Using setfacl to create recursive permissions for Apache with rsync
Issue #1: Rsync is dropping ACLs
After applying the ACL permissions you need to take care that when you perform your rsync you're using either the -A or --acls switch. This instructs rsync to make sure to preserve these when doing the sync.

excerpt from rsync man page

    -A, --acls                  preserve ACLs (implies -p)
Issue #2: No ACL permissions
In looking at your example it does contain permissions as follows.

traditional perms

    # owner: stian
    # group: admin
    user::rwx
    group::r-x
    other::r-x

ACLs

    default:user::rwx
    default:user:www-data:rwx
    default:group::r-x
    default:mask::rwx
    default:other::r-x

But these ACLs are for the creation of new objects, and don't work exactly the way you think. You still need to create an entry for user www-data in addition to the default ACL perms.
Example

    $ pwd
    /tmp/somedir
    $ mkdir data
    $ setfacl -R -d -m u:gopher:7 data
    $ getfacl data
    # file: data
    # owner: root
    # group: root
    user::rwx
    group::r-x
    other::r-x
    default:user::rwx
    default:user:gopher:rwx
    default:group::r-x
    default:mask::rwx
    default:other::r-x
An experiment

Now let's try and write a file to the data directory as user gopher.

    $ sudo -u gopher touch /tmp/somedir/data/afile
    touch: cannot touch `/tmp/somedir/data/afile': Permission denied
Look familiar?
Adding additional ACL permissions

It's because you need to add an ACL for the user www-data; the default rules aren't for access, they're for creating new files/directories.

    $ setfacl -R -m u:gopher:7 data
Now check the data directory again:

    $ getfacl data
    # file: data
    # owner: root
    # group: root
    user::rwx
    user:gopher:rwx
    group::r-x
    mask::rwx
    other::r-x
    default:user::rwx
    default:user:gopher:rwx
    default:group::r-x
    default:mask::rwx
    default:other::r-x
The only difference is that we now have an ACL saying that user gopher has rwx access:

    user:gopher:rwx
Repeat the experiment

Try writing data to the directory again:

    $ sudo -u gopher touch /tmp/somedir/data/afile
    $

It worked!!! Double check the resulting file:

    $ ls -l /tmp/somedir/data/afile
    -rw-rw-r--+ 1 gopher gopher 0 Oct 7 21:36 /tmp/somedir/data/afile
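A check for the exact mismatch this answer describes, added here as an example and not part of the original answer: a Python script that parses getfacl output, lists users that have only a default: entry (which grants nothing on the directory itself), and computes a named user's effective access entry as capped by the mask. The getfacl text is constructed sample data modelled on the question, and the function names are this example's own.

```python
"""Parse getfacl output; flag users with only a default: entry (constructed sample data)."""

# Constructed: the questioner's situation, default entry but no access entry.
SAMPLE_DEFAULT_ONLY = """\
# file: var/www/wiki/data
# owner: stian
# group: admin
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:www-data:rwx
default:group::r-x
default:mask::rwx
default:other::r-x
"""

# Constructed: the same directory after `setfacl -R -m u:www-data:7` was also run.
SAMPLE_FIXED = SAMPLE_DEFAULT_ONLY.replace(
    "group::r-x\nother::r-x\n",
    "user:www-data:rwx\ngroup::r-x\nmask::rwx\nother::r-x\n", 1)

# Constructed: a tighter access mask, which caps the named-user entry.
SAMPLE_MASKED = SAMPLE_FIXED.replace("mask::rwx\nother", "mask::r-x\nother", 1)


def parse_getfacl(text):
    """Return {'access': {(tag, qualifier): perms}, 'default': {...}}."""
    acl = {"access": {}, "default": {}}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop header lines and #effective notes
        if not line:
            continue
        kind = "access"
        if line.startswith("default:"):
            kind, line = "default", line[len("default:"):]
        tag, qualifier, perms = line.split(":", 2)
        acl[kind][(tag, qualifier)] = perms
    return acl


def default_only_users(acl):
    """Named users with a default entry but no access entry: the symptom on this page."""
    return sorted(q for tag, q in acl["default"]
                  if tag == "user" and q and ("user", q) not in acl["access"])


def effective_user_perms(acl, user):
    """Access entry for `user` capped by the mask; None if absent (default entries never grant access)."""
    entry = acl["access"].get(("user", user))
    if entry is None:
        return None
    mask = acl["access"].get(("mask", ""), "rwx")
    return "".join(e if e != "-" and m != "-" else "-" for e, m in zip(entry, mask))
```

Run it against `getfacl` output captured from the real directory to confirm that the web server user has an access entry and that the mask does not silently drop the write bit.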
Stian Håklev
Updated on September 18, 2022

Comments
- Stian Håklev over 1 year

  I have a Dokuwiki installation locally, which I regularly sync to my server with rsync. I'm also going to give a friend of mine an ssh account, and host his public Dokuwiki installation. However, I'm having a problem with access permissions - even though the mirror is read-only, Dokuwiki still needs write-permissions to the data directory for cache etc. The Apache server runs as user www-data, and every time I do a rsync, it resets permissions.

  Based on some other answers on this site, I tried using setfacl to set default permissions, but it doesn't seem to work - getfacl indicates that the permissions exist, but Dokuwiki won't run, and when I try to write a file as user www-data, it also doesn't work. What am I missing?

      wiki/data$ sudo su www-data
      $ pwd
      /var/www/wiki/data
      $ whoami
      www-data
      $ touch hi
      touch: cannot touch `hi': Permission denied
      $ getfacl /var/www/wiki/data
      getfacl: Removing leading '/' from absolute path names
      # file: var/www/wiki/data
      # owner: stian
      # group: admin
      user::rwx
      group::r-x
      other::r-x
      default:user::rwx
      default:user:www-data:rwx
      default:group::r-x
      default:mask::rwx
      default:other::r-x

  Here's the command I used to set the permissions:

      setfacl -R -d -m u:www-data:7 /var/www/*
- Gilles 'SO- stop being evil' over 10 years: What command are you using with rsync? Default ACLs should apply. Also please show the ACL of a sample file.
- Stian Håklev over 10 years: That makes sense but if you look at the code above, using getfacl, it does list that the file has the appropriate permissions?
- Gilles 'SO- stop being evil' over 10 years: @StianHåklev No, the file doesn't have the appropriate permissions. It has no ACL beyond the traditional unix permissions, and belongs to the user stian, not www-data. The default ACLs are only applied to newly created files; rsync sets the permissions based on the permissions on the source side. rsync -A will copy ACLs if you have the same ACLs on the source machine, is that the case?