Using setfacl to create recursive permissions for Apache with rsync


Issue #1: Rsync is dropping ACLs

After applying the ACL permissions you need to take care that when you perform your rsync you're using either the -A or --acls switch. This instructs rsync to preserve these when doing the sync.

excerpt from rsync man page

    -A, --acls                  preserve ACLs (implies -p)

Issue #2: No ACL permissions

Looking at your example, it does contain permissions as follows.

traditional perms

# owner: stian
# group: admin
user::rwx
group::r-x
other::r-x

ACLs

default:user::rwx
default:user:www-data:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

But these ACLs are for the creation of new objects and don't work exactly the way you think. You still need to create an entry for user www-data in addition to the default ACL perms.

Example

$ pwd
/tmp/somedir

$ mkdir data
$ setfacl -R -d -m u:gopher:7 data

$ getfacl data
# file: data
# owner: root
# group: root
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:gopher:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

An experiment

Now let's try and write a file to the data directory as user gopher.

$ sudo -u gopher touch /tmp/somedir/data/afile
touch: cannot touch `/tmp/somedir/data/afile': Permission denied

Look familiar?

Adding additional ACL permissions

It's because you need to add an ACL for the user www-data; the default rules aren't for access, they're for creating new files/directories.

$ setfacl -R -m u:gopher:7 data

Now check the data directory again:

$ getfacl data
# file: data
# owner: root
# group: root
user::rwx
user:gopher:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:gopher:rwx
default:group::r-x
default:mask::rwx
default:other::r-x

The only difference is that we now have an ACL saying that user gopher has rwx access:

user:gopher:rwx

Repeat the experiment

Try writing data to the directory again:

$ sudo -u gopher touch /tmp/somedir/data/afile
$

It worked!!! Double-check the resulting file:

$ ls -l /tmp/somedir/data/afile
-rw-rw-r--+ 1 gopher gopher 0 Oct  7 21:36 /tmp/somedir/data/afile
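The two states the answer distinguishes (a default entry only, versus a real access entry) and the first issue (rsync without -A dropping the ACLs altogether) can be checked mechanically from getfacl output. The script below is an added example, not code from the answer above: it parses getfacl listings (constructed here, modelled on the question's listing, so it runs without setfacl or a www-data user) and reports whether the named user has an access entry, only a default entry, or nothing, plus the effective permission after the mask:: entry is applied. The fourth sample goes beyond the page and shows a related trap: a later chmod on a directory with an ACL rewrites the mask, so the entry survives but the effective permission shrinks.

```shell
#!/bin/sh
# Added example, not from the original answer. Parses getfacl output and
# classifies the state of a named user's ACL entries on a directory.

# Constructed getfacl output: what `setfacl -R -d -m u:www-data:7` alone
# produces. Only default:user:www-data exists, so www-data cannot write here.
ACL_DEFAULT_ONLY='# file: var/www/wiki/data
# owner: stian
# group: admin
user::rwx
group::r-x
other::r-x
default:user::rwx
default:user:www-data:rwx
default:group::r-x
default:mask::rwx
default:other::r-x'

# Constructed output after `setfacl -R -m u:www-data:7` as well:
# an access entry for www-data now sits beside the default entry.
ACL_WITH_ACCESS='# file: var/www/wiki/data
# owner: stian
# group: admin
user::rwx
user:www-data:rwx
group::r-x
mask::rwx
other::r-x
default:user::rwx
default:user:www-data:rwx
default:group::r-x
default:mask::rwx
default:other::r-x'

# Constructed output after an rsync run without -A/--acls: rsync applied the
# source's plain mode bits and every ACL entry is gone.
ACL_AFTER_PLAIN_RSYNC='# file: var/www/wiki/data
# owner: stian
# group: admin
user::rwx
group::r-x
other::r-x'

# Constructed output after a later `chmod 755` on the directory: the entry is
# still there, but chmod's group bits rewrote mask:: to r-x, so the effective
# permission of www-data is only r-x.
ACL_MASKED='# file: var/www/wiki/data
# owner: stian
# group: admin
user::rwx
user:www-data:rwx
group::r-x
mask::r-x
other::r-x'

# has_access_entry USER ACL_TEXT: true if a non-default user:USER:... line exists.
has_access_entry() {
    printf '%s\n' "$2" | grep -q "^user:$1:"
}

# has_default_entry USER ACL_TEXT: true if default:user:USER:... exists.
has_default_entry() {
    printf '%s\n' "$2" | grep -q "^default:user:$1:"
}

# effective_perms USER ACL_TEXT: the named user's permissions after the access
# mask is applied (named-user entries are limited by mask::), or "none".
effective_perms() {
    printf '%s\n' "$2" | awk -F: -v u="$1" '
        # getfacl may append "\t#effective:..." to an entry; keep only the perms.
        { sub(/[ \t].*$/, "", $3) }
        $1 == "user" && $2 == u  { p = $3 }
        $1 == "mask" && $2 == "" { m = $3 }
        END {
            if (p == "") { print "none"; exit }
            if (m == "") { print p; exit }
            out = ""
            for (i = 1; i <= 3; i++) {
                c = substr(p, i, 1); k = substr(m, i, 1)
                out = out ((c != "-" && k != "-") ? c : "-")
            }
            print out
        }'
}

# acl_state USER ACL_TEXT prints one of:
#   ok            access entry present (USER can use the directory itself)
#   default-only  only a default entry: inherited by new children, grants no access
#   missing       no entry at all, e.g. after an rsync without -A/--acls
acl_state() {
    if has_access_entry "$1" "$2"; then
        echo ok
    elif has_default_entry "$1" "$2"; then
        echo default-only
    else
        echo missing
    fi
}

# report USER ACL_TEXT LABEL: one-line summary for a human reader.
report() {
    printf '%-26s state=%-12s effective=%s\n' "$3" \
        "$(acl_state "$1" "$2")" "$(effective_perms "$1" "$2")"
}

report www-data "$ACL_DEFAULT_ONLY"      "default entry only"
report www-data "$ACL_WITH_ACCESS"       "default + access entry"
report www-data "$ACL_AFTER_PLAIN_RSYNC" "after rsync without -A"
report www-data "$ACL_MASKED"            "after chmod 755 (mask)"
```

On a live system feed it `getfacl /var/www/wiki/data` instead of the embedded samples; a state of "missing" right after a sync is the signature of rsync run without -A, and "default-only" is the state the question shows. Note that the demonstrations in the answer rely on running as a non-root user such as gopher or www-data; root bypasses these permission checks, so a test as root proves nothing.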


Stian Håklev

Updated on September 18, 2022

Comments

  • Stian Håklev, over 1 year

    I have a Dokuwiki installation locally, which I regularly sync to my server with rsync. I'm also going to give a friend of mine an ssh account, and host his public Dokuwiki installation. However, I'm having a problem with access permissions - even though the mirror is read-only, Dokuwiki still needs write-permissions to the data directory for cache etc. The Apache server runs as user www-data, and every time I do a rsync, it resets permissions.

    Based on some other answers on this site, I tried using setfacl to set default permissions, but it doesn't seem to work - getfacl indicates that the permissions exist, but Dokuwiki won't run, and when I try to write a file as user www-data, it also doesn't work. What am I missing?

    wiki/data$ sudo su www-data
    $ pwd
    /var/www/wiki/data
    $ whoami
    www-data
    $ touch hi
    touch: cannot touch `hi': Permission denied
    $ getfacl /var/www/wiki/data
    getfacl: Removing leading '/' from absolute path names
    # file: var/www/wiki/data
    # owner: stian
    # group: admin
    user::rwx
    group::r-x
    other::r-x
    default:user::rwx
    default:user:www-data:rwx
    default:group::r-x
    default:mask::rwx
    default:other::r-x
    

    Here's the command I used to set the permissions:

    setfacl -R -d -m u:www-data:7 /var/www/*
    
    • Gilles 'SO- stop being evil', over 10 years
      What command are you using with rsync? Default ACLs should apply. Also please show the ACL of a sample file.
  • Stian Håklev, over 10 years
    That makes sense but if you look at the code above, using getfacl, it does list that the file has the appropriate permissions?
  • Gilles 'SO- stop being evil', over 10 years
    @StianHåklev No, the file doesn't have the appropriate permissions. It has no ACL beyond the traditional unix permissions, and belongs to the user stian, not www-data. The default ACLs are only applied to newly created files; rsync sets the permissions based on the permissions on the source side. rsync -A will copy ACLs if you have the same ACLs on the source machine, is that the case?