acls/online/
Section 'How ACLs Work'

my group bit was too restrictive (r-w), which restricted the mask to r-x, and subsequently the named users in my ACL could not write

actually, it's rather simple :)
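
The rule Solution 1 refers to, modeled as an added example (not code from this thread or from the acl tools): on creation the new object copies the parent's default ACL, and user::, mask:: and other:: are ANDed with the creation mode, so group bits of r-x in that mode cap every named user at r-x. It assumes the default ACL contains a mask entry; the sample ACL is retyped from the question's getfacl output, and the function names are made up for this sketch.

```python
def parse_acl(text):
    """Parse getfacl-style lines into {(tag, qualifier): perms}; '#' comments dropped."""
    acl = {}
    for line in text.splitlines():
        line = line.split("#")[0].strip()
        if line:
            tag, qual, perms = line.split(":")
            acl[(tag, qual)] = perms
    return acl

def intersect(perms, bits):
    """AND an 'rwx'-style string with one octal digit of a file mode."""
    return "".join(c if bits & m else "-" for c, m in zip(perms, (4, 2, 1)))

def inherit(default_acl, mode):
    """Access ACL of an object created with `mode` below a directory carrying
    `default_acl`. Per acl(5) the umask is not applied in this case; the owner,
    group-class (= mask::) and other entries are limited by the mode instead.
    Assumption: default_acl has a mask:: entry."""
    acl = dict(default_acl)
    for tag, shift in (("user", 6), ("mask", 3), ("other", 0)):
        acl[(tag, "")] = intersect(acl[(tag, "")], mode >> shift & 7)
    return acl

def effective(acl, tag, qual):
    """Named users, named groups and group:: are all filtered through mask::."""
    perms = acl[(tag, qual)]
    if (tag, qual) in (("user", ""), ("other", "")):
        return perms
    return "".join(p if p == m else "-" for p, m in zip(perms, acl[("mask", "")]))

# Default ACL of /projects/svn as shown in the question ("default:" prefix removed).
DEFAULT = parse_acl("""
user::rwx
user:wwwrun:rwx
user:unix:rwx
group::r-x
mask::rwx
other::r-x
""")

if __name__ == "__main__":
    for mode in (0o777, 0o755):
        acl = inherit(DEFAULT, mode)
        print(oct(mode), "mask:", acl[("mask", "")],
              "unix effective:", effective(acl, "user", "unix"))
```

A creation mode of 0777 reproduces the listing in Solution 2, while 0755 reproduces the `mask::r-x` and `#effective:r-x` lines from the question.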

Solution 2

I cannot reproduce what you get; I get the expected behaviour whether I include the m:rwx or not. This is on a Linux Ubuntu 10.04 LTS (Lucid Lynx) with kernel 2.6.32-24-generic, the ext4 filesystem and setfacl v. 2.2.49: (Users 'bhm' and 'test')

$ pwd
/data/musikk/dir
$ setfacl -b .
$ setfacl -m u:bhm:rwx,u:test:rwx,m:rwx .
$ setfacl -dm u:bhm:rwx,u:test:rwx,m:rwx .
$ getfacl .
# file: .
# owner: bhm
# group: bhm
user::rwx
user:bhm:rwx
user:test:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:bhm:rwx
default:user:test:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

$ su -s /bin/bash test
Password: 
test@hva:/data/musikk/dir$ mkdir testdir
test@hva:/data/musikk/dir$ getfacl testdir
# file: testdir
# owner: test
# group: test
user::rwx
user:bhm:rwx
user:test:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:bhm:rwx
default:user:test:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
Author by

fholzer

Updated on September 17, 2022

Comments

  • fholzer
    fholzer over 1 year

    I have several svn repositories in /projects/svn which should be writeable by 2 users, mine (unix), and wwwrun (apache, for svn over http)

    newly created folders and file should be read/writeable by both users

    i played around with setfacl but couldn't get it working the way i need it

    my attempt was as follows:

    unknown:/projects/svn # setfacl -b .
    unknown:/projects/svn # setfacl -m u:unix:rwx,u:wwwrun:rwx,m:rwx .
    unknown:/projects/svn # setfacl -dm u:unix:rwx,u:wwwrun:rwx,m:rwx .
    unknown:/projects/svn # getfacl .
    # file: .
    # owner: unix
    # group: users
    user::rwx
    user:wwwrun:rwx
    user:unix:rwx
    group::r-x
    mask::rwx
    other::r-x
    default:user::rwx
    default:user:wwwrun:rwx
    default:user:unix:rwx
    default:group::r-x
    default:mask::rwx
    default:other::r-x
    
    unknown:/projects/svn # su -s /bin/bash wwwrun
    wwwrun@unknown:/projects/svn> md test
    wwwrun@unknown:/projects/svn> getfacl test
    # file: test
    # owner: wwwrun
    # group: www
    user::rwx
    user:wwwrun:rwx                 #effective:r-x
    user:unix:rwx                   #effective:r-x
    group::r-x
    mask::r-x
    other::r-x
    default:user::rwx
    default:user:wwwrun:rwx
    default:user:unix:rwx
    default:group::r-x
    default:mask::rwx
    default:other::r-x
    
    wwwrun@unknown:/projects/svn>
    

    as you can see, my user (unix) has only r-x (as effective) permissions

  • fholzer
    fholzer over 13 years
    now the mask is automatically calculated, which results in a default:mask:rwx and mask:r-x => again, effective permissions: r-x. is what i want actually possible?
  • fholzer
    fholzer over 13 years
    hm, that's strange, i run openSUSE 11.2, Linux 2.6.34.1-default, setfacl 2.2.48. I tried it again, with different users and different directories. i can't figure out why it doesn't work for me...
  • David Gardner
    David Gardner over 7 years
    Link now dead - please add the actual content instead :)
  • fholzer
    fholzer over 7 years
    waybackmachine has a snapshot of the link. just updated it; only one image is missing